Bluetooth Low Energy (BLE) Dataset: Raw-Capture for Intrusion Analysis
Description
We produced a novel dataset comprising raw BLE advertisement traffic collected across a variety of scenarios designed to reflect both ambient and malicious behavior. The dataset includes unfiltered advertisement packets recording key BLE-Layer fields. These features provide critical visibility into the structure and dynamics of BLE broadcasting, enabling fine-grained analysis of anomalous behaviors such as packet flooding, MAC spoofing and unusual transmission patterns.

This dataset provides a foundation for exploring BLE-specific threat detection by offering access to advertisement-layer traffic under both benign and adversarial conditions. It includes granular packet-level information such as MAC addresses, PDU types, and payload contents, enabling the study of broadcast anomalies, spoofing behaviors, and traffic manipulation patterns.

******************** Data Statistics *******************

The dataset comprises two categories of BLE traffic captures collected in a controlled testbed with realistic ambient noise.

***Extended captures: (~24 hours total)*** were recorded overnight to minimize interference. Two adversarial sessions captured BLE spam attacks using randomized MAC addresses: the first ran for ~6 hours yielding 1,488,501 packets, and the second for ~5.5 hours yielding 1,769,635 packets. A 12-hour benign baseline session captured ambient traffic only from idle smartphones, smart home devices, and BLE accessories, producing 977,187 packets.

***Short captures*** consist of four one-hour segments with MAC randomization disabled to enable deterministic packet attribution. These include one attack-free baseline (210,107 packets), one high-frequency spam session at 20 ms intervals (661,873 packets), and two sessions at 100 ms intervals (333,919 and 305,790 packets), representing stealthy and maximal attack profiles respectively.

Together, the extended captures reveal longer-term behavioral trends while the short sessions enable precise cross-condition comparison, supporting use cases such as anomaly detection and behavioral modeling.
Files
Steps to reproduce
************ Step-by-Step Guide to Reproducing the BLE Dataset ******************

**** Assemble a Heterogeneous Device Set ****
- Android: Samsung Galaxy S8
- Windows: Dell Inspiron laptop
- iOS/iPadOS: 9th-generation Apple iPad

Keep all three devices in the same room, connected to power, and with Bluetooth enabled for the entire experiment.

**** Add Background BLE Noise ****
Place a few always-on, BLE-enabled gadgets nearby to mimic a typical IoT environment:
- Govee Bluetooth thermometer
- Bose Revolve SoundLink speaker
- A few Apple AirTags (e.g., attached to pet collars)
- Smart thermometer

Do not pair these devices; their periodic advertisement packets will provide realistic ambient traffic.

**** Configure the Adversary ****
- Use a Flipper Zero loaded with a BLE-spam application, or any similar Android application.
- Set the app to broadcast spoofed advertisement packets at adjustable intervals (20 ms – 200 ms).
- Enable automatic MAC-address randomization to make the traffic harder to trace.

**** Prepare the Sniffer ****
- Plug in a Nordic nRF52840 USB dongle.
- Install nRF Sniffer for Bluetooth LE firmware on the dongle.
- Launch Wireshark with the nRF Sniffer plugin enabled so BLE packets decode correctly.

**** Capture Traffic ****
- Begin recording in Wireshark.
- Collect several baseline sessions (only ambient devices active).
- Collect several attack sessions (start the Flipper Zero spam broadcast).
- Vary attack parameters if desired (e.g., different intervals or payloads).

NOTE: For each session, log start/end times and any configuration changes.

**** Save and Organize the Dataset ****
- Export each Wireshark capture as a PCAP or PCAPNG file.
- Name files clearly (e.g., baseline_01.pcapng, attack_20ms_randomMAC_01.pcapng).
- Store accompanying metadata (device list, timestamps, sniffer settings, attack parameters) in a separate README or CSV for easy reference.

Following these steps will reproduce a dataset that contains a mix of benign background BLE advertisements and high-frequency spoofed spam traffic, suitable for analyzing or benchmarking BLE intrusion-detection techniques.
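A window-based check for the two spam profiles the captures contain (fixed-MAC floods in the short sessions, randomized-MAC floods in the extended ones), added here as an illustration and not part of the dataset or its authors' tooling. It assumes each packet has already been reduced to a (timestamp in ms, advertiser address) pair; the function names, thresholds and sample records are constructed for the example.

```python
from collections import Counter, defaultdict

def flag_windows(records, window_ms=1000, max_per_addr=20, max_new_addrs=10):
    """records: (timestamp_ms, adv_addr) pairs sorted by time.
    Returns {window_index: set_of_reasons} for windows that look like flooding.
    Thresholds are illustrative assumptions; tune them on a baseline capture."""
    windows = defaultdict(list)
    t0 = None
    for ts, addr in records:
        if t0 is None:
            t0 = ts
        windows[(ts - t0) // window_ms].append(addr)

    seen, flagged = set(), {}
    for idx in sorted(windows):
        addrs = windows[idx]
        reasons = set()
        # Fixed-MAC flood: one advertiser far above an ordinary advertising rate.
        if max(Counter(addrs).values()) > max_per_addr:
            reasons.add("per_address_rate")
        # Randomized-MAC flood: burst of addresses never observed before.
        if len(set(addrs) - seen) > max_new_addrs:
            reasons.add("new_address_churn")
        seen |= set(addrs)
        if reasons:
            flagged[idx] = reasons
    return flagged

def constructed_sample():
    """Constructed records: 6 s of ambient traffic plus two 1 s spam bursts."""
    recs = []
    ambient = ["aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"]
    for k in range(12):                      # ambient devices, every 500 ms
        recs += [(k * 500, a) for a in ambient]
    for k in range(50):                      # second 2: fixed MAC, 20 ms interval
        recs.append((2000 + k * 20, "bb:00:00:00:00:99"))
    for k in range(50):                      # second 4: new MAC per packet, 20 ms
        recs.append((4000 + k * 20, f"cc:00:00:00:00:{k:02x}"))
    return sorted(recs)

if __name__ == "__main__":
    for idx, reasons in flag_windows(constructed_sample()).items():
        print(f"window {idx}: {sorted(reasons)}")
```

The per-address rule only works when MAC randomization is off; against randomized addresses the churn rule is the one that fires, which is why both are evaluated per window.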
Institutions
- Mercy University, New York, Dobbs Ferry
- University of Groningen, Groningen, Groningen