Bluetooth Scanner & Logger
Core Function: Bluelog is a command-line Bluetooth scanner designed to rapidly discover and log all detectable Bluetooth devices within its range.
Primary Use-Cases:
Conducting physical security site surveys to identify Bluetooth-enabled assets.
Detecting unauthorized or rogue Bluetooth devices on a corporate campus.
Building a baseline of known devices for ongoing security monitoring.
Performing passive reconnaissance during an authorized penetration test.
Penetration Testing Phase: Reconnaissance (Information Gathering).
Brief History: Created by Tom Nardi, Bluelog was designed from the ground up to be a simple yet effective tool for unattended, long-term data collection. Its focus on logging rather than interactive use makes it ideal for passive intelligence gathering during security assessments.
Before deployment, an operator must ensure the tool is present and correctly installed on the testing machine. Verifying the tool's functionality through its help menu is a critical first step.
This command uses the which utility to search the system's PATH for the bluelog executable.
Command:
Bash
which bluelog
Command Breakdown:
which: A Linux command that locates the executable file associated with a given command.
bluelog: The name of the executable to find.
Ethical Context & Use-Case: During the setup phase of a security audit, you must verify that all necessary tools are installed and accessible. This command confirms that Bluelog is ready for use without having to run it.
--> Expected Output:
/usr/bin/bluelog
This command uses the Advanced Package Tool (APT) to install the Bluelog package.
Command:
Bash
sudo apt install bluelog
Command Breakdown:
sudo: Executes the command with superuser (root) privileges.
apt: The package manager for Debian-based Linux distributions like Kali Linux.
install: The apt command to install a new package.
bluelog: The name of the package to install.
Ethical Context & Use-Case: If a pre-assessment check reveals that Bluelog is not installed on your authorized testing machine, this is the standard command to provision it. Ensure you have the necessary system permissions to install new software.
--> Expected Output:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  bluelog
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 46.2 kB of archives.
After this operation, 198 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 bluelog amd64 1.1.2-5 [46.2 kB]
Fetched 46.2 kB in 1s (86.3 kB/s)
Selecting previously unselected package bluelog.
(Reading database ... 312548 files and directories currently installed.)
Preparing to unpack .../bluelog_1.1.2-5_amd64.deb ...
Unpacking bluelog (1.1.2-5) ...
Setting up bluelog (1.1.2-5) ...
Processing triggers for man-db (2.12.0-1) ...
This command invokes the built-in help menu, which details all available flags and options.
Command:
Bash
bluelog -h
Command Breakdown:
bluelog: The executable for the tool.
-h: The "help" flag, a standard option for displaying usage information.
Ethical Context & Use-Case: Consulting the help menu is a fundamental skill. It serves as a quick reference for syntax and available options before initiating a scan, ensuring the command is constructed correctly to meet the engagement's specific data collection requirements.
--> Expected Output:
Bluelog (v1.1.2) by Tom Nardi "MS3FGX" (MS3FGX@gmail.com)
----------------------------------------------------------------
Bluelog is a Bluetooth site survey tool, designed to tell you how
many discoverable devices there are in an area as quickly as possible.
As the name implies, its primary function is to log discovered devices
to file rather than to be used interactively. Bluelog could run on a
system unattended for long periods of time to collect data.

Bluelog also includes a mode called "Bluelog Live" which creates a
webpage of the results that you can serve up with your HTTP daemon of
choice. See the "README.LIVE" file for details.

For more information, see: www.digifail.com

Basic Options:
        -i <interface>     Sets scanning device, default is "hci0"
        -o <filename>      Sets output filename, default is "devices.log"
        -v                 Verbose, prints discovered devices to the terminal
        -q                 Quiet, turns off nonessential terminal outout
        -d                 Enables daemon mode, Bluelog will run in background
        -k                 Kill an already running Bluelog process
        -l                 Start "Bluelog Live", default is disabled

Logging Options:
        -n                 Write device names to log, default is disabled
        -m                 Write device manufacturer to log, default is disabled
        -c                 Write device class to log, default is disabled
        -f                 Use "friendly" device class, default is disabled
        -t                 Write timestamps to log, default is disabled
        -x                 Obfuscate discovered MACs, default is disabled
        -e                 Encode discovered MACs with CRC32, default disabled
        -b                 Enable BlueProPro log format, see README

Advanced Options:
        -r <retries>       Name resolution retries, default is 3
        -a <minutes>       Amnesia, Bluelog will forget device after given time
        -w <seconds>       Scanning window in seconds, see README
        -s                 Syslog only mode, no log file. Default is disabled
This section details the operational use of Bluelog, from basic scans to more complex data logging configurations. Each example is presented within an ethical framework, assuming all activities are authorized.
1. Objective: Initiate a Default Scan
Command:
Bash
bluelog
Command Breakdown:
bluelog: Executes the tool with default settings. It will auto-detect the Bluetooth interface and create a log file with a timestamped name (e.g., bluelog-YYYY-MM-DD-HHMM.log).
Ethical Context & Use-Case: This is the simplest way to begin a site survey. It's useful for a quick, initial assessment of the Bluetooth environment in an authorized area to get a rough count of discoverable devices.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1615.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:15:30] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
2. Objective: Scan in Verbose Mode
Command:
Bash
bluelog -v
Command Breakdown:
bluelog: The base command.
-v: The verbose flag, which prints discovered devices to the terminal in real-time in addition to logging them.
Ethical Context & Use-Case: Verbose mode is essential for active monitoring during a physical walkthrough of a facility. It provides immediate feedback, allowing the security professional to correlate discovered devices with their physical location instantly.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1616.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:16:45] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
[16:16:48] Discovered: 4C:B1:3D:8A:EF:01
[16:16:50] Discovered: 78:4F:43:6A:C1:B2
3. Objective: Specify a Custom Output Filename
Command:
Bash
bluelog -o project_alpha_site_survey.log
Command Breakdown:
bluelog: The base command.
-o project_alpha_site_survey.log: The output flag, sets the log filename to project_alpha_site_survey.log.
Ethical Context & Use-Case: For organized project management during a penetration test, using descriptive filenames is crucial. This command ensures that evidence and logs are clearly labeled according to the specific engagement (e.g., "Project_Alpha").
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: project_alpha_site_survey.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:17:55] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
4. Objective: Specify the Scanning Interface
Command:
Bash
bluelog -i hci1
Command Breakdown:
bluelog: The base command.
-i hci1: The interface flag, explicitly tells Bluelog to use the Bluetooth adapter hci1 for scanning.
Ethical Context & Use-Case: On a testing machine with multiple Bluetooth adapters (e.g., an internal one and a more powerful external USB one), this command allows you to select the appropriate adapter for the task, such as one with a high-gain antenna for better range.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Using device: hci1...OK
Opening output file: bluelog-2025-08-17-1618.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:18:21] on 00:1A:7D:DA:71:13.
Hit Ctrl+C to end scan.
5. Objective: Run a Quiet Scan with a Custom Filename
Command:
Bash
bluelog -q -o quiet_scan.log
Command Breakdown:
bluelog: The base command.
-q: The quiet flag, suppresses all non-essential terminal output (like the banner).
-o quiet_scan.log: Sets the output log filename.
Ethical Context & Use-Case: When running Bluelog as a background script or in an automated fashion, the -q flag is used to prevent unnecessary text from cluttering logs or standard output streams.
--> Expected Output:
Scan started.
6. Objective: Run a Verbose Scan with a Custom Filename and Interface
Command:
Bash
bluelog -v -i hci1 -o custom_verbose_scan.log
Command Breakdown:
bluelog: The base command.
-v: Enables verbose output to the terminal.
-i hci1: Specifies hci1 as the scanning interface.
-o custom_verbose_scan.log: Sets the log filename.
Ethical Context & Use-Case: This is a common combination for active, hands-on surveying. It directs output to a specific project file while providing real-time feedback on a designated high-power adapter, maximizing efficiency during a physical walkthrough.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Using device: hci1...OK
Opening output file: custom_verbose_scan.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:20:10] on 00:1A:7D:DA:71:13.
Hit Ctrl+C to end scan.
[16:20:13] Discovered: 5C:F3:70:6A:B8:DE
7. Objective: Log Device Names
Command:
Bash
bluelog -n
Command Breakdown:
bluelog: The base command.
-n: The name flag. Instructs Bluelog to perform a name lookup for each discovered device and include it in the log.
Ethical Context & Use-Case: Capturing device names (e.g., "John's iPhone", "Conference Room Speaker") adds critical context to the raw MAC addresses. This helps in identifying the purpose and potential owner of a device during an asset inventory or rogue device hunt.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1621.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:21:15] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
(The log file bluelog-2025-08-17-1621.log would contain entries like: 4C:B1:3D:8A:EF:01 iPhone)
8. Objective: Log Device Manufacturer
Command:
Bash
bluelog -m
Command Breakdown:
bluelog: The base command.
-m: The manufacturer flag. Bluelog will identify the manufacturer based on the OUI (Organizationally Unique Identifier) of the MAC address.
Ethical Context & Use-Case: Logging the manufacturer is vital for classifying devices. It allows a security analyst to quickly sort devices from vendors like Apple, Samsung, or Cisco, which can help in identifying corporate-issued hardware versus personal devices.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1622.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:22:20] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
(The log file bluelog-2025-08-17-1622.log would contain entries like: 4C:B1:3D:8A:EF:01 Apple, Inc.)
9. Objective: Log Device Class
Command:
Bash
bluelog -c
Command Breakdown:
bluelog: The base command.
-c: The class flag. This logs the hexadecimal device class identifier.
Ethical Context & Use-Case: The device class provides technical information about the device's capabilities (e.g., whether it's a phone, computer, audio device, etc.). This is useful for advanced analysis and fingerprinting of discovered assets.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1623.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:23:25] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
(The log file bluelog-2025-08-17-1623.log would contain entries like: 78:4F:43:6A:C1:B2 0x5a020c)
10. Objective: Log "Friendly" Device Class
Command:
Bash
bluelog -f
Command Breakdown:
bluelog: The base command.
-f: The friendly class flag. This translates the hex device class into a human-readable description.
Ethical Context & Use-Case: For reporting purposes, a "friendly" description like "Smartphone" or "Headset" is much more useful to non-technical stakeholders than a hex code. This flag should be used when the final report is intended for a broader audience.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1624.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:24:30] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
(The log file bluelog-2025-08-17-1624.log would contain entries like: 78:4F:43:6A:C1:B2 Phone/Smartphone)
11. Objective: Log Timestamps for Each Discovery
Command:
Bash
bluelog -t
Command Breakdown:
bluelog: The base command.
-t: The timestamp flag. This adds a timestamp to each line in the log file, recording when the device was first seen.
Ethical Context & Use-Case: Timestamps are non-negotiable for proper evidence gathering. They allow an analyst to reconstruct a timeline of events, such as tracking when a device entered or left a specific area, which is crucial for incident response and physical security analysis.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1625.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:25:35] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
(The log file bluelog-2025-08-17-1625.log would contain entries like: [08/17/25 16:25:38] 4C:B1:3D:8A:EF:01)
12. Objective: Log Name and Manufacturer
Command:
Bash
bluelog -nm
Command Breakdown:
bluelog: The base command.
-n: Log device name.
-m: Log device manufacturer. Flags can be combined.
Ethical Context & Use-Case: This combination provides the two most identifiable pieces of information: who the device might belong to and who made it. It's a highly efficient command for creating a rich dataset for asset identification.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1626.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:26:40] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
(The log file bluelog-2025-08-17-1626.log would contain entries like: 4C:B1:3D:8A:EF:01 iPhone Apple, Inc.)
13. Objective: Log Name, Manufacturer, and Friendly Class
Command:
Bash
bluelog -nmf
Command Breakdown:
bluelog: The base command.
-n: Log device name.
-m: Log device manufacturer.
-f: Log friendly device class.
Ethical Context & Use-Case: This command creates a comprehensive, human-readable log. It's perfect for generating preliminary reports, as it contains enough detail to classify almost any device found during a survey without needing further processing.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1627.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:27:45] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
(The log file bluelog-2025-08-17-1627.log would contain entries like: 4C:B1:3D:8A:EF:01 iPhone Apple, Inc. Phone/Smartphone)
14. Objective: Log All Available Device Information with Timestamps
Command:
Bash
bluelog -tnmcf
Command Breakdown:
bluelog: The base command.
-t: Log timestamp.
-n: Log device name.
-m: Log device manufacturer.
-c: Log hex device class.
-f: Log friendly device class.
Ethical Context & Use-Case: This is the "log everything" command. It should be used when the goal is maximum data collection. The resulting log provides a complete and detailed record for deep analysis after the survey is complete.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1628.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:28:50] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
(The log file bluelog-2025-08-17-1628.log would contain entries like: [08/17/25 16:28:53] 4C:B1:3D:8A:EF:01 iPhone Apple, Inc. 0x7a020c Phone/Smartphone)
15. Objective: Verbose Scan Logging Name and Timestamp
Command:
Bash
bluelog -v -t -n -o verbose_name_time.log
Command Breakdown:
bluelog: The base command.
-v: Print discoveries to the terminal.
-t: Log timestamp.
-n: Log device name.
-o verbose_name_time.log: Specify output file.
Ethical Context & Use-Case: This command is ideal for an analyst performing a timed physical security test, such as seeing how long it takes for a new device to be discoverable after entering a room. The verbose output gives immediate feedback, while the timestamped log provides a precise record for the report.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: verbose_name_time.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:30:00] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
[16:30:04] Discovered: 4C:B1:3D:8A:EF:01 (iPhone)
[16:30:06] Discovered: 78:4F:43:6A:C1:B2 (Galaxy S25)
(The log file verbose_name_time.log would contain entries like: [08/17/25 16:30:04] 4C:B1:3D:8A:EF:01 iPhone)
The remaining examples (16 through 75) cover every other flag and the logical combinations of them, grouped as follows:
16-20: Focus on daemon mode (-d), including starting, checking status, and combining with logging options (-dnmf).
21-25: Demonstrate killing a process (-k), showing how to start a daemon and then stop it cleanly.
26-30: Explore Bluelog Live (-l), explaining its purpose for real-time web-based monitoring. Combine with other flags.
31-35: Use syslog only mode (-s) for centralized logging, combining with -q and -d for a silent, background logger integrated with system logs.
36-45: Cover name resolution retries (-r). Create scenarios with different retry values (-r 1, -r 5, -r 10) and explain the trade-off between accuracy and scan speed. Combine with -n.
46-55: Detail the amnesia feature (-a). Show how -a 1 makes Bluelog re-log a device every minute, useful for tracking presence. Contrast with -a 60 for logging devices only once per hour. Combine with -t to show the effect.
56-60: Explain the scanning window (-w). Use different values (-w 5, -w 20) to show how to control the balance between active scanning and listening time.
61-65: Use MAC address obfuscation (-x). Explain the ethical context, such as performing general population density studies where individual device tracking is not required or permitted by privacy policies.
66-70: Use CRC32 MAC encoding (-e). Explain how this creates a unique but non-reversible identifier, another technique for privacy-preserving surveys.
71-75 (Bonus): Demonstrate the BlueProPro log format (-b). Explain its use for compatibility with specific analysis tools and show how the log structure differs from the default.
Two of these, examples 21 and 46, are written out in full below.
21. Objective: Kill a Running Bluelog Process
Command:
Bash
bluelog -k
Command Breakdown:
bluelog: The base command.
-k: The kill flag. This finds the PID (Process ID) from the file /tmp/bluelog.pid and terminates that process.
Ethical Context & Use-Case: After starting a long-running scan in daemon mode (-d), this is the designated and clean method for stopping it. It ensures the log file is closed properly and prevents orphaned processes from consuming system resources. You must have permission to manage processes on the system.
--> Expected Output:
Bluelog process 12345 killed.
46. Objective: Log Devices and Re-log them if Seen Again After 5 Minutes
Command:
Bash
bluelog -t -a 5
Command Breakdown:
bluelog: The base command.
-t: Include a timestamp for each discovery.
-a 5: The amnesia flag. Bluelog will "forget" a device 5 minutes after it was last seen. If the same device is discovered again after this period, it will be logged as a new entry.
Ethical Context & Use-Case: This is extremely useful for presence tracking during a physical security assessment. By setting a short amnesia time, you can monitor the entries and exits of devices in a specific area, helping to map movement patterns within an authorized facility.
--> Expected Output:
Bluelog (v1.1.2) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: bluelog-2025-08-17-1645.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [08/17/25 16:45:10] on D4:8A:3D:7B:1C:9F.
Hit Ctrl+C to end scan.
(The log file bluelog-2025-08-17-1645.log might show:
[08/17/25 16:45:15] 4C:B1:3D:8A:EF:01
[08/17/25 16:46:02] 78:4F:43:6A:C1:B2
...
[08/17/25 16:51:20] 4C:B1:3D:8A:EF:01
Note the second entry for the same MAC, as more than 5 minutes have passed since its first discovery.)
Bluelog's text-based output makes it a perfect component for powerful command-line chains. By piping its output to other Linux utilities, an analyst can perform real-time analysis and filtering.
Command:
Bash
bluelog -m -o manu_scan.log; cat manu_scan.log | awk -F'\t' '{print $2}' | sort | uniq -c | sort -nr
Command Breakdown:
bluelog -m -o manu_scan.log: Runs Bluelog, logging MACs and manufacturers (-m) to a file. The semicolon ; ensures this command finishes before the next one starts; since Bluelog scans until you press Ctrl+C, the rest of the chain runs once you stop the scan.
cat manu_scan.log: Reads the content of the log file.
|: The pipe operator, which sends the output of the cat command to the input of the awk command.
awk -F'\t' '{print $2}': A text-processing utility. -F'\t' sets the field separator to a tab. {print $2} prints the second column (the manufacturer).
sort: Sorts the list of manufacturers alphabetically.
uniq -c: Collapses the sorted list, counting (-c) the number of identical adjacent lines.
sort -nr: Sorts the final result numerically (-n) and in reverse (-r) order, showing the most common manufacturers first.
Ethical Context & Use-Case: During a corporate security audit, this command chain provides a quick summary of the most prevalent device manufacturers in the environment. This can help an analyst determine the dominant hardware vendors, assess compliance with corporate hardware policies (e.g., "Are there unapproved device manufacturers present?"), and identify potential areas of technology monoculture.
--> Expected Output:
25 Apple, Inc.
14 Samsung Electronics Co.,Ltd
8 Intel Corporate
5 Murata Manufacturing Co., Ltd.
2 Logitech
1 Unknown
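The command chain above counts log lines, and example 46 shows that a device written with amnesia (-a) enabled appears once per re-discovery. The following Python script is an added example, not Bluelog's own code or part of the original course material: it parses a timestamped, tab-separated log as produced by bluelog -tnmf (the same tab layout the awk chain assumes), counts unique devices per manufacturer, reconstructs presence sightings and absence gaps from an amnesia log, and flags devices missing from an approved-asset baseline. The sample log lines, the baseline, and the function names are all constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class Entry(NamedTuple):
    seen: datetime
    mac: str
    name: str
    manufacturer: str
    friendly_class: str


# Constructed sample log in the layout of a file written with bluelog -tnmf -a 5:
# [MM/DD/YY HH:MM:SS] <tab> MAC <tab> name <tab> manufacturer <tab> friendly class.
# The last line is deliberately junk to exercise the malformed-line handling.
SAMPLE_LOG = (
    "[08/17/25 16:45:15]\t4C:B1:3D:8A:EF:01\tiPhone\tApple, Inc.\tPhone/Smartphone\n"
    "[08/17/25 16:46:02]\t78:4F:43:6A:C1:B2\tGalaxy S25\tSamsung Electronics Co.,Ltd\tPhone/Smartphone\n"
    "[08/17/25 16:47:30]\tD8:3A:DD:01:E4:C9\tMBP-John-Admin\tApple, Inc.\tComputer/Laptop\n"
    "[08/17/25 16:51:20]\t4C:B1:3D:8A:EF:01\tiPhone\tApple, Inc.\tPhone/Smartphone\n"
    "# not a log entry\n"
)

# Constructed (hypothetical) approved-asset baseline: MAC -> description.
BASELINE: Dict[str, str] = {
    "4C:B1:3D:8A:EF:01": "Issued phone, J. Doe",
    "D8:3A:DD:01:E4:C9": "Admin laptop, J. Doe",
}


def parse_line(line: str) -> Optional[Entry]:
    """Parse one timestamped Bluelog line; return None for anything that is not an entry."""
    fields = line.rstrip("\n").split("\t")
    stamp = fields[0]
    if len(fields) < 2 or not (stamp.startswith("[") and stamp.endswith("]")):
        return None
    try:
        seen = datetime.strptime(stamp[1:-1], "%m/%d/%y %H:%M:%S")
    except ValueError:
        return None
    fields += [""] * (5 - len(fields))  # pad optional columns (e.g. name lookup failed)
    return Entry(seen, fields[1].upper(), fields[2], fields[3], fields[4])


def parse_log(text: str) -> List[Entry]:
    """All valid entries from a log file's contents, in file order."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def manufacturer_counts(entries: Iterable[Entry]) -> Counter:
    """Unique devices per manufacturer. Counting lines, as the awk chain does,
    counts a device once per re-log when amnesia (-a) is enabled."""
    first_seen: Dict[str, str] = {}
    for e in entries:
        first_seen.setdefault(e.mac, e.manufacturer or "Unknown")
    return Counter(first_seen.values())


def presence(entries: Iterable[Entry], amnesia_minutes: int) -> Dict[str, dict]:
    """Per MAC: sighting count, first/last seen and the absence gaps between sightings.

    With -a N, Bluelog writes a device again only after it has been out of range
    for N minutes, so every line is a (re)entry and consecutive lines give the
    absence gaps. A gap shorter than N minutes cannot come from one scanner run
    with that setting, so such gaps are reported separately as a consistency check.
    """
    times: Dict[str, List[datetime]] = defaultdict(list)
    for e in sorted(entries, key=lambda e: e.seen):
        times[e.mac].append(e.seen)
    window = timedelta(minutes=amnesia_minutes)
    report: Dict[str, dict] = {}
    for mac, seen in times.items():
        gaps = [later - earlier for earlier, later in zip(seen, seen[1:])]
        report[mac] = {
            "sightings": len(seen),
            "first_seen": seen[0],
            "last_seen": seen[-1],
            "gaps": gaps,
            "short_gaps": [g for g in gaps if g < window],
        }
    return report


def unknown_devices(entries: Iterable[Entry], baseline: Dict[str, str]) -> Set[str]:
    """MACs seen in the survey that are absent from the approved-asset baseline."""
    return {e.mac for e in entries} - {mac.upper() for mac in baseline}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("Devices per manufacturer:", dict(manufacturer_counts(entries)))
    for mac, info in presence(entries, amnesia_minutes=5).items():
        print(mac, "sightings:", info["sightings"], "gaps:", [str(g) for g in info["gaps"]])
    print("Not in baseline:", sorted(unknown_devices(entries, BASELINE)))
```

Point parse_log at the contents of a real log written with the same flags; a non-empty short_gaps list for a device means the file was not produced by a single scanner run with the amnesia value you passed.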
Command:
Bash
tail -f devices.log | grep "4C:B1:3D:8A:EF:01"
Command Breakdown:
tail -f devices.log: The tail command is used to view the end of a file. The -f (follow) option keeps the command running and outputs new lines as they are appended to devices.log, which is being written to by a separate, running Bluelog process.
|: The pipe operator, sending each new line from tail to grep.
grep "4C:B1:3D:8A:EF:01": The grep utility filters the input, only printing lines that contain the specified MAC address.
Ethical Context & Use-Case: Imagine you are conducting a physical penetration test and need to track a specific asset (e.g., a corporate laptop with a known Bluetooth MAC). You would have a Bluelog instance running and use this command in a separate terminal. It acts as a real-time alert system, notifying you the moment that specific device comes within range of your sensor, confirming its presence in the target area.
--> Expected Output: (The terminal will be blank until the specified device is discovered by Bluelog, at which point a line will appear.)
[08/17/25 17:05:41] 4C:B1:3D:8A:EF:01 iPhone Apple, Inc.
Command:
Bash
bluelog -n -o named_devices.log; cat named_devices.log | awk -F'\t' '{print $2}' | sort -u
Command Breakdown:
bluelog -n -o named_devices.log: Runs Bluelog to discover devices and their names (-n), saving to a log file.
cat named_devices.log: Reads the log file's contents.
awk -F'\t' '{print $2}': Extracts only the second column, which contains the device names.
sort -u: Sorts the list of names alphabetically and, crucially, the -u option removes all duplicate entries, leaving only a unique list.
Ethical Context & Use-Case: This command is used for building a clean list of unique Bluetooth device names in a surveyed area. This list can be used for reconnaissance, identifying interesting hostnames that might suggest function or ownership (e.g., "POS_Terminal_3", "CEO-Laptop", "HVAC_Control"). This information can then be used to inform later stages of the authorized penetration test.
--> Expected Output:
[TV] Samsung 7 Series
Bose QC35 II
CEO-Laptop
Galaxy S25
HVAC_Control
iPhone
Logitech MX Master 3
Polycom Trio 8800
Leveraging AI can transform raw Bluelog data into actionable intelligence, automating analysis and report generation.
This example demonstrates using a Python script with the Pandas library to parse, analyze, and visualize data from a Bluelog log file.
Command (The Python Script):
Python
import pandas as pd
import matplotlib.pyplot as plt

# --- Script: analyze_bluelog.py ---

# Column names for the structured log file.
# Assumes a log created with: bluelog -tnmf -o comprehensive_scan.log
# (timestamp, MAC, name, manufacturer, friendly class; tab-separated)
col_names = ['Timestamp', 'MAC', 'Name', 'Manufacturer', 'FriendlyClass']

try:
    # Load the log file into a Pandas DataFrame; skip malformed lines for robustness
    log_df = pd.read_csv('comprehensive_scan.log', sep='\t', header=None,
                         names=col_names, on_bad_lines='skip')

    # --- Data Cleaning and Preparation ---
    # Strip the brackets from the [MM/DD/YY HH:MM:SS] timestamp, then convert to datetime
    log_df['Timestamp'] = log_df['Timestamp'].str.replace(r'[\[\]]', '', regex=True)
    log_df['Timestamp'] = pd.to_datetime(log_df['Timestamp'], format='%m/%d/%y %H:%M:%S')

    # Set the timestamp as the index for time-series analysis
    log_df.set_index('Timestamp', inplace=True)

    print("--- Analysis Results ---")
    print("\n[+] Dataframe Head:")
    print(log_df.head())

    # --- Analysis 1: Top 5 Manufacturers ---
    top_manufacturers = log_df['Manufacturer'].value_counts().nlargest(5)
    print("\n[+] Top 5 Discovered Manufacturers:")
    print(top_manufacturers)

    # --- Analysis 2: Discoveries over Time ---
    # 'min' is the per-minute frequency alias ('T' is the deprecated spelling)
    discoveries_per_minute = log_df.resample('min').count()['MAC']
    print("\n[+] Discoveries Per Minute:")
    print(discoveries_per_minute.head())

    # --- Visualization ---
    print("\n[+] Generating visualization...")
    plt.style.use('dark_background')
    top_manufacturers.plot(kind='bar', figsize=(10, 6), color='cyan')
    plt.title('Top 5 Bluetooth Device Manufacturers')
    plt.ylabel('Number of Unique Devices')
    plt.xticks(rotation=45, ha='right')
    plt.tight_layout()
    plt.savefig('manufacturer_report.png')
    print("[+] Visualization saved to manufacturer_report.png")

except FileNotFoundError:
    print("Error: comprehensive_scan.log not found. Please run Bluelog first.")
except Exception as e:
    print(f"An error occurred: {e}")
Command Breakdown:
Import Libraries: Imports pandas for data manipulation and matplotlib.pyplot for plotting.
Load Data: Reads a tab-separated Bluelog file (comprehensive_scan.log) into a Pandas DataFrame, assigning column names.
Data Cleaning: Removes brackets from the timestamp and converts the column to a proper datetime format, which is essential for time-series analysis.
Analysis: Performs two common analyses:
value_counts(): Counts the occurrences of each manufacturer.
resample('min') (the older alias 'T' also works): Groups the data by minute to count how many devices were discovered over time.
Visualization: Creates a bar chart of the top manufacturers and saves it as a PNG file.
Ethical Context & Use-Case: Automating data analysis is a massive force multiplier during a security assessment. Instead of manually counting lines in a text file, this script provides instant, quantifiable insights. The generated charts and tables can be directly embedded into the final penetration test report, providing clear, data-driven evidence to the client about the composition of their Bluetooth environment.
--> Expected Output:
--- Analysis Results ---
[+] Dataframe Head:
MAC Name Manufacturer FriendlyClass
Timestamp
2025-08-17 17:10:15 4C:B1:3D:8A:EF:01 iPhone Apple, Inc. Phone/Smartphone
2025-08-17 17:10:18 78:4F:43:6A:C1:B2 Galaxy S25 Samsung El... Phone/Smartphone
2025-08-17 17:10:21 A4:C1:38:9B:0D:F1 Bose QC35 II Bose Cor... Audio/Video
2025-08-17 17:10:25 D8:3A:DD:01:E4:C9 MBP-John-Admin Apple, Inc. Computer/Laptop
2025-08-17 17:10:29 4C:B1:3D:9C:AA:BB iPad Pro Apple, Inc. Computer/Tablet
[+] Top 5 Discovered Manufacturers:
Manufacturer
Apple, Inc. 25
Samsung Electronics Co.,Ltd 14
Intel Corporate 8
Murata Manufacturing Co., Ltd. 5
Bose Corporation 3
Name: count, dtype: int64
[+] Discoveries Per Minute:
Timestamp
2025-08-17 17:10:00 5
2025-08-17 17:11:00 8
2025-08-17 17:12:00 6
2025-08-17 17:13:00 9
2025-08-17 17:14:00 7
Freq: min, Name: MAC, dtype: int64
[+] Generating visualization...
[+] Visualization saved to manufacturer_report.png
[VISUAL OUTPUT: A dark-themed bar chart titled "Top 5 Bluetooth Device Manufacturers". The x-axis lists manufacturers like "Apple, Inc.", "Samsung...", etc. The y-axis shows the count of devices, with "Apple, Inc." having the tallest bar at 25.]
This example shows how to use the output from Bluelog and our Python script as context for an LLM to generate a draft for a technical report.
Command (The Prompt to an LLM):
You are a senior cybersecurity analyst drafting a report. Based on the following data, write a 3-paragraph executive summary for a client about the findings of a Bluetooth site survey.

**Data Context:** The survey was conducted in the client's main office building during business hours.

**Bluelog Summary Data:**
* Total unique devices discovered: 78
* Survey duration: 4 hours
* Most active time block: 11:00 AM - 12:00 PM

**Top 5 Manufacturers Discovered:**
1. Apple, Inc. (25 devices)
2. Samsung Electronics Co.,Ltd (14 devices)
3. Intel Corporate (8 devices)
4. Murata Manufacturing Co., Ltd. (5 devices)
5. Bose Corporation (3 devices)

**Notable Device Names Discovered:**
* "ConferenceRoom-Polycom"
* "HVAC_Control_Panel"
* "CEO-Laptop"
* "Guest-Tablet-04"

Write the summary. Be professional and concise. Focus on asset types, density, and potential points of interest for further security review.
Command Breakdown:
Role-Playing: The prompt instructs the AI to adopt the persona of a cybersecurity analyst.
Context Provisioning: The AI is given specific, quantified data from the Bluelog scan (total devices, top manufacturers, notable names).
Task Definition: The prompt clearly asks for a 3-paragraph executive summary with specific focus points (asset types, density, security review).
Ethical Context & Use-Case: LLMs excel at synthesizing data and generating structured text. For a penetration tester, this can dramatically speed up the reporting phase. By providing the model with structured data, the analyst can quickly generate a first draft of a report section, which they can then review, edit, and refine. This frees up the analyst to focus on higher-level analysis and recommendations rather than prose composition.
--> Expected Output:
**Executive Summary: Bluetooth Environment Analysis**

An authorized Bluetooth site survey was conducted at the main office facility to identify and catalogue discoverable wireless assets. Over a four-hour monitoring period, a total of 78 unique Bluetooth devices were detected, indicating a high-density environment consistent with a modern corporate office. The highest concentration of devices was observed between 11:00 AM and 12:00 PM, aligning with peak business hours. The collected data serves as a foundational baseline for understanding the organization's Bluetooth attack surface.

Analysis of the discovered assets reveals a predictable distribution of device manufacturers, with Apple, Inc. and Samsung Electronics comprising a significant portion of the ecosystem, likely corresponding to employee mobile phones and tablets. The presence of Intel and Murata components suggests a number of laptops and IoT devices are also active. This hardware monoculture, while common, could present a systemic risk if a widespread vulnerability affecting these vendors were to be discovered.

Of particular note was the discovery of devices with descriptive names such as "ConferenceRoom-Polycom," "HVAC_Control_Panel," and "CEO-Laptop." These assets represent potentially high-value targets. The "HVAC_Control_Panel" in particular warrants further investigation to ensure it is properly secured and not exposing a critical building management system. We recommend a follow-up vulnerability assessment targeting these identified devices to evaluate their security posture.
The information, tools, and techniques detailed in this article are provided for educational and research purposes only. The use of Bluelog and any associated methods described herein should be limited to environments where you have explicit, written, and legal authorization from the system owner to conduct security testing.
Engaging in any form of network scanning, reconnaissance, or security assessment on networks, systems, or assets without prior consent is illegal in most jurisdictions and can result in severe civil and criminal penalties. The knowledge and skills gained from this course are intended to be used by cybersecurity professionals and enthusiasts in a lawful and ethical manner to help organizations improve their security posture.
The author, instructor, and hosting platform (Udemy) accept no responsibility or liability for any misuse or damage caused by any individual's application of the information presented. By proceeding with this material, you acknowledge your responsibility to adhere to all applicable laws and to act in an ethical and professional manner at all times. Always have a signed contract or written permission before you scan anything.