
Random MAC address flag location in bluetooth packet?


I am analysing .pcap files containing Bluetooth traffic.

I am trying to find a flag that is set which ensures that the Bluetooth MAC address of a device is random and/or changes.

I have seen parts of the packets such as this:

.0.. .... = Randomized Tx Address: False

But haven't been able to find much more information on what this does.

Can anyone help?


Solution

  • BR/EDR can only use IEEE-allocated device addresses; they are called "public" addresses. LE introduced another class of addresses, "random" addresses. They are both 48-bit. LE can use both, see Vol 6, Part B, 1.3.

    In the space of random addresses, there is another subdivision in three groups:

    • static addresses (non-IEEE allocated address, not guaranteed to be unique, but statistically non-colliding),
    • non-resolvable private addresses (ephemeral address you cannot identify a device with),
    • resolvable private addresses (ephemeral address that can identify a device only for people that have access to a key called IRK).

    This enables the privacy features of BLE.

    In places where a device address is used in LE, there is always a one-bit field accompanying a device address for specifying whether the address is to be interpreted as a "public" or a "random" address.

    Your excerpt from Wireshark seems to come from a LE advertisement packet header, see Vol 6, Part B, 2.3 for packet details.
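
The header bit and the address sub-groups described in the answer, as an added example that is not part of the original answer: it reads the TxAdd bit of a legacy advertising PDU and, for a random address, classifies it by its two most significant bits. It assumes the input starts at the 2-byte PDU header (after the 4-byte access address); the function name and the sample bytes are constructed for illustration.

```python
# Added example (not from the original answer). Input is assumed to be a
# legacy advertising-channel PDU starting at its 2-byte header.
LEGACY_PDU_TYPES = {
    0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
    4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND",
}
# The two most significant bits of a random address select its sub-type.
RANDOM_SUBTYPES = {
    0b11: "static",
    0b00: "non-resolvable private",
    0b01: "resolvable private",
    0b10: "reserved",
}


def classify_tx_address(pdu: bytes) -> dict:
    """Return the PDU type, TxAdd flag, sender address and address class."""
    if len(pdu) < 8:
        raise ValueError("need a 2-byte header and a 6-byte address")
    pdu_type = pdu[0] & 0x0F
    if pdu_type not in LEGACY_PDU_TYPES:
        raise ValueError(f"PDU type {pdu_type} is not a legacy advertising PDU")
    # TxAdd is bit 6 of the first header byte: the ".0.. ...." Wireshark line.
    tx_add = bool(pdu[0] & 0x40)
    # The address is sent least significant byte first; reverse it for display.
    addr = pdu[2:8][::-1]
    if tx_add:
        kind = "random, " + RANDOM_SUBTYPES[addr[0] >> 6]
    else:
        kind = "public"
    return {
        "pdu_type": LEGACY_PDU_TYPES[pdu_type],
        "tx_add": tx_add,
        "address": ":".join(f"{b:02X}" for b in addr),
        "kind": kind,
    }


# Constructed sample PDUs (header, length, 6 address bytes), not real captures.
SAMPLES = [
    bytes.fromhex("40 06 55 44 33 22 11 5a"),  # TxAdd=1, top bits 01
    bytes.fromhex("42 06 01 02 03 04 05 c6"),  # TxAdd=1, top bits 11
    bytes.fromhex("40 06 01 02 03 04 05 3a"),  # TxAdd=1, top bits 00
    bytes.fromhex("00 06 55 44 33 22 11 00"),  # TxAdd=0
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_tx_address(sample))
```

Only the two private sub-types are ephemeral; a set TxAdd bit with a static address does not by itself indicate a rotating address.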