Network Monitoring and Alert System

  • Author: Andrei-Octavian Bebu
  • Email: andrei.bebu@stud.acs.upb.ro
  • Master: SRIC

Introduction

This project implements a BLE-based network monitoring and anomaly detection system using an ESP32 microcontroller and a Raspberry Pi. The ESP32 operates in promiscuous mode to passively sniff Wi-Fi traffic and transmits metadata via BLE to a Raspberry Pi, which further logs, processes, and analyzes the data using InfluxDB. The goal is to simulate a lightweight IDS/IPS-like solution capable of detecting suspicious activity in a home or lab network, such as DoS attempts, MAC spoofing, and out-of-hours access.

Optional integration with Home Assistant allows security alerts to be routed to multiple channels (e.g., email, mobile push) based on severity.

Context and General Description

Block Diagram

The ESP32 module is configured in promiscuous mode to capture 802.11 beacon and probe request frames. It collects metadata including MAC addresses, RSSI, and timestamps. These packets are periodically sent via BLE to a Raspberry Pi acting as a BLE server. The Pi parses incoming data, stores it in InfluxDB, and runs basic anomaly detection logic based on:

  • Out-of-hours activity
  • MAC spoofing attempts
  • DoS (denial-of-service)-like patterns
  • Weak RSSI signals possibly indicating distant attackers

Alerts are generated based on thresholds and logged events. Higher severity events may trigger multi-channel notifications via Home Assistant integrations.

Hardware

<note tip>Hardware Components
  • ESP32 DevKit (ESP-WROOM-32)
  • Raspberry Pi 4B (or similar with BLE support)
  • Breadboard, USB power supplies
  • Optional: LEDs for visual status indication
</note>

Wiring: No complex wiring needed — communication is fully wireless (BLE).

Physical Setup: The ESP32 is deployed in a fixed location within Wi-Fi range, while the Raspberry Pi operates as a static gateway and logging processor.
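The four rule-based checks listed above, written out as an added example in the Pi-side Python (this is not the project's own code): the thresholds, the RSSI-jump heuristic for a spoofed MAC, the sliding-window frame count for DoS-like floods and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Thresholds are assumed illustrative values, not the project's own settings.
ALLOWED_HOURS = range(7, 23)   # 07:00-22:59 UTC; anything else is out-of-hours
WEAK_RSSI_DBM = -85            # weaker than this: possibly a distant device
SPOOF_WINDOW_S = 2             # spoofing heuristic: same MAC seen twice within 2 s ...
SPOOF_RSSI_DELTA = 30          # ... with an RSSI jump of >= 30 dBm (two radios, one address)
FLOOD_WINDOW_S = 10            # DoS-like: more than FLOOD_MAX_FRAMES from one MAC ...
FLOOD_MAX_FRAMES = 50          # ... inside a 10 s sliding window

class RuleEngine:
    """Rule-based checks over (mac, rssi, channel, epoch seconds) records from the sniffer."""
    def __init__(self):
        self.history = defaultdict(deque)  # mac -> deque of (ts, rssi) inside the flood window

    def check(self, mac, rssi, ch, ts):
        """Return the list of (severity, rule) pairs triggered by this one record."""
        alerts = []
        if datetime.fromtimestamp(ts, tz=timezone.utc).hour not in ALLOWED_HOURS:
            alerts.append(("low", "out_of_hours"))
        if rssi < WEAK_RSSI_DBM:
            alerts.append(("low", "weak_rssi"))
        hist = self.history[mac]
        if hist:
            last_ts, last_rssi = hist[-1]
            if ts - last_ts <= SPOOF_WINDOW_S and abs(rssi - last_rssi) >= SPOOF_RSSI_DELTA:
                alerts.append(("high", "mac_spoofing"))
        hist.append((ts, rssi))
        while ts - hist[0][0] > FLOOD_WINDOW_S:   # expire records older than the window
            hist.popleft()
        if len(hist) > FLOOD_MAX_FRAMES:
            alerts.append(("high", "dos_like"))
        return alerts

# Constructed sample stream: DAY is 2023-11-15 00:00:00 UTC, NOON is 12:00 the same day.
DAY, NOON = 1_700_006_400, 1_700_006_400 + 12 * 3600
SAMPLE = [
    ("aa:bb:cc:00:00:01", -60, 6, NOON),            # normal device during allowed hours
    ("aa:bb:cc:00:00:01", -62, 6, NOON + 1),        # small RSSI drift: benign
    ("aa:bb:cc:00:00:01", -20, 6, NOON + 2),        # same MAC, 42 dBm jump 1 s later
    ("aa:bb:cc:00:00:02", -90, 6, NOON + 5),        # very weak signal
    ("aa:bb:cc:00:00:03", -55, 6, DAY + 3 * 3600),  # 03:00 UTC: out of hours
] + [("aa:bb:cc:00:00:04", -50, 6, NOON + 10 + i * 0.1) for i in range(60)]  # probe flood

def run_sample():
    """Feed SAMPLE through a fresh engine and return every (mac, rule) that fired."""
    engine = RuleEngine()
    return [(mac, rule) for mac, rssi, ch, ts in SAMPLE
            for _sev, rule in engine.check(mac, rssi, ch, ts)]
```

On the constructed stream the engine flags one weak-signal record, one spoofing candidate, one out-of-hours record and ten flood alerts (one per frame beyond the 50-frame window limit).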
Software Design

<note tip>Key Software Tools
  • Arduino IDE / PlatformIO (ESP32 firmware)
  • BLEDevice.h, esp_wifi.h (ESP32 sniffing & BLE)
  • BlueZ / Python-BLE / bleak (Raspberry Pi BLE server)
  • InfluxDB 2.0 (time-series database)
  • Home Assistant / Slack (optional, for alert forwarding)
</note>

Workflow Description

  • ESP32 Initialization
      • Wi-Fi promiscuous mode activated
      • BLE client initialized
  • Packet Capture & Filtering
      • Capture beacon/probe packets
      • Extract MAC, RSSI, channel, and timestamp
  • Data Transmission
      • Periodic BLE packets sent to Raspberry Pi
  • Raspberry Pi Logging & Analysis
      • BLE server receives and parses incoming payloads
      • Data stored in InfluxDB
      • Python scripts apply rules to flag anomalies
  • Alerting using Slack / Home Assistant

Code Snippets

ESP32 BLE Sniffer Loop

<code c>
#include "esp_wifi.h"

#define RSSI_THRESHOLD -80   // example value; the project's actual threshold is not given on this page

// Defined elsewhere in the project's firmware (signature assumed): packs the metadata and sends it over BLE
void sendBLE(const uint8_t *mac, int rssi, uint8_t channel);

// Promiscuous-mode callback registered with esp_wifi_set_promiscuous_rx_cb()
void sniffer_callback(void *buf, wifi_promiscuous_pkt_type_t type) {
  const wifi_promiscuous_pkt_t *pkt = (const wifi_promiscuous_pkt_t *)buf;
  if (type == WIFI_PKT_MGMT) {            // beacons and probe requests are management frames
    int rssi = pkt->rx_ctrl.rssi;
    // Bytes 10..15 of an 802.11 management header hold the transmitter address (addr2)
    const uint8_t *mac = pkt->payload + 10;
    if (rssi > RSSI_THRESHOLD) {
      // Format payload and forward it to the Raspberry Pi
      sendBLE(mac, rssi, pkt->rx_ctrl.channel);
    }
  }
}
</code>

Raspberry Pi - BLE Receive Handler

<code python>
def on_ble_receive(data):
    # parse_payload, influx and check_anomalies are defined elsewhere in the project.
    # Unpack the metadata record sent by the ESP32 over BLE.
    mac, rssi, ch, ts = parse_payload(data)
    # Store one point in the wifi_activity measurement, keyed by MAC and channel.
    influx.write({
        "measurement": "wifi_activity",
        "tags": {"mac": mac, "channel": ch},
        "fields": {"rssi": rssi},
        "time": ts,
    })
    # Run the rule-based checks (out-of-hours, spoofing, flood, weak RSSI) on the new record.
    check_anomalies(mac, rssi, ts)
</code>

Challenges

  • BLE throughput is limited; batching or compression required
  • ESP32 promiscuous mode isn't officially supported for all firmware versions
  • Managing BLE connections with stability on Pi (BlueZ had quirks)
  • Time sync and timestamping between devices
  • IDS logic is simplistic and rule-based, not ML-driven
  • Many false positives in noisy Wi-Fi environments

Limitations

  • Range is limited by BLE and RSSI reliability
  • Not a true security-grade IDS, better suited for small networks or educational use
  • ESP32 can only sniff the 2.4 GHz band
  • Detection rules are hardcoded, not adaptive

References

  • ESP32 BLE Docs
  • InfluxDB Python Client
  • PlatformIO for ESP32
  • Home Assistant BLE Integrations
iothings/proiecte/2025sric/network_monitoring_and_alert_system.1748465014.txt.gz · Last modified: 2025/05/28 23:43 by andrei.bebu
CC Attribution-Share Alike 3.0 Unported