BLE Packet Structure Reference
Comprehensive reference for Bluetooth Low Energy packet formats — advertising PDU layout, AD structure encoding, common AD type codes, and GATT/ATT protocol opcodes.
Advertising PDU Structure
Every BLE advertising packet on the physical layer follows this structure. The access address 0x8E89BED6 is fixed for all advertising channel PDUs.
| Field | Size | Description |
|---|---|---|
| Preamble | 1 byte | 0xAA — alternating bits for receiver synchronization |
| Access Address | 4 bytes | 0x8E89BED6 — fixed for advertising channels |
| PDU Header | 2 bytes | PDU type, TxAdd, RxAdd, payload length |
| Payload | 6–37 bytes | AdvA (6B advertiser address) + AdvData (0–31B) |
| CRC | 3 bytes | 24-bit CRC over Header + Payload |
AA D6BE898E 4006 B4994C64E1F8 0201061106... A3B2C1

PDU Header Format
The 2-byte PDU header encodes the advertising type, address flags, and payload length.
| Bits | Field | Description |
|---|---|---|
| 0–3 | PDU Type | Advertising PDU type (see values below) |
| 4–5 | RFU | Reserved for future use |
| 6 | TxAdd | 0 = public address, 1 = random address |
| 7 | RxAdd | 0 = public address, 1 = random address |
| 8–13 | Length | Payload length in bytes (6–37) |
| 14–15 | RFU | Reserved for future use |
PDU Type Values
| Value | Name | Description |
|---|---|---|
| 0000 | ADV_IND | Connectable undirected advertising |
| 0001 | ADV_DIRECT_IND | Connectable directed advertising |
| 0010 | ADV_NONCONN_IND | Non-connectable undirected advertising |
| 0011 | SCAN_REQ | Scan request from scanner |
| 0100 | SCAN_RSP | Scan response from advertiser |
| 0101 | CONNECT_IND | Connection request |
| 0110 | ADV_SCAN_IND | Scannable undirected advertising |
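
The header layout and PDU type table above, decoded defensively. This is an added example, not code from the original page; `parse_adv_header` and its result keys are hypothetical names. It assumes bit 0 is the least significant bit of the first header byte and that the address is in on-air (least significant byte first) order, and it takes its sample bytes from the header and address of the example packet above.

```python
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}


def parse_adv_header(pdu: bytes):
    """Decode header + payload (preamble, access address and CRC removed)."""
    if len(pdu) < 2:
        raise ValueError("truncated header")
    hdr = int.from_bytes(pdu[:2], "little")  # bit 0 = LSB of the first byte
    pdu_type = hdr & 0x0F                    # bits 0-3
    length = (hdr >> 8) & 0x3F               # bits 8-13
    if pdu_type not in PDU_TYPES:
        raise ValueError(f"unknown PDU type {pdu_type:04b}")
    if not 6 <= length <= 37:
        raise ValueError(f"payload length {length} outside 6-37")
    if len(pdu) - 2 != length:
        # Never trust the length field over the bytes actually captured.
        raise ValueError("header length does not match captured payload")
    return {
        "type": PDU_TYPES[pdu_type],
        "tx_add": "random" if (hdr >> 6) & 1 else "public",
        "rx_add": "random" if (hdr >> 7) & 1 else "public",
        "length": length,
        "rfu_clear": (hdr & 0xC030) == 0,    # bits 4-5 and 14-15
        # First address field (AdvA for advertising PDUs), shown MSB first.
        "addr": ":".join(f"{b:02X}" for b in reversed(pdu[2:8])),
        "adv_data": pdu[8:],
    }


# Header (4006) and address bytes of the example packet shown earlier.
SAMPLE = bytes.fromhex("4006B4994C64E1F8")
```
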
AD Structure Format
The advertising data (AdvData) portion of the payload consists of one or more AD structures, each using Length-Type-Value encoding.
| Field | Size | Description |
|---|---|---|
| Length | 1 byte | Number of bytes that follow (Type + Data) |
| AD Type | 1 byte | Data type identifier (see table below) |
| AD Data | Length−1 bytes | Type-specific payload data |
Multiple AD structures are concatenated. For example, 02 01 06 07 09 41 69 72 42 4C 45 contains two structures: Flags (0x06) and Complete Local Name ("AirBLE").
Common AD Type Codes
These are the most frequently encountered AD type codes in BLE advertising data, as defined by the Bluetooth SIG.
| Code | Name | Description |
|---|---|---|
| 0x01 | Flags | Discoverable mode, BR/EDR support flags |
| 0x02 | Incomplete 16-bit Service UUIDs | Partial list of 16-bit service class UUIDs |
| 0x03 | Complete 16-bit Service UUIDs | Complete list of 16-bit service class UUIDs |
| 0x04 | Incomplete 32-bit Service UUIDs | Partial list of 32-bit service class UUIDs |
| 0x05 | Complete 32-bit Service UUIDs | Complete list of 32-bit service class UUIDs |
| 0x06 | Incomplete 128-bit Service UUIDs | Partial list of 128-bit service class UUIDs |
| 0x07 | Complete 128-bit Service UUIDs | Complete list of 128-bit service class UUIDs |
| 0x08 | Shortened Local Name | Shortened UTF-8 device name |
| 0x09 | Complete Local Name | Complete UTF-8 device name |
| 0x0A | TX Power Level | Transmit power level, signed int8 in dBm |
| 0x0D | Class of Device | Class of Device field (3 bytes) |
| 0x14 | List of 16-bit Service Solicitation UUIDs | UUIDs the device is looking for |
| 0x16 | Service Data — 16-bit UUID | 16-bit UUID (2B LE) + service-specific data |
| 0x19 | Appearance | 16-bit appearance value (device icon hint) |
| 0x1F | List of 32-bit Service Solicitation UUIDs | 32-bit UUIDs the device is looking for |
| 0x20 | Service Data — 32-bit UUID | 32-bit UUID (4B LE) + service-specific data |
| 0x21 | Service Data — 128-bit UUID | 128-bit UUID (16B LE) + service-specific data |
| 0xFF | Manufacturer Specific Data | Company ID (2B LE) + manufacturer payload |
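
A bounds-checked parser for the Length-Type-Value encoding and a few of the AD types listed above. This is an added example, not code from the original page; the function names are hypothetical. It treats a zero Length byte as early termination (padding) and rejects any structure whose Length runs past the buffer, since AdvData comes from an untrusted transmitter.

```python
import struct

# AD type codes from the table above (only a subset is interpreted here).
FLAGS, UUID16_PART, UUID16_FULL = 0x01, 0x02, 0x03
NAME_SHORT, NAME_FULL, TX_POWER, MFG_DATA = 0x08, 0x09, 0x0A, 0xFF


def split_ad(adv_data: bytes):
    """Split AdvData into (ad_type, data) pairs, rejecting bad lengths."""
    if len(adv_data) > 31:
        raise ValueError("AdvData longer than 31 bytes")
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:  # assumption: zero length = early termination
            break
        if i + 1 + length > len(adv_data):
            raise ValueError(f"AD structure at offset {i} overruns buffer")
        out.append((adv_data[i + 1], adv_data[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def decode_ad(ad_type: int, data: bytes):
    """Interpret common AD types; anything else is returned as raw hex."""
    if ad_type == FLAGS and len(data) == 1:
        return ("Flags", data[0])
    if ad_type in (NAME_SHORT, NAME_FULL):
        # Device names are sender-controlled and may not be valid UTF-8.
        return ("Local Name", data.decode("utf-8", errors="replace"))
    if ad_type == TX_POWER and len(data) == 1:
        return ("TX Power dBm", struct.unpack("b", data)[0])
    if ad_type in (UUID16_PART, UUID16_FULL) and len(data) % 2 == 0:
        return ("16-bit UUIDs", [u for (u,) in struct.iter_unpack("<H", data)])
    if ad_type == MFG_DATA and len(data) >= 2:
        return ("Manufacturer", (int.from_bytes(data[:2], "little"), data[2:].hex()))
    return (f"0x{ad_type:02X}", data.hex())


def parse_adv_data(adv_data: bytes):
    return [decode_ad(t, d) for t, d in split_ad(adv_data)]


# The two-structure example quoted in the AD Structure Format section.
PAGE_EXAMPLE = bytes.fromhex("02 01 06 07 09 41 69 72 42 4C 45")
```
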
GATT/ATT Protocol
After a BLE connection is established, data exchange uses the Attribute Protocol (ATT). Each ATT PDU begins with a 1-byte opcode followed by operation-specific parameters.
| Field | Size | Description |
|---|---|---|
| Opcode | 1 byte | ATT operation code (includes auth flag in bit 6, command flag in bit 7) |
| Parameters | variable | Operation-specific data fields |
Common ATT Opcodes
| Opcode | Name | Description |
|---|---|---|
| 0x01 | Error Response | Server reports an error for a prior request |
| 0x02 | Exchange MTU Request | Client requests a larger MTU size |
| 0x03 | Exchange MTU Response | Server replies with supported MTU |
| 0x04 | Find Information Request | Discover attribute handles and types (descriptors) |
| 0x05 | Find Information Response | Returns handle-UUID pairs |
| 0x08 | Read By Type Request | Read characteristics by UUID within handle range |
| 0x09 | Read By Type Response | Returns matching attribute values |
| 0x0A | Read Request | Read an attribute value by handle |
| 0x0B | Read Response | Returns the requested attribute value |
| 0x10 | Read By Group Type Request | Discover services (primary/secondary) |
| 0x11 | Read By Group Type Response | Returns service handle ranges and UUIDs |
| 0x12 | Write Request | Write an attribute value (with confirmation) |
| 0x13 | Write Response | Server confirms the write succeeded |
| 0x1B | Handle Value Notification | Server pushes value update (no confirmation) |
| 0x1D | Handle Value Indication | Server pushes value update (requires confirmation) |
| 0x1E | Handle Value Confirmation | Client confirms receipt of indication |
| 0x52 | Write Command | Write without response (fire-and-forget) |