ventetigenja

Cc2531 Wireshark Zigbee: Best Practices and Recommendations for Sniffing Zigbee Traffic



On Ubuntu / Debian, start Wireshark with sudo whsniff -c ZIGBEE_CHANNEL_NUMBER | wireshark -k -i -. Note: Depending on your distro and installed packages, this may result in a broken pipe after some time. You will notice that Wireshark has stopped capturing, and attempting to resume by clicking the shark fin icon will present you with the error "end of file on pipe magic during open". If this happens, you may need to start with wireshark -k -i







So cool! I have started to dive into possibly sniffing through the Entertainment Area/Sync zigbee commands and your work is the closest I have seen to making sense of this traffic. Have you continued your research into this? Thank you for what you have put out so far!


I'm getting started creating a Dissector for an IEEE 802.15.4 packet. I'm using the TI cc2531 dongle and the python script ccsniffpiper to get data into Wireshark. So far so good as I can see the packets as raw 802.15.4 packets just fine. My problem is with dissecting the payload with my custom protocol. It seems that Wireshark is designed assuming that the 802.15.4 destination addresses are significant in the sense that ports are intended to hint at what the packet type is. For 15.4 that is often just not the case. For 15.4 the destination is more akin to an IP address. I want to decode every 15.4 packet I see. In my case, I have my protocol hiding inside the "data" section of 15.4 packets with the first byte of the data indicating the packet type. I have no problem creating a simple Lua dissector to walk through things and build out some simple trees, but as far as I can tell, I have to go in by hand in the GUI and tell the program to Decode As "MyProtocol" for each new destination address that becomes allocated by the master 15.4 device. My need is to make my dissector promiscuous to all 15.4 destination addresses. I've found notes where dissector_add_for_decode_as was exposed to Lua ( "Wireshark-commits: [Wireshark-commits] master 016769d: Expose dissector_add_for_decode_as() to Lua"), but I can't find any examples on how to use it in Lua for 15.4.


Originally I used ccsniffpiper (and the tools I built it from), and wrote dissectors in Lua which I loaded into Wireshark. However, I found that this process was slow and tedious for a number of reasons (doing the Lua dissectors was tricky, loading them into Wireshark was not always straightforward, and using Python was faster overall).


Reaching out to the community, I learned that another dongle existed known as the ApiMote, and it also came pre-installed with the Killerbee framework. I also found out that it was available through the Attify Store ( -store.com/products/apimote-for-zigbee-sniffing-and-transmission) for $149. This transceiver dongle is also capable of packet injection!


Navigate to C:\Program Files (x86)\Texas Instruments\SmartRF Tools\SmartRF Packet Sniffer 2\wireshark\plugins\2.4.x\ and copy ti802154ge-x64-2x.dll and tirpi-x64-2x.dll to C:\Program Files\Wireshark\plugins\2.4.3\


Before starting Wireshark on Ubuntu Linux, configure user permissions for Wireshark if necessary. Installing Wireshark should create a wireshark user group. Only users belonging to that group can capture from network interfaces.


Issue: "Couldn't run /usr/bin/dumpcap in child process: Permission denied." Solution: Add the correct USER to wireshark group. Log out and log in again. New user group settings should apply.


Run the Flash Programmer software. In the Flash image section, select the file sniffer_fw_cc2531.hex in the directory C:\Program Files (x86)\Texas Instruments\SmartRF Tools\Packet Sniffer\bin\general\firmware\ and click Perform actions.

