
Sniffing Zigbee traffic

MattWestb edited this page Aug 19, 2021 · 2 revisions

Sniffing hardware:

TI CC-2531 with sniffing firmware.

EM35x and EFR32 devices with working NCP EZSP firmware.

The standard NCP EZSP firmware has a sniffing mode integrated (unless it was disabled at compile time).
It is not possible to use the sniffer mode while the NCP is active in a network (as an end device, router or coordinator).
EZSP 6.7.9.0 and earlier also passes the IEEE 802.15.4 MAC-layer frames such as Acks, but EZSP 6.8.0.0 and newer filters out all 802.15.4 Ack frames, so you cannot see them, which is a problem when you are looking for missed or corrupted packets.
Silabs also introduced a bug in the EZSP 6.8.0.0 stack: the checksum (FCS) in the captured frames is not correct, so the latest Wireshark versions flag every packet as faulty and the capture is not usable. bellows has a workaround for this: when using the dump function it recalculates the checksum for EZSP protocol version 8 devices.
Silabs has opened a ticket for it, but if and when it will be fixed is not known.

NXP has sniffer firmware for some of its hardware, but I do not know the details.

Silabs WSTKs with PTI.

Silabs WSTK kits (from $94, Ethernet and USB) and the Thunderboard Sense 2 ($20, USB) have an integrated J-Link with PTI (Packet Trace Interface: the data as it comes from the radio, not what the Zigbee stack sees). It can be used for in-depth analysis of sequences, missed packets, missed IEEE 802.15.4 Acks and faulty packets (it needs Silabs Simplicity Studio, but no licence for Zigbee stack access). This kind of sniffing is possible while an application is running on the chip, since the radio output is tapped in hardware and the chip / board CPU is not involved.

Sniffing software:

Wireshark plus a driver for the sniffer hardware (see the note on EZSP 6.8.0.0 above for the new bug).
EZSP: install the interface driver from com.zsmartsystems.zigbee.sniffer, start the Java app with your hardware parameters, and it should pipe the traffic to Wireshark.

It is also possible to use bellows (for EM35x and EFR32 hardware) for sniffing with its dump command, which saves all traffic to a dump file that can be opened with Wireshark.
This last method also works with network-connected NCPs like the Tuya ZBGW.
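The EZSP 6.8.0.0 checksum problem described under "Sniffing hardware" and the bellows dump workaround mentioned above can be shown in a few lines. The following is an added example written for this page; it is not bellows' or Silabs' code. It assumes (hypothetically) that the sniffer hands over each 802.15.4 MPDU with a trailing 2-byte FCS that may be wrong, recomputes the ITU-T CRC-16 that 802.15.4 uses as FCS, counts the Ack frames so you can see whether your NCP firmware is still passing them, and writes a classic pcap (link type 195, IEEE 802.15.4 with FCS) that Wireshark can open. The sample frames are constructed for the example with a deliberately bad FCS of 0x0000.

```python
# Added example, not bellows' or Silabs' code: repair the IEEE 802.15.4 FCS on sniffed
# frames and write them to a pcap for Wireshark.
# Assumption (hypothetical): each frame arrives as MPDU + 2 FCS bytes, FCS possibly wrong.
import struct
from typing import Iterable, List

LINKTYPE_IEEE802_15_4_WITHFCS = 195  # pcap DLT; Wireshark verifies the trailing FCS itself
MAC_FRAME_TYPE_ACK = 2               # frame type field, low three bits of the FCF


def crc16_802154(data: bytes) -> int:
    """ITU-T CRC-16 used as the 802.15.4 FCS: poly 0x1021 bit-reversed (0x8408),
    init 0, input/output reflected, no final XOR. Check value for b"123456789" is 0x2189."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc & 0xFFFF


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing FCS (little-endian on air) matches the MPDU, as Wireshark checks."""
    if len(frame) < 3:
        return False
    return struct.unpack("<H", frame[-2:])[0] == crc16_802154(frame[:-2])


def fix_fcs(frame: bytes) -> bytes:
    """Replace the last two bytes with a recalculated FCS over the MPDU."""
    mpdu = frame[:-2]
    return mpdu + struct.pack("<H", crc16_802154(mpdu))


def is_ack(frame: bytes) -> bool:
    """802.15.4 Ack frames carry frame type 2 in the FCF."""
    return (frame[0] & 0x07) == MAC_FRAME_TYPE_ACK


def count_acks(frames: Iterable[bytes]) -> int:
    """Zero here on a capture from an NCP that filters Acks (EZSP 6.8.0.0 and newer)."""
    return sum(1 for f in frames if is_ack(f))


def repair_capture(frames: Iterable[bytes]) -> List[bytes]:
    """Recalculate the FCS on every frame, leaving the MPDU untouched."""
    return [fix_fcs(f) for f in frames]


def build_pcap(frames: Iterable[bytes]) -> bytes:
    """Serialize frames as a classic pcap: magic 0xa1b2c3d4, version 2.4, DLT 195.
    Timestamps are synthetic (frame index as seconds) since the sample has none."""
    out = bytearray(
        struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_15_4_WITHFCS)
    )
    for index, frame in enumerate(frames):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", index, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


# Constructed sample frames (not real captures), both with a wrong FCS of 0x0000:
# an Ack (FCF 0x0002, seq 0x5a) and a data frame (FCF 0x8841, seq 0x10,
# PAN 0x1234, dst short 0x0000, src short 0xabcd, arbitrary payload).
BAD_ACK = bytes.fromhex("02005a") + b"\x00\x00"
BAD_DATA = bytes.fromhex("41881034120000cdab") + b"\x09\x12\xfc\xff\x00\x00\x01" + b"\x00\x00"
SAMPLE_CAPTURE = [BAD_ACK, BAD_DATA]

if __name__ == "__main__":
    fixed = repair_capture(SAMPLE_CAPTURE)
    print("acks seen:", count_acks(fixed), "all FCS ok:", all(fcs_ok(f) for f in fixed))
    with open("sniff_fixed.pcap", "wb") as fh:  # open this file in Wireshark
        fh.write(build_pcap(fixed))
```

Open the written file in Wireshark with the IEEE 802.15.4 dissector and the frames will no longer be flagged as bad FCS; a capture from a 6.8.0.0 or newer NCP will still show no Ack frames, which is what `count_acks` makes visible.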

IKEA GW

One note for people who want to sniff traffic from the IKEA GW and other ZLL gateways.
It should be possible to calculate the Light Link network key from a sniffed Touchlink pairing, but the Zigbee (LL) standard has several different methods for encrypting the network key, and I was not able to get the key this way yet. All ZLL gateways shall, however, support "classical pairing", i.e. the Zigbee 3 / ZHA standard (on the IKEA GW by pressing the pairing button under the hood for some seconds), and that pairing can be sniffed like a normal ZHA pairing. You can find the key if you have the right master key configured in Wireshark (Wireshark said it was using the Philips HUE ZLL key in my case).
It should be possible to calculate the Light Link Network Key from a sniffed Touch Link pairing, but the Zigbee (LL) standard has many different methods for encrypting the network key. I wasn't able to get the key yet this way. But all ZLL GW shall have the possibility to do "classical pairing" aka Zigbee 3 / ZHA standard (by IKEA GW) by pressing the under hood pairing key on the GW for some seconds and sniffing the pairing as normal ZHA pairing. You can find the key if you have the right master key configuration in Wireshark (Wireshark said it was using the Philips HUE ZLL key in my case).