Zigbee Packet Sniffer - Cheap & Works


#21

Just ordered one from Amazon. Thanks for the recommendation.


#22

Oh no - it was a joke! I've got that CC2531 on the way, and will make it work one way or another.

But thank you!


#23

Vee
Everyone is eager to have the Xiaomi devices working flawlessly. :wink:


#24

I can't try it out yet, but my research on a solution for getting packets from the CC2531 sniffer to Wireshark for decryption/decoding keeps turning up an open source custom firmware + Windows or Ubuntu client solution called ZBOSS Sniffer. It requires some initial setup in Wireshark, but apparently should do the trick. The only downside is that it seems it hasn't been updated since it was released in 2013.

If you have a Mac, there's also a Python based solution called ccsniffpiper here. The main advantage of this solution is that it works with the original TI firmware for the CC2531, and just creates a pipe that makes the packets available to Wireshark. I plan on trying this solution first when I receive my CC2531. I plan to try this solution if the new TI sniffer software doesn't do the trick.

I found a reference to ccsniffpiper in a very informative PDF document explaining how to set up and use Wireshark to do ZigBee sniffing.

EDIT - I should have just looked at the information on TI's download page for the new version of their SmartRF Packet Sniffer software. It states that the software includes "Dissectors for Wireshark" and that it "uses Wireshark for packet display and filtering". Further down the page, the CC2531 USB Dongle is listed as supported for ZigBee protocol sniffing. So I'll try this solution first!


#25

For those of you that ordered two hubs and have a spare husbzb-1 stick, it looks like you can sniff with that as well.

I just had some success using this library: GitHub - zsmartsystems/com.zsmartsystems.zigbee.sniffer: ZigBee sniffer using Ember NCP and routing packets to Wireshark for display

There's a compiled jar at the bottom and a PDF to add your network keys (I grabbed the network key using their other zsmartsystems console library and the console command ncpsecuritystate).

java -jar ZigBeeSniffer.jar -port COM14 -baud 57600 -flow hardware -c 14 -w test.pcap


#26

CC2531 from Banggood arrived today, earlier than expected. The link I used to download the SmartRF packet sniffer software didn't include the 64-bit Windows 10 Cebal drivers; they are available here: [Resolved] CC debugger driver on windows 10 (64-bit) - Other wireless technologies forum - Other wireless - TI E2E Community

Look for the link to the zip file in the green outlined box on that page; they can be extracted and used to manually install from Windows Device Manager.


#27

I give you full credit for bringing Xiaomi device discussion to top trending subject on this forum! :+1:


#28

:joy::rofl::joy::rofl:


#29

My CC2531 arrived today and I had a quick play

As @guyeeba mentioned above, it doesn't seem to be supported by the TI SmartRF Packet Sniffer 2 software (which outputs to Wireshark) but works with the original SmartRF Packet Sniffer software (which is a bit rubbish).

I found this though - Sun May Sky: How to use CC2531EMK and Wireshark as Zigbee sniffer.

And it seems to work ... in as much as I can get data flowing into Wireshark using it.

@guyeeba does this mean your tool isn't needed? Also, do you have any hints on getting the decoding side working with security keys etc?


#30

In case you managed to route the Zigbee packets to Wireshark, then... no, my tool is for people who have to live with the legacy Packet Sniffer (like me).

The keys have to be set in Wireshark in the Edit/Preferences/Protocols/Zigbee/Pre-Configured Keys dialog (Security level has to be "AES-128 Encryption, 32-bit Integrity Protection").

The first key you need is the Trust Center Key, which is 5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39 (Normal byte order).

Then you have to start capturing, and join a new device to the network. In the capture, you'll find a frame where the coordinator sends the network key to the new member of the network (Wireshark points to this frame in every decrypted frame's security header in case you don't want to find it manually). You have to add this key to the Pre-Configured Keys list. Wireshark recognizes and uses these keys automatically, but only for the scope of one capture, so it's advised to add all your network keys to the list, so they'll be remembered permanently. :slight_smile:

At the end of the day you'll have a list of keys for all your networks, chosen and used automatically by Wireshark, similar to this one:
image

...or at least this is how I remember, but the process is probably quite similar to this one. :slight_smile: But feel free to ask if I forgot something...
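
An added example, not part of the original post and not code from Wireshark or TI: key strings copied from different tools arrive in different notations, so this helper validates them as 128-bit keys and normalises them to the colon-separated, normal-byte-order form used in the Pre-Configured Keys dialog. The function names, the labels and the sample network key are assumptions made up for illustration; only the Trust Center key comes from the post.

```python
import re

# Trust Center link key quoted in the post above (normal byte order).
# Its 16 bytes are the ASCII string "ZigBeeAlliance09".
TC_LINK_KEY = "5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39"


def parse_key(text):
    """Parse a 128-bit key given as plain, 0x-prefixed or separated hex."""
    cleaned = re.sub(r"0[xX]", "", text)        # drop 0x prefixes
    cleaned = re.sub(r"[\s:,\-]", "", cleaned)  # drop common separators
    if not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError(f"not a hex key: {text!r}")
    if len(cleaned) != 32:
        raise ValueError(f"expected 16 bytes, got {len(cleaned) / 2:g}")
    return bytes.fromhex(cleaned)


def wireshark_row(text, label, reversed_order=False):
    """Return (Key, Byte Order, Label) for the Pre-Configured Keys dialog."""
    key = parse_key(text)
    if reversed_order:      # source tool printed the key last byte first
        key = key[::-1]
    return (":".join(f"{b:02X}" for b in key), "Normal", label)


def build_key_list(entries):
    """De-duplicate (key text, label, reversed?) entries into dialog rows."""
    rows, seen = [], set()
    for text, label, rev in entries:
        row = wireshark_row(text, label, rev)
        if row[0] not in seen:
            seen.add(row[0])
            rows.append(row)
    return rows


# Constructed sample input: the network key below is made up for illustration.
SAMPLE = [
    (TC_LINK_KEY, "Trust Center link key", False),
    ("0x00112233445566778899AABBCCDDEEFF", "Home network (constructed)", False),
    ("FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00", "same key, reversed", True),
]

if __name__ == "__main__":
    for row in build_key_list(SAMPLE):
        print(",".join(row))
```
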


#31

Thanks for the pointers, will give that a go later on today :slight_smile:

Yes, I was the same ... my CC2531 only worked with the legacy Packet Sniffer ..... but following that link above, it seems to be working with the "TI Wireshark Packet Converter" directly into Wireshark now, so I think it should work for you too?


#32

My CC2531 has no headers to connect it to a CC debugger, so these solutions are not working for me...

...but I had nothing to lose, so I tried it with the stick's original firmware...

...and it's working flawlessly. :slight_smile:

It seems I've always had the sniffer firmware installed. But back in my time this packet converter was probably hidden from google, that's why I decided to make one for myself.

Thanks for convincing me to give it a try! :+1:


#33

Great to hear. I'm hoping all y'all "smarter than me" folks will find it valuable and help us gain better zigbee stability.


#34

No problem, glad it's working for you!

I got my network key earlier today and now just need to get some time with the protocol to understand it more.

One thing I did ask the Wireshark guys was whether they could extend their MAC address lookup via the ethers file to work with 64-bit MAC addresses, as that would allow you to provide a map file to resolve the MAC address to real device names, which would be really useful.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15487