This README documents how I was able to use wireshark to sniff Zigbee packets using a FreakLabs FreakUSB 2.4 GHz dongle.
I mostly followed the directions on this blog post but I had to make some changes.
Environment:
- Ubuntu 18.04 LTS
- Wireshark 2.4.5
- Arduino 1.8.5 (since that was the version used in the FreakLabs tutorial)
- FreakUSB 2.4 GHz dongle + 3 dBi Antenna (the Freakduino 128P 2.4 GHz board should work just as well).
I followed the Installing the chibiArduino Library & FreakLabs Board Files video after installing Arduino 1.8.5.
I modified the arduino chibi_ex09_wsbridge slightly to add selecting a channel. This should match the channel chosen by the Zigbee controller. You can find my modified version here.
For the mozilla-iot project, the channel number is printed to the log file when the zigbee adapter is started. You should see something like the following:
2018-05-25 12:35:06.190 zigbee: Device Type: 0x3000c - XStick
2018-05-25 12:35:06.190 zigbee: Network Address: 0013a20040a3b8a9 0000
2018-05-25 12:35:06.190 zigbee: Node Identifier: Master
2018-05-25 12:35:06.190 zigbee: Configured PAN Id: ce20cf885305ef53
2018-05-25 12:35:06.191 zigbee: Operating PAN Id: ce20cf885305ef53 599d
2018-05-25 12:35:06.191 zigbee: Operating Channel: 20
2018-05-25 12:35:06.191 zigbee: Channel Scan Mask: 1ffe
2018-05-25 12:35:06.191 zigbee: Join Time: 0
2018-05-25 12:35:06.191 zigbee: Remaining Children: 10
2018-05-25 12:35:06.191 zigbee: Stack Profile: 2
2018-05-25 12:35:06.191 zigbee: API Options: 1
2018-05-25 12:35:06.191 zigbee: Encryption Enabled: 1
2018-05-25 12:35:06.191 zigbee: Encryption Options: 2
The Operating Channel:
(which is 20 in the example above) is the channel you need to set.
The wsbridge program has a serious flaw in the linux version. It winds up stripping the high bit off of every byte received over the serial port. I put a corrected version here
In order to decode the Zigbee packets, you need to set the Trust Center Link
key in wireshark.
- Choose Edit->Preferences
- Click the tippy triangle beside
Protocols
and scroll down toZigbee
and click on it. - Select
AES Encryption, 32-bit Integrity Protection
for Security Level (it was already selected for me). - Click on
Edit
for thePre-configured keys
- Click on
+
(lower left) - Enter "ZigBeeAlliance09" (with the quotes) into the key field. Note the capital B in ZigBee.
- A byte order of
Normal
is fine. - I entered
Trust Center Link Key
as the label (this is optional) - Click
Ok
Enable the Zigbee protocols.
- Choose Ananlyze->Enabled Protocols
- Click on
Disable All
- Enable
IEEE 802.15.4
- Enable all of the protocols which start with
ZCL
- Enable all of the protocols which start with
ZigBee
- Click
Ok
For the version of wireshark I was using (2.4.5), adding the /tmp/wireshark pipe interface didn't match up with the screen shots. This is how I did it:
- Start wsbridge (this will create the /tmp/wireshark named pipe).
- Choose Capture->Options and click on the
Manage Interfaces
button (bottom right) - Click on the
Pipes
tab. - Click on the
+
in the bottom left - Make sure that you've already started wsbridge and that the /tmp/wireshark named pipe exists, otherwise wireshark won't save anything.
- Double click on the
New Pipe
text and type in/tmp/wireshark
and press RETURN. - Click OK
- If you sroll to the bottom of the list in the
Input
tab you should see the /tmp/wireshark entry. - select it and click
Ok
In order to properly decode the packets, wireshark needs to see the key exchange which occurs when you pair a device. So if your device
already paired, then unpair it and repair it so that wireshark can pick up the key (which is different from the ZigBeeAlliance09
key referred to above).
Here's a screenshot showing an exchange between the Mozilla IOT gateway and a phillips Hue bulb: