This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark to analyze 802.15.4 packet

0

Hi,

I want to analyze 802.15.4 packet using wireshark. I am encapsulating 802.15.4 packet into udp and sending it to my pc. But anyhow I am unable to decode packet as a 802.15.4.

Does any know in what format I should send this packet so that wireshark can decode it easily. Is there any significance of ether type(809a) while sending in udp? This is my setup: Wireshark<-ethernet->My 802.15.4 hardwere.

Regards, Mahesh Sutariya

asked 15 May '12, 07:02

maheshsutariya's gravatar image

maheshsutariya
6112
accept rate: 0%

Hi,

  1. did you enable IEEE 802.15.4 dissection (Analyze -> Enabled Protocols -> IEEE 802.15.4)?
  2. how did you create the encapsulating udp packet/header?
  3. can you see any data in the udp packet?
  4. can you post 3-4 packets on cloudshark.org for further analysis?

BTW: Here is an interesting article about 802.15.4 sniffing using a pipe.

http://freaklabs.org/index.php/Tutorials/Software/Feeding-the-Shark-Turning-the-Freakduino-into-a-Realtime-Wireless-Protocol-Analyzer-with-Wireshark.html

Regards
Kurt

(15 May '12, 07:47) Kurt Knochner ♦

Hi Kurt, I am using default wireshark and all the protocol including 802.15.4, Zep, 6Lowpan is enabled. I can see sent data in UDP packet I receive in wireshark, but they are not decoded.

I checked out that freaklabs article by akiba, I am not using any kind of piping, I am sending udp packet just like a syslog message from external Ethernet hardware to a normal Ethernet interface of my PC.

I am sending pcap capture on cloudshark.. please check it. I am sending beacon request to wireshark as provided in pcap capture on 802.15.4 wiki page to port 17754.

Regards, Mahesh

(15 May '12, 20:25) maheshsutariya

This is a capture url:http://cloudshark.org/captures/70714d83a585 apply this filter udp.port==17754

(15 May '12, 20:37) maheshsutariya

3 Answers:

0

O.K. there is 802.15.4 beacon data in the UDP packet (bytes: 030806ffffffff070507).

http://cloudshark.org/captures/70714d83a585

However, I believe your UDP encapsulation is broken, as you only have the 802.15.4 data in the UDP packet (beacon frame), while you need it in the format of ZEP (ZigBee Encapsulation Protocol), for Wireshark to be able to dissect it. See packet-zep.c

* ZEP Packets must be received in the following format:
* |UDP Header| ZEP Header |IEEE 802.15.4 Packet|
* | 8 bytes | 16/32 bytes | <= 127 bytes |

Apparently, the ZEP header is missing in your UDP packet.

I was able to create two correct UDP encapsulated 802.15.4 packets with a HEX editor. See here:

Beacon
http://cloudshark.org/captures/1e46dea88db0

Some sample from internet
http://cloudshark.org/captures/18efd3ef7114

SUMMARY: I believe the tool that did the UDP encapsulation did it wrong. It used the ZEP port, however it did not add the ZEP header (ZigBee Encapsulation Protocol) to the UDP packet. So, please check that tool.

To answer your question:

Does any know in what format I should send this packet so that wireshark can decode it easily.

Please use ZEP (ZigBee Encapsulation Protocol).

Regards
Kurt

answered 16 May '12, 09:15

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 16 May '12, 11:15

Hey I got it working.. We can send 802.15.4 packet in udp..

Kurt, you are right, we need to encapsulate 802.15.4 packet in ZEP to be detected by wireshark. check this capture to see 802.15.4/Zigbee/6LowPan packet received in wireshark http://cloudshark.org/captures/36822505d7ab

Anyway, I like cloud shark - How long this capture stay there.

I am using lwip to encapsulate 802.15.4 packet in udp..

For others, To analyze 802.15.4 in wireshark Just send Normal udp packet with a payload as [ZEPv2 Header(32 byte for data) + 802.15.4 packet] and send it to port 17754. Length in ZEP header must be set to length of 802.15.4 packet.

There is also other way to send 802.15.4 packet in Raw Ethernet frame without udp using magic packet header(0xa1b2c3d4) with DLT type of 195. not tried..many pipe lining example available for that..one is by akiba freaklabs as mentioned by kurt.

Regards, Mahesh Sutariya www.energycloud.co.in

(16 May '12, 21:51) maheshsutariya

I converted your answer to a comment (see FAQ of this site). It's easier for other to find the relevant information.

(17 May '12, 00:44) Kurt Knochner ♦

If you upload a capture anonymously, it will stay online until they delete it (possibly "forever"). However, I don't know their policy regarding deletion of public uploads.

(17 May '12, 00:55) Kurt Knochner ♦

1

I think that if the data is encapsulated in zep, then it is only decoded as zigbee. If you strip off the Ethernet->IP->UDP encapsulation and then set the encapsulation type to wpan it decodes cleanly. The sequence of editcap commands I used was:

editcap -r 802_15_4.pcap 802_14_4_1.pcap 5 9
editcap -T wpan C 42 802_15_4_1.pcap 802_15_4_2.pcap
editcap -C -8 802_5_4_2.pcap 802_15_4_3.pcap

The first line isolates the packets of interest, the second changes the encapsulation type an chops off the encapsulation bytes at the front of the packets and the third chops off the trailing encapsulation bytes. There might be a more efficient way to do this, but that's left as an exercise for the reader.

answered 16 May '12, 13:53

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

that's also possible.

Did you check the cloudshark samples? They were not decoded as zigbee, just as zigbee encapsulated. However, the rest looks O.K.

(16 May '12, 15:50) Kurt Knochner ♦

0

See the Wiki page on 802.15.4 here for more info.

answered 15 May '12, 07:21

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Hi Grahamb,

I came across that wiki page for 802.15.4 but does not much info on encapsulating protocol and about hardware side interface.

Regards, Mahesh

(15 May '12, 20:25) maheshsutariya

I don't think that Wireshark handles 802.15.4 encapsulated in udp. The dissector expects to see 802.15.4 as a top level protocol in the capture file.

(16 May '12, 05:26) grahamb ♦

also edited wiki 802.15.4 page for answer :)

(16 May '12, 22:25) maheshsutariya