Hi, I want to analyze 802.15.4 packets using Wireshark. I am encapsulating the 802.15.4 packet into UDP and sending it to my PC. But somehow I am unable to decode the packet as 802.15.4. Does anyone know in what format I should send this packet so that Wireshark can decode it easily? Is there any significance of the ether type (809a) while sending in UDP? This is my setup: Wireshark <-ethernet-> My 802.15.4 hardware. Regards, Mahesh Sutariya

asked 15 May '12, 07:02 maheshsutariya
3 Answers:
O.K., there is 802.15.4 beacon data in the UDP packet (bytes: 030806ffffffff070507).
However, I believe your UDP encapsulation is broken, as you only have the 802.15.4 data in the UDP packet (beacon frame), while you need it in the format of ZEP (ZigBee Encapsulation Protocol) for Wireshark to be able to dissect it. See packet-zep.c
Apparently, the ZEP header is missing in your UDP packet. I was able to create two correct UDP encapsulated 802.15.4 packets with a HEX editor. See here: Beacon, Some sample from internet. SUMMARY: I believe the tool that did the UDP encapsulation did it wrong. It used the ZEP port, however it did not add the ZEP header (ZigBee Encapsulation Protocol) to the UDP packet. So, please check that tool. To answer your question:
Please use ZEP (ZigBee Encapsulation Protocol). Regards

answered 16 May '12, 09:15 Kurt Knochner ♦ edited 16 May '12, 11:15

Hey, I got it working.. We can send 802.15.4 packets in UDP.. Kurt, you are right, we need to encapsulate the 802.15.4 packet in ZEP to be detected by Wireshark. Check this capture to see 802.15.4/ZigBee/6LoWPAN packets received in Wireshark: http://cloudshark.org/captures/36822505d7ab Anyway, I like CloudShark - how long does this capture stay there? I am using lwIP to encapsulate the 802.15.4 packet in UDP.. For others, to analyze 802.15.4 in Wireshark: just send a normal UDP packet with a payload of [ZEPv2 Header (32 bytes for data) + 802.15.4 packet] to port 17754. The length in the ZEP header must be set to the length of the 802.15.4 packet. There is also another way to send 802.15.4 packets in a raw Ethernet frame without UDP, using the magic packet header (0xa1b2c3d4) with DLT type 195. Not tried.. many pipelining examples are available for that.. one is by akiba at freaklabs, as mentioned by Kurt. Regards, Mahesh Sutariya www.energycloud.co.in (16 May '12, 21:51) maheshsutariya

I converted your answer to a comment (see FAQ of this site). It's easier for others to find the relevant information. (17 May '12, 00:44) Kurt Knochner ♦

If you upload a capture anonymously, it will stay online until they delete it (possibly "forever"). However, I don't know their policy regarding deletion of public uploads. (17 May '12, 00:55) Kurt Knochner ♦
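As an added example (not code from this thread, nor Wireshark's own), here is a Python builder and parser for the [ZEPv2 header + 802.15.4 frame] UDP payload Mahesh describes above. The 32-byte field layout follows the ZEP v2 data header as dissected by Wireshark's packet-zep.c; the mode-byte encoding (0 = LQI mode, 1 = CRC mode) and the device/channel values are assumptions, and the sample frame bytes are the beacon-request bytes quoted in Kurt's answer.

```python
import socket
import struct
import time

# ZEP v2 data header (32 bytes): preamble "EX", version, type, channel, device id,
# CRC/LQI mode (assumed: 0 = LQI, 1 = CRC), LQI, NTP timestamp, sequence, reserved, length.
ZEP_PORT = 17754
ZEP_V2_HDR = struct.Struct(">2sBBBHBBQI10sB")
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)

# Constructed sample: the raw beacon-request bytes quoted in the answer above (FCS included)
BEACON_REQ = bytes.fromhex("030806ffffffff070507")


def ntp_timestamp(unix_time):
    """Convert a Unix time (float seconds) to the 64-bit NTP format the ZEP header carries."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def build_zep_v2(frame, channel=11, device_id=1, seq=1, crc_mode=True, lqi=255, unix_time=None):
    """Prepend a ZEP v2 data header to a raw 802.15.4 frame; returns the full UDP payload."""
    if not 0 < len(frame) < 256:
        raise ValueError("ZEP length field is one byte; frame must be 1..255 bytes")
    ts = time.time() if unix_time is None else unix_time
    header = ZEP_V2_HDR.pack(b"EX", 2, 1, channel, device_id, 1 if crc_mode else 0,
                             lqi, ntp_timestamp(ts), seq, b"\x00" * 10, len(frame))
    return header + frame


def parse_zep_v2(payload):
    """Split a UDP payload into (header dict, 802.15.4 frame); raise ValueError if not ZEP v2.
    A bare 802.15.4 frame (the asker's original encapsulation) fails here, as in Wireshark."""
    if len(payload) < ZEP_V2_HDR.size:
        raise ValueError("payload shorter than a 32-byte ZEP v2 header")
    preamble, version, ptype, channel, device_id, mode, lqi, ntp, seq, _, length = ZEP_V2_HDR.unpack_from(payload)
    if preamble != b"EX" or version != 2 or ptype != 1:
        raise ValueError("not a ZEP v2 data frame")
    frame = payload[ZEP_V2_HDR.size:ZEP_V2_HDR.size + length]
    if len(frame) != length:
        raise ValueError("ZEP length field exceeds the bytes present")
    return {"channel": channel, "device_id": device_id, "crc_mode": mode == 1, "lqi": lqi,
            "seq": seq, "unix_time": (ntp >> 32) - NTP_EPOCH_OFFSET}, frame


def send_to_wireshark(payload, host="127.0.0.1"):
    """Send one ZEP payload to the UDP port Wireshark's ZEP dissector uses by default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, ZEP_PORT))
```

Calling send_to_wireshark(build_zep_v2(BEACON_REQ)) while capturing on the loopback interface with the filter udp.port==17754 should show the packet dissected as ZEP with an IEEE 802.15.4 beacon request inside.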
I think that if the data is encapsulated in ZEP, then it is only decoded as ZigBee. If you strip off the Ethernet->IP->UDP encapsulation and then set the encapsulation type to wpan, it decodes cleanly. The sequence of editcap commands I used was:
The first line isolates the packets of interest, the second changes the encapsulation type and chops off the encapsulation bytes at the front of the packets, and the third chops off the trailing encapsulation bytes. There might be a more efficient way to do this, but that's left as an exercise for the reader.

answered 16 May '12, 13:53 grahamb ♦

That's also possible. Did you check the CloudShark samples? They were not decoded as ZigBee, just as ZigBee encapsulated. However, the rest looks O.K. (16 May '12, 15:50) Kurt Knochner ♦
See the Wiki page on 802.15.4 here for more info.

answered 15 May '12, 07:21 grahamb ♦

Hi Grahamb, I came across that wiki page for 802.15.4, but it does not have much info on the encapsulating protocol and about the hardware side interface. Regards, Mahesh (15 May '12, 20:25) maheshsutariya

I don't think that Wireshark handles 802.15.4 encapsulated in UDP. The dissector expects to see 802.15.4 as a top level protocol in the capture file. (16 May '12, 05:26) grahamb ♦

Also edited the wiki 802.15.4 page for the answer :) (16 May '12, 22:25) maheshsutariya
Hi,
BTW: Here is an interesting article about 802.15.4 sniffing using a pipe.
Regards
Kurt
Hi Kurt, I am using default Wireshark and all the protocols including 802.15.4, ZEP and 6LoWPAN are enabled. I can see the sent data in the UDP packets I receive in Wireshark, but they are not decoded.
I checked out that freaklabs article by akiba. I am not using any kind of piping; I am sending a UDP packet, just like a syslog message, from external Ethernet hardware to a normal Ethernet interface of my PC.
I am putting a pcap capture on CloudShark.. please check it. I am sending a beacon request to Wireshark, as provided in the pcap capture on the 802.15.4 wiki page, to port 17754.
Regards, Mahesh
This is the capture URL: http://cloudshark.org/captures/70714d83a585 Apply this filter: udp.port==17754