I want to analyze 802.15.4 packets using Wireshark. I am encapsulating the 802.15.4 packet into UDP and sending it to my PC. But anyhow I am unable to decode the packet as 802.15.4.
Does anyone know in what format I should send this packet so that Wireshark can decode it easily? Is there any significance of the EtherType (809a) while sending in UDP? This is my setup: Wireshark <-ethernet-> my 802.15.4 hardware.
Regards, Mahesh Sutariya
asked 15 May '12, 07:02
O.K. there is 802.15.4 beacon data in the UDP packet (bytes: 030806ffffffff070507).
However, I believe your UDP encapsulation is broken, as you only have the 802.15.4 data in the UDP packet (beacon frame), while you need it in the format of ZEP (ZigBee Encapsulation Protocol), for Wireshark to be able to dissect it. See packet-zep.c
Apparently, the ZEP header is missing in your UDP packet.
I was able to create two correct UDP encapsulated 802.15.4 packets with a HEX editor. See here:
Some sample from internet
SUMMARY: I believe the tool that did the UDP encapsulation did it wrong. It used the ZEP port, however it did not add the ZEP header (ZigBee Encapsulation Protocol) to the UDP packet. So, please check that tool.
To answer your question:
Please use ZEP (ZigBee Encapsulation Protocol).
answered 16 May '12, 09:15
Kurt Knochner ♦
edited 16 May '12, 11:15
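The ZEP wrapping described in the answer above, as an added example that is not part of the original post or of Wireshark's code: it prepends a 32-byte ZEP v2 data header to a raw 802.15.4 frame, and the parser shows why the bare bytes quoted in the answer are rejected. The field layout follows the header comment in packet-zep.c as I read it; port 17754 is the ZEP default, and the channel, device ID and capture host are assumptions.

```python
import socket
import struct
import time

ZEP_PORT = 17754                 # default UDP port of Wireshark's ZEP dissector
ZEP_PREAMBLE = b"EX"
NTP_EPOCH_OFFSET = 2208988800    # seconds between 1900-01-01 and 1970-01-01
# ZEP v2 data header (32 bytes): preamble, version, type, channel, device ID,
# CRC/LQI mode, LQI, NTP timestamp, sequence number, 10 reserved bytes, length
ZEP_V2_DATA = struct.Struct("!2sBBBHBBQI10xB")

def build_zep_v2(frame, channel, seq, device_id=1, crc_mode=1, lqi=0, unix_time=None):
    """Wrap one raw 802.15.4 frame (FCS included) in a ZEP v2 data header."""
    if not 1 <= len(frame) <= 127:
        raise ValueError("802.15.4 frame must be 1..127 bytes")
    now = time.time() if unix_time is None else unix_time
    ntp = (int(now) + NTP_EPOCH_OFFSET) << 32 | int((now % 1) * 2**32)
    # version 2, type 1 (data); crc_mode 1 means the last two bytes are the FCS
    header = ZEP_V2_DATA.pack(ZEP_PREAMBLE, 2, 1, channel, device_id,
                              crc_mode, lqi, ntp, seq, len(frame))
    return header + frame

def parse_zep_v2(payload):
    """Return (fields, frame) for a ZEP v2 data packet, or None if it is not one."""
    if len(payload) < ZEP_V2_DATA.size or payload[:2] != ZEP_PREAMBLE:
        return None
    _, version, ptype, channel, device_id, crc_mode, lqi, _ntp, seq, length = \
        ZEP_V2_DATA.unpack_from(payload)
    frame = payload[ZEP_V2_DATA.size:]
    if version != 2 or ptype != 1 or length != len(frame):
        return None
    return {"channel": channel, "device_id": device_id, "crc_mode": crc_mode,
            "lqi": lqi, "seq": seq}, frame

def send_zep(frame, host, channel=11, seq=0):
    """Send one encapsulated frame to the capture host (host is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(build_zep_v2(frame, channel, seq), (host, ZEP_PORT))

# The bare 802.15.4 bytes quoted in the answer, as sent without a ZEP header
RAW_FRAME = bytes.fromhex("030806ffffffff070507")

if __name__ == "__main__":
    print("bare payload parses as ZEP:", parse_zep_v2(RAW_FRAME) is not None)
    print("wrapped:", build_zep_v2(RAW_FRAME, channel=11, seq=1, unix_time=0).hex())
```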
I think that if the data is encapsulated in zep, then it is only decoded as zigbee. If you strip off the Ethernet->IP->UDP encapsulation and then set the encapsulation type to wpan it decodes cleanly. The sequence of editcap commands I used was:
The first line isolates the packets of interest, the second changes the encapsulation type and chops off the encapsulation bytes at the front of the packets, and the third chops off the trailing encapsulation bytes. There might be a more efficient way to do this, but that's left as an exercise for the reader.
answered 16 May '12, 13:53
See the Wiki page on 802.15.4 here for more info.
answered 15 May '12, 07:21