Ask Your Question
0

Are there any chance for wireshark to determine 802.15.4 protocols incorrectly?

asked 2020-01-02 10:40:35 +0000

PktN00bie gravatar image

I recently got a device that claimed it's using Zigbee technology to transmit data and I was to do some testing on it. Problem is, when I tried sniffing the data transmitted, wireshark showed its protocol as LwMesh (LightWeight Mesh).

I did some research and apparently LwMesh also follow IEEE 802.15.4 for its PHY/MAC layer. Only that LwMesh lack some higher level features of Zigbee. Now we are having a debate about if this thing really should be treated as a Zigbee device. (Because the test items may differ.)

LwMesh and Zigbee are so similar to each other that we are afraid that it may be wireshark determining the protocol incorrectly.

Apart from the fact that this device does not get certified by Zigbee alliance, we need more evidence or proof to know if it really is using Zigbee or LwMesh as its network layer protocol.

I tried to look for a way to understand how wireshark tell apart protocols but to no avail. It seems like it's not by looking for some specific bytes or bits in a 802.15.4 frame. It will be really great if I can get more insight into how to determine packet protocol correctly.

This is the link to the pcap file we captured.
https://drive.google.com/open?id=1qKBxrdIVHSYbRr_cSd7QwFaEUNlEvZa4

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-01-02 15:49:24 +0000

grahamb gravatar image

It is possible, the lwmesh dissector uses a relatively weak heuristic when determining if 802.15.4 traffic is lwmesh.

Looking at your capture, the lwmesh dissector fails to dissect any of the traffic bar the frame control field, which is a single byte and will generally dissect anyway.

Unfortunately using "Decode As ..." to dissect the traffic as Zigbee doesn't improve matters. I also tried dissecting the traffic as 6LoWPAN and Zigbee Green Power without any improvement, so I'm not sure what type of traffic it is in your capture.

edit flag offensive delete link more

Comments

To add some details, this is the code which adds the LwMesh dissector heuristically to 802.15.4

It registers this heuristics function to determine if this is in fact LwMesh.

As Graham said, it's not very strong, so prone to false positives.

Jaap gravatar imageJaap ( 2020-01-02 17:41:57 +0000 )edit

Thanks for you guys' answer !
After I posted this question, we even get out hands on a PC with Ubiqua Packet Analyzer and did some capture & analysis on the traffic. It shows that at least till the NWK layer it is using Zigbee as its protocol, but with private Zigbee cluster.
Since the heuristic for lwmesh is weak, I guess it will be more proper to change my question into "Why didn't wireshark dissect these traffic as Zigbee"
Does this have anything to do with "the traffic bar the frame control field" graham is talking about?

PktN00bie gravatar imagePktN00bie ( 2020-01-03 16:14:01 +0000 )edit

My comment "the lwmesh dissector fails to dissect any of the traffic bar the frame control field" was meant to indicate that the traffic was mis-dissected as lwmesh due to the weak heuristic and could only dissect the first byte of data.

Wireshark won't automatically dissect traffic as ZigBee, you have to use "Decode As ...", again it uses heuristics to determine if the traffic is ZigBee. As I mentioned in my answer, I tried this for your capture and it didn't seem to dissect very well so might not have been ZigBee traffic, for example the "Sequence Number" in all the alleged ZigBee NWK layer packets is 0, this seems wrong.

How confident are you that the Ubiqua analyzer is correctly dissecting the traffic?

grahamb gravatar imagegrahamb ( 2020-01-03 17:27:45 +0000 )edit

@ grahamb
I had sniffed some traffic from Zigbee certified devices before and Wireshark did automatically dissect them as Zigbee traffic, so that's why I seemed like thinking Wireshark has the ability to automatically tell apart 802.15.4 protocols without user specifically choosing which protocol it should dissect as...

Ubiqua is recommended by Texas Instrument, stating that it is even better at analyzing 802.15.4 traffic then Wireshark does. So I guess the confidence level is high enough. ( Although I should admit that we are not really familiar with this tool. )

Thank you for providing the insight about "sequence number" being zero is wrong, it really provided a much clearer way for me to do further investigation and learning!

PktN00bie gravatar imagePktN00bie ( 2020-01-03 18:11:41 +0000 )edit

All the 802.15.4 subprotocols seem to use heuristics, and quite weak at that so it's a bit pot-luck as to what you get.

Can you dump the Ubiqua output in a text form for your capture so it can be compared with the Wireshark output and determine if the Wireshark dissector can be improved?

grahamb gravatar imagegrahamb ( 2020-01-03 19:03:41 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-01-02 10:40:35 +0000

Seen: 143 times

Last updated: Jan 02