can't get ZCL cluster id with LUA dissector

asked 2020-06-23 10:38:58 +0000

cekong123@163.com gravatar image

updated 2020-06-23 12:56:25 +0000

grahamb gravatar image

I have specific data in the payload of a ZCL message, for which I want the (decoded) data to be shown in the packet detail pane.

My dissector as follow:

-- create a new dissector
local NAME = "LM_FCC0"
local CID = 0xFCC0
local LM_FCC0 = Proto(NAME, "lm 0xFCC0 Protocol")

-- dissect packet
function LM_FCC0.dissector (tvb, pinfo, tree)
  pinfo.cols.protocol = LM_FCC0.name
  pinfo.cols.info:prepend_text(" LM Info")enter code here

  local subtree = tree:add(LM_FCC0, tvb())
  length = tvb:len()
  subtree:append_text(", length:" .. length)
end

DissectorTable.get("zbee.zcl.cluster"):add(CID, LM_FCC0)

when I loaded the dissector, I can find it in the View -> Internals -> Dissector Tables, but the dissector isn't work.

Somebody please guide me what is my mistake?

//modify+++++++++++++++++

the attachment is my sniffer log. you can find the 0xFCC0 in the 642 line

I can't upload the attachment. I put the attachment on GitHub. The depositary address is as follows: https://github.com/Huihh/problem

edit retag flag offensive close merge delete

Comments

Are you sure the CID value is correct for your traffic? Can you share a sample capture?

grahamb gravatar imagegrahamb ( 2020-06-23 11:00:06 +0000 )edit

The ZigBee traffic is encrypted so without the keying info there's not much to look at.

grahamb gravatar imagegrahamb ( 2020-06-23 13:07:19 +0000 )edit

sorry,nwkKey is : 56:E3:CC:61:B2:8F:88:ED:CE:FB:04:39:AA:27:40:45

cekong123@163.com gravatar image[email protected] ( 2020-06-23 14:44:45 +0000 )edit

sorry, the capture is converted by uibiqua,The data is encrypted on another computer in here.

I will capture it tomorrow using wireshark.

Thank you for you reply.

cekong123@163.com gravatar image[email protected] ( 2020-06-23 15:04:15 +0000 )edit

Hi grahamb,

This problem may not be caused by encryption. I used wireshark to re-capture a new sample capture, it isn't work.

the files(packetNum232_0xFCC0_20200624.pcapng and packetNum232_0xFCC0_PacketInfo.pdf) has been updated to github.

If you are free, can you help me to check it?

thx

cekong123@163.com gravatar image[email protected] ( 2020-06-24 06:15:09 +0000 )edit

Your key worked so I can see the decrypted traffic. As I'm unfamiliar with Zigbee I'm having to work may way through the code.

I'm uncertain about the CID value being used to register in the zbee.zcl.cluster table. This is a 16 bit unsigned integer and, according to the MACRO used in the zcl dissector, is formed from the cluster id and the manufacturer code:

#define ZCL_CLUSTER_MFR_KEY(cluster_id,mfr_code)    (((mfr_code)<<16) | (cluster_id))

I can't find where the two values (mfr_code and cluster_id) come from. Another concern is that the macro shifts the mfr_code 16 bits to the left, but the table index is only 16 bits.

grahamb gravatar imagegrahamb ( 2020-06-24 08:12:39 +0000 )edit

In the zigbee specification: If it is a standard cluster, the manufacturer code field does not appear in the data frame. If it is a manufacturer-defined cluster, the manufacturer code field will appear in the data frame.

Among them, the type of manufacturer code and CID are Uint16, and the manufacturer code and CID can specify a unique data service channel

Currently I am modifying the value of CID in the LUA dissector to 0x0000 (Basic Cluster Id of zigbee), the new dissector still does not work (Basic Cluster data on line 211 in the new sample capture still cannot be re-parsed)

cekong123@163.com gravatar image[email protected] ( 2020-06-24 11:19:47 +0000 )edit
see more comments