zigbee zcl payload field Sample Start Time does not get decoded

asked 2025-04-17 11:49:02 +0000

marlon

updated 2025-04-18 07:36:07 +0000

grahamb

The payload field Sample Start Time for Zigbee pkt GetSampledData (ZCL metering cluster) is reported as Not representable, but actually the value is valid (seconds since year 2000, little endian).

Extract of incriminated pkt below:

Frame 7220: 126 bytes on wire (1008 bits), 126 bytes captured (1008 bits) on interface \\.\pipe\tiwspc_data, id 0
Internet Protocol Version 4, Src: 192.168.1.3, Dst: 192.168.1.3 
User Datagram Protocol, Src Port: 17754, Dst Port: 17754 
ZigBee Encapsulation Protocol, Channel: 13, Length: 66
IEEE 802.15.4 Data, Src: 0xd0d9, Dst: 0x0000
ZigBee Network Layer Data, Dst: 0xdd37, Src: 0xd0d9
ZigBee Application Support Layer Data, Dst Endpt: 1, Src Endpt: 1

    ZigBee Cluster Library Frame
    Frame Control Field: Cluster-specific (0x01)
    Sequence Number: 124
    Command: Get Sampled Data (0x08)
    Payload
        Sample ID: 0
        Sample Start Time: Not representable
        Sample Type: 0
        Number of Samples: 8

ZCL Frame --> 01 7c 08 00 00 08 27 92 2f 00 08 00

Would expect Sample Start Time to show -> 16/04/2025 08:30:00

How can I get the pkt decoded properly?

Wireshark Version 4.4.5 (v4.4.5-0-g47253bcf3773)


Comments

Can you provide a sample capture or at least a hex dump of the entire frame?

Chuckc ( 2025-04-17 22:11:43 +0000 )

I do not have enough points to upload a file.

Here is the full frame hex dump for a ZCL GetSampledData pkt:

0000   45 00 00 7e 00 00 00 00 80 11 b7 18 c0 a8 01 03
0010   c0 a8 01 03 45 5a 45 5a 00 6a 25 21 45 58 02 01
0020   0d 51 72 00 7f 00 00 00 00 00 00 00 00 00 00 09
0030   79 00 00 00 00 00 00 00 00 00 00 42 61 88 f1 db
0040   db 00 00 d9 d0 48 22 37 dd d9 d0 1e 30 28 59 a1
0050   02 00 37 90 78 56 34 12 db 00 00 02 f6 0b 00 dc
0060   d9 dd 1a 27 59 db b2 a7 8a 83 32 91 99 13 75 66
0070   ae c3 90 9c bb 35 ...
marlon ( 2025-04-18 08:09:03 +0000 )

.... ..1. .... .... = Security: True
Are you using a network key to decrypt?

Chuckc ( 2025-04-18 14:23:31 +0000 )

I would guess you are using Windows? I think that there was a bug introduced by https://gitlab.com/wireshark/wireshar... that is subtracting the Zigbee epoch offset where it should be added, which produces a negative seconds value. Some systems, like Windows, do not handle time_t with negative seconds (unlike systems with the GNU C library) that would indicate times before the Unix epoch when using functions like mktime.

I think you should file a bug at https://gitlab.com/wireshark/wireshar...

You will be able to upload your file there.

johnthacker ( 2025-04-19 10:52:00 +0000 )
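
The decoding discussed in this thread, as an added example that is not part of the original posts and is not Wireshark's code: it reads Sample Start Time from the ZCL frame bytes quoted in the question and converts it once with the Zigbee epoch offset added and once with it subtracted, the sign error suggested in the last comment. The field layout is assumed from the dissection shown in the question, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Seconds from the Unix epoch (1970-01-01) to the Zigbee epoch (2000-01-01), UTC. */
#define ZIGBEE_EPOCH_OFFSET 946684800LL
/* Layout assumed from the dissection in the question: 3-byte ZCL header, then
 * Sample ID (u16), Sample Start Time (u32), Sample Type (u8), Number of Samples (u16). */
#define START_TIME_OFF (3 + 2)

/* The ZCL frame bytes quoted in the question. */
static const uint8_t zcl_frame[] = { 0x01, 0x7c, 0x08, 0x00, 0x00, 0x08,
                                     0x27, 0x92, 0x2f, 0x00, 0x08, 0x00 };

/* Read the little-endian Sample Start Time; returns -1 if the frame is too short. */
int read_start_time(const uint8_t *f, size_t len, uint32_t *out)
{
    if (len < START_TIME_OFF + 4)
        return -1;
    const uint8_t *p = f + START_TIME_OFF;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 0;
}

/* Correct conversion: the offset is added. */
int64_t zigbee_to_unix(uint32_t z) { return (int64_t)z + ZIGBEE_EPOCH_OFFSET; }
/* Sign error suggested in the last comment: the offset is subtracted. */
int64_t zigbee_to_unix_subtracted(uint32_t z) { return (int64_t)z - ZIGBEE_EPOCH_OFFSET; }

/* Format as UTC; gmtime() may return NULL for negative values on some C runtimes. */
const char *format_utc(int64_t secs, char *buf, size_t n)
{
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);
    if (tm == NULL || strftime(buf, n, "%Y-%m-%d %H:%M:%S", tm) == 0)
        return "Not representable";
    return buf;
}

int main(void)
{
    uint32_t z;
    char buf[32];
    if (read_start_time(zcl_frame, sizeof zcl_frame, &z) != 0) return 1;
    printf("added:      %s\n", format_utc(zigbee_to_unix(z), buf, sizeof buf));
    printf("subtracted: %s\n", format_utc(zigbee_to_unix_subtracted(z), buf, sizeof buf));
    return 0;
}
```

With the offset added, the bytes `08 27 92 2f` decode to the UTC time the question expects; with it subtracted, the seconds value is negative, so the second line of output depends on how the platform's C runtime treats times before 1970.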