How to insert network key when use tshark in command line

asked 2019-01-22 09:03:35 +0000

wireless_guy

Hi All,

I'm using Wireshark to capture packets. Now I want to achieve the functions below: 1) Wireshark and tshark are installed on a Linux machine. This Linux machine has no screen. 2) I want to use the tshark command to convert a captured ZigBee network .pcap file to a JSON file.

The above function was already realized on my side using the command tshark -r input.pcap -T json > output.json.

But I ran into a problem with the security encryption of ZigBee packets, so the content in the .json was still encrypted.

I want to know how to easily insert the network key or link key of the ZigBee network in tshark.

Thanks a lot.


1 Answer


answered 2019-01-22 15:34:12 +0000

cmaynard

The ZigBee dissector expects the keys to be stored in a file called zigbee_pc_keys which should be located in your Wireshark personal preferences directory. If that file doesn't exist, then you'll have to create one.

The content and format of the file isn't documented (as far as I can tell) because it's expected that one would create it through Wireshark. If you can create it first through Wireshark, then that's probably the best and easiest way to do it; if not, you can try to create one on your own. I've never worked with ZigBee packets, but I created a sample file illustrating a few formats:

# This file is automatically generated, DO NOT MODIFY.
"\x221234567890123456\x22","Normal","Foo"
"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff","Reverse","Bar"

The first column is the Key, specified as either 16 hexadecimal bytes or a 16 character double-quoted string, the second column is the Byte Order, specified as either "Normal" or "Reverse", and the third column is the Label.

Lastly, if you don't know the location of your personal configuration directory, you can either run tshark -G folders to find it, or the Wireshark man page provides some help under the FILES section:

The personal preferences file is looked for in $XDG_CONFIG_HOME/wireshark/preferences (or, if $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is present, $HOME/.wireshark/preferences) on UNIX-compatible systems and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't defined, %USERPROFILE%\Application Data\Wireshark\preferences) on Windows systems.

Comments

Hi, thanks for your reply. On my Linux machine, I didn't find the preferences folder. I just found there is a folder named profile in root/.config/wireshark, so I followed the Windows layout and added a zigbee_pc_keys file to the root/.config/wireshark folder, and it works.

The output JSON file was decrypted by the input key.

Btw, can I select fields from the packet to generate the JSON file, since the whole packet Wireshark captured includes a lot of info that is unused for me? Can I achieve this in tshark?

Thanks.

wireless_guy (2019-01-23 03:36:32 +0000)

(Since you presumably accepted my answer, I've moved your reply as a comment instead of a 2nd answer.)

To answer your new question, "Can I achieve this in tshark?", the answer is yes. You should be able to apply a display (or alternatively a read) filter so that only the packets of interest are read or displayed/processed. Refer to the tshark man page for more information on the -Y and -R options. Usually I just use the -Y option.

cmaynard (2019-01-23 04:07:40 +0000)

Thanks a lot. Let me try it.

wireless_guy (2019-01-23 10:15:41 +0000)

It might be possible to set it with the -o flag, but we don't have very good documentation on setting preferences in general, much less "UAT" preferences such as the Zigbee keys. I've filed bug 15441 on that.

Guy Harris (2019-01-24 05:39:50 +0000)

Indeed, the following should work:

Windows:

tshark -o "uat:zigbee_pc_keys:\"\x221234567890123456\x22\",\"Normal\",\"Foo\"" -r input.pcap -T json > output.json

*nix:

tshark -o 'uat:zigbee_pc_keys:"\x221234567890123456\x22","Normal","Foo"' -r input.pcap -T json > output.json

The zigbee_pc_keys file isn't documented, but the user guide does provide an example for specifying a UAT option, if you know where to look. See section 11.2. Start Wireshark from the command line.

cmaynard (2019-01-24 19:16:23 +0000)
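The record format described in the answer (quoted 16-byte hex key or \x22-escaped 16-character string, byte order, label) and the -o uat: form from the last comment, as an added Python helper that is not part of the thread or of Wireshark: it validates a key, emits the zigbee_pc_keys record, writes the file into a personal configuration directory you pass in (find yours with tshark -G folders), and builds a tshark argv so that no shell quoting is needed. The display filter name zbee_nwk and the label text are assumptions for illustration.

```python
import re
from pathlib import Path
from typing import List, Optional

# 16 colon-separated hex bytes, e.g. 00:11:22:...:ff (the page's second sample row).
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){15}$")
HEADER = "# This file is automatically generated, DO NOT MODIFY."


def zigbee_key_record(key: str, byte_order: str = "Normal", label: str = "key") -> str:
    """Return one zigbee_pc_keys row: "<key>","<Normal|Reverse>","<label>".

    A hex key is written as-is; a 16-character ASCII string key is wrapped in
    \x22 escapes, matching the Wireshark-generated sample in the answer above.
    """
    if byte_order not in ("Normal", "Reverse"):
        raise ValueError("byte order must be Normal or Reverse")
    if HEX_KEY_RE.match(key):
        key_field = key.lower()
    elif len(key) == 16 and key.isascii() and key.isprintable() and '"' not in key:
        key_field = "\\x22" + key + "\\x22"
    else:
        raise ValueError("key must be 16 hex bytes aa:bb:...:pp or a 16 character string")
    return '"{}","{}","{}"'.format(key_field, byte_order, label)


def write_zigbee_pc_keys(config_dir: Path, records: List[str]) -> Path:
    """Write the UAT file where the dissector looks for it (personal config dir)."""
    path = config_dir / "zigbee_pc_keys"
    path.write_text(HEADER + "\n" + "\n".join(records) + "\n")
    return path


def tshark_json_argv(pcap: str, record: str, display_filter: Optional[str] = None) -> List[str]:
    """Build the argv for the -o uat: form; caller redirects stdout to the JSON file.

    Passing a list to subprocess.run avoids the Windows/*nix quoting differences
    shown in the comments, because the shell never sees the record.
    """
    argv = ["tshark", "-o", "uat:zigbee_pc_keys:" + record, "-r", pcap, "-T", "json"]
    if display_filter:
        argv += ["-Y", display_filter]  # keep only packets matching the display filter
    return argv


if __name__ == "__main__":
    rec = zigbee_key_record("1234567890123456", "Normal", "Foo")  # constructed sample key
    print(rec)
    print(" ".join(tshark_json_argv("input.pcap", rec, "zbee_nwk")))
```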


Asked: 2019-01-22 09:03:35 +0000

Seen: 1,359 times

Last updated: Jan 23 '19