Open Sniffer Installation

Feature-rich Analyzer For Zigbee / 6lowpan / 802.15.4 Networks And Iot Devices

1) Hook up components to the Open Sniffer probe

Connect antennas, ethernet cable and finally power cable to Open Sniffer. Plug in other side of ethernet cable and power cable to your host PC.

Note: Newly, the open sniffer device is delivered with two identical antennas with good multiband performance. Here you can find datasheet.

Open_Sniffer_III

2) Setting TCP/IP at the host side

In this section we are going to adjust TCP/IP settings at PC host in order to be able to communicate with the Open Sniffer probe. Host’s IP address must be within the same network scope as the Open Sniffer probe.

Parameter Value
DHCP OFF
Filter 802.15.4 frames with bad CRC OFF
IP address 10.10.10.2
Network mask 255.255.255.0
Gateway address 10.10.10.1
Remote Host IP address 10.10.10.1
Remote Host port 17754
Radio Channel 15
Modulation O-QPSK (250kbit/s)
Receiver sensitivity HIGH

Set host IP to 10.10.10.1 and network mask to 255.255.255.0. In Windows this can be done via “Network and Sharing Center”. Press CTRL+R and type “ncpa.cpl” Enter. Then you need to select network interface, where you have attached the sniffer and set IP and network address.

network_settings_windows

3) Connect to the Open Sniffer probe homepage

Please open an internet browser and point it to probe address http://10.10.10.2 . Homepage should appear.
OpenSniffer_homepage
Open Sniffer acts as a probe which capturing 802.15.4 frames and send them to remote host computer. The frames are displayed, filtered and analyzed in Wireshark software.

1) Wireshark installation

Download, install and run Wireshark, branch 1.12.x is recommended.  Please select appropriate version for your operating system and architecture.

2) Start Wireshark capture

Select the Ethernet interface (linked to Open Sniffer) from the available newtwork interfaces and start capturing frames.

wireshark_startcapture

Wireshark implicitly shows all frames from wired and wireless networks delivered to the selected interface. Therefore, it is useful to apply 802.15.4 filter which is referred as “wpan”.

wireshark_wpan

3) Start Open Sniffer

Now the host side is ready and you need to start the Open Sniffer probe via web interface. Point your browser to sniffer IP address (10.10.10.2) and press RUN. How to change sniffer’s channel or other params can be found here.

opensniffer_start

4) Let’s sniff some communication

In following example two Zigbee nodes are used to generate some traffic. The Zigbee coordinator with NWK address 0x0000 and Zigbee router with NWK address 0x0001. You may generate your own traffic or download our captured data zigbee_demo (pcapng).

sniffer_iris_capture

In the part two you have ended with some data captured and delivered to Wirehark. You may download the sample file zigbee_demo. This is basically joining process of device 0x0001 to the Zigbee network.

Let’s explain Wireshark settings in more detail.

1) Wireshark columns

Wireshark has default columns settings for wired Ethernet network, see picture below.

wireshark_opensniffer_implicit

Columns are defined for the default Wireshark profile as follows:

Column name Description
No. Frame number counted from the start of capture in Wireshark. This is NOT number of packet received from Open Sniffer probe. It includes all packets delivered to the host’s ethernet interface
Time Ethernet timestamp of the frame assigned by the operating system. This is NOT precise timestamp from Open Sniffer probe.
Source Source Address
Destination Destination Address
Protocol Protocol
Length Length of entire Ethernet frame including transportation overhead. This is NOT length of 802.15.4 frame
Info Protocol details

From the table above it is obvious the default column settings are not associated with 802.15.4.  Therefore you can adjusted them to the 802.15.4 frame info. Let’s refresh the encapsulation scheme for each 802.15.4 frame delivered to the host (see picture below). While the grey colored protocols are used only to transport the 802.15.4 frame through a network infrastructure, the ZEP – Zigbee Encapsulated Protocol carries all the important information such as sequence number, timestamp or channel number  related to the every 802.15.4 captured by the Open Sniffer probe.

sniffer_encapuslation

2) Install ZEPv3 plugin

Although, Wireshark natively contains ZEP protocol v2, we provide ZEPv3 which is backwards compatible and brings additional information related to 802.15.4 band, channel page and precise timestamp information.

  1. Download ZEPv3 plugin from download page.
  2. Extract and copy plugin to the Wireshark plugin folder.
    Windows c:\Program Files\Wireshark\plugins\1.x.x\,
    Linux /usr/local/lib/wireshark/plugins/1.x.x/.
  3. Start Wireshark. menu Analyze -> Enabled Protocols (CTRL+SHIFT+E)
  4. Uncheck ZEP, check ZEPv3
  5. Apply, OK.
  6. h) If the new dissector is not applied go to menu Analyze -> Decode as -> ZEPv3 -> Apply, OK.

ZEPv3 contains fields illustrated in picture below:

zepv3_fields

3) Adjusting Wireshark columns to 802.15.4 frame

Note: The procedure below describes how to adapt Wireshark columns to 802.15.4 frames. You may skip it if you use our Wireshark 802.15.4 profile. Just download the profile, unpack and copy it to the \wireshark\profiles. Finally you need to activate this profile by click on the bottom Wireshark bar “Profile” -> “802.15.4”

Adjusting columns procedure:

  1. Right click on the columns header
  2. Select Column Preferences
  3. Adjust columns to 802.15.4

wireshark_adjust_columns

wireshark_154columns

Adjusted Wireshark columns should seems like this:

802154_wireshark_final

Using our 802.15.4 profile with predefined color rules:

wireshark_154profile

Further reading

Wireshark is an extensive and powerful tool. We advise you to read its documentation page. It contains not only Wireshark itself but also several command line tools such editcap, mergecap, tshark, dumpcap etc. which might be useful where non trivial task are needed.