Wireshark mailing list archives
Re: Help with Zigbee decryption
From: Joe Desbonnet <joe () galway net>
Date: Wed, 9 Mar 2011 23:38:51 +0000
To answer my own question. I succeeded in decrypting ZigBee HA (Home Automation) profile packets a while back, but thought it worth mentioning here in case anyone else has the same problem.

I upgraded to version 1.4.3 of Wireshark. Then set the following:

Edit -> Preferences... -> Protocols -> ZigBee NWK

Security Level: AES-128 Encryption, 32-bit Integrity Protection
Network Key: 39:30:65:63:6E:61:69:6C:6C:41:65:65:42:67:69:5A

(that's the ASCII values of ZigBeeAlliance09 *in reverse*)

BTW: if anyone has the ZENA 802.15.4 / ZigBee network analyzer from Microchip Technologies, I've written a short Linux C utility that streams the packets from the device in PCAP format and can be piped into Wireshark.

Details here: http://code.google.com/p/microchip-zena/

Joe.

On Fri, Jan 14, 2011 at 12:38 AM, Joe Desbonnet <joe () galway net> wrote:
I'm attempting to sniff and decrypt packets in home automation equipment which is supposed to be set up with encryption key "ZigBeeAlliance09". I've entered ZigBeeAlliance09 as a string in the "Network Key" field in Edit -> Preferences -> Protocols -> Zigbee NWK; however, the UI does not seem to be acting on it.

In the packet view under Zigbee Security Header I have a collapsible node:

[Expert Info (Warn/Undecoded): Encrypted Payload]
[Message: Encrypted Payload]
[Severity level: warn]
[Group: Undecoded]

Then the Data node just lists the data from the packet verbatim (no decryption). What must I do to decrypt this payload? I've tried other random strings for the key and it makes no difference. It doesn't seem to be trying to decrypt.

To reproduce my problem see the pcap capture file here: http://www.mail-archive.com/wireshark-bugs () wireshark org/msg24773.html (file bug5331_test.pcap). The text of the bug implies it uses the same key (ZigBeeAlliance09). Look at the first packet. The payload is two bytes 0xb9 0x06 (encrypted). I cannot find any way to view the decrypted packet.

I'm using the standard Ubuntu package (version 1.2.7) and I also tried the latest version 1.4.3.

Any pointers or suggestions would be greatly appreciated.

Thanks in advance,
Joe.
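Added example, not part of the original message or of Wireshark: a small Python helper that takes a ZigBee key either as a 16-character string or as hex bytes and produces colon-separated hex in both byte orders, so that either form can be tried in the Network Key preference described above. It also reports whether a key equals the string named in the post, in either byte order. All function names are hypothetical.

```python
# Added example; function names are hypothetical, not Wireshark's.
import re

POSTED_KEY = b"ZigBeeAlliance09"  # key string named in the post


def parse_key(text):
    """Accept a 16-character ASCII key or 16 hex bytes (':', '-' or space separated)."""
    text = text.strip()
    if len(text) == 16:
        # Treated as the literal key string; non-ASCII input raises ValueError.
        return text.encode("ascii")
    hexdigits = re.sub(r"[:\-\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", hexdigits):
        raise ValueError("expected 16 ASCII characters or 16 hex bytes")
    return bytes.fromhex(hexdigits)


def colon_hex(key):
    """Format key bytes as upper-case colon-separated hex."""
    return ":".join(f"{b:02X}" for b in key)


def preference_candidates(text):
    """Return the key in both byte orders as colon-separated hex strings."""
    key = parse_key(text)
    return {"as_written": colon_hex(key), "reversed": colon_hex(key[::-1])}


def matches_posted_key(text):
    """True if the key equals the posted key string in either byte order."""
    key = parse_key(text)
    return key in (POSTED_KEY, POSTED_KEY[::-1])


if __name__ == "__main__":
    for name, value in preference_candidates("ZigBeeAlliance09").items():
        print(f"{name:>10}: {value}")
```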