Troubleshooting ZigBee by sniffing traffic


Using the guide @chris has linked on his website. I’m using two HUSBZB-1 USB dongles, one that is associated as Z-wave (ttyUSB0) and ZigBee (ttyUSB1) coordinators and the other for sniffing (ttyUSB3).

I used the following command:

java -jar ZigBeeSniffer.jar -port /dev/ttyUSB3 -baud 57600 -flow software --ipaddr= --ipport=17754 --channel 15

I set the channel the same as what I see configured in OpenHAB for the Ember EM35x Coordinator. I also added the ZigBeeAlliance09 security key to the Wireshark preferences. I did not explicitly configure a key in OpenHAB2, so in the OH configuration it’s just showing: “00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00”.

I’m not familiar with the ZigBee protocol but I see some broadcast packets going out. Not much else while dimming a paired light bulb (Sengled). The data payload of the frames looks tiny, not sure if they are actually properly decoded?

Here is what I captured while trying to pair another light (Sengled). Looks rather barren!

Any ideas/advice? Not sure I’m doing this correctly…


Hi Peter,
Firstly, you need to set a key. If you don’t, the binding will set one for you, and then you won’t know what it is, and won’t be able to decode the traffic. There are some encrypted frames in this log.

Most of the current traffic in your log is just beacon requests. A device is requesting beacons, which normally means it’s wanting to join a network, or possibly rejoin. The coordinator is sending the beacons, and it has join enabled, but the device doesn’t actually attempt to join the network.

One question - why are you using channel 15? I don’t think it will change anything but you might want to try channel 11 which is the default for most devices, and if there are any compliance issues, then it might be better with channel 11 (although from what I see, I dont think it will help).


Thank you Chris - I don’t know how it ended up on channel 15 to be honest, I have set it to channel 11, set an explicit network key and reset the controller. I can now see the decrypted data :+1:

I reset factory reset two bulbs (switch on and off rapidly 10 times) and received the confirmation blinking. I then joined the first one again successfully (hope I captured all of that) and tried with the second one multiple times to no avail :frowning:

Here are the logs I’ve captured:

successful join:

unsuccessful join:

I don’t know if that’s an actual join (don’t know anything about the protocol!) but I see the device advertising it’s orphaned status and the coordinator responding with a realignment (to bring it back into the mesh?).
From what I can tell from the second trace, the bulb is just not trying at all to join?

Even the successful join log doesn’t look like a successful join, but I’d need to have the network key to be sure as most of the data is encrypted. If it’s a key you don’t want published, then you could email it to me. It may be that the join occured before the log as this log has a lot of other traffic in it - but I can’t tell what it is as it’s all encrypted.

I’ve also ordered a Sengled bulb for testing.

Oh interesting, I thought the traffic would be saved as decrypted by Wireshark. I’ve emailed you my key.

I can’t get the colourization rules to work, it’s all just coloured as UDP traffic as that’s what the data is encapsulated in … I can’t do a follow UDP stream either, is there a trick to it?

Just trying to do some zigbee sniffing here as well.
The setup is as follow:
Zigbee stick for sniffing is connected to my Rpi, and it seems to run just fine…
I´ve setup the Zigsniffer to send to remote IP of my laptop, from where I run Wireshark.
This is the commandline for ZigbeeSniffer

java -jar ZigBeeSniffer.jar -port /dev/ttyUSB-MeshConn -baud 115200 -flow hardware -a -r 17754


[23:01:14] openhabian@openHABianPi:~$ java -jar ZigBeeSniffer.jar -port /dev/ttyUSB-MeshConn -baud 115200 -flow hardware -a -r 17754
Z-Smart Systems Ember Packet Sniffer
Opened serial port /dev/ttyUSB-MeshConn at 115200
log4j:WARN No appenders could be found for logger (com.zsmartsystems.zigbee.serial.ZigBeeSerialPort).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See for more info.
Ember NCP version     :
Ember NCP EUI         : 0022A3000010D193
Wireshark destination : /
Logging on channel    : 11
WiresharkZepFrame [sequence=00000000, lqi=255, data={63 88 02 44 F9 00 00 76 15 04 79 8F}]
WiresharkZepFrame [sequence=00000001, lqi=255, data={02 00 02 AA 96}]
WiresharkZepFrame [sequence=00000002, lqi=255, data={63 88 03 44 F9 00 00 76 15 04 C6 0E}]
WiresharkZepFrame [sequence=00000003, lqi=255, data={02 00 03 23 87}]
WiresharkZepFrame [sequence=00000004, lqi=243, data={41 88 CF 44 F9 FF FF 9B A1 09 12 FC FF 9B A1 01 19 70 53 A0 00 AA 3E B0 7C 28 35 21 07 00 70 53 A0 00 AA 3E B0 7C 00 85 38 D7 F0 1A EC 07 45 1E 15 CC}]
WiresharkZepFrame [sequence=00000005, lqi=255, data={41 88 31 90 AF FF FF 00 00 09 12 FC FF 00 00 01 2C D0 8F 21 02 00 8D 15 00 28 4D 05 12 00 D0 8F 21 02 00 8D 15 00 01 C1 74 B8 BF 31 CF 4A 74}]
WiresharkZepFrame [sequence=00000006, lqi=255, data={41 88 35 44 F9 FF FF 00 00 09 12 FC FF 00 00 01 2C 16 C3 A0 0F 00 6F 0D 00 28 AC 2F 0A 00 16 C3 A0 0F 00 6F 0D 00 00 B5 00 8D AF A6 91 F2 75 69 7F A9}]
WiresharkZepFrame [sequence=00000007, lqi=255, data={63 88 04 44 F9 00 00 76 15 04 C8 92}]
WiresharkZepFrame [sequence=00000008, lqi=255, data={02 00 04 9C F3}]

Problem is, remote IP ( , which is my laptop running Windows 10, does not receive anything on UDP port 17754. And I have no idea why. There is no firewall blocking on my latop cause I created a rule allowing UDP on port 17754. Could it be the Rpi blocking?

Hmm think I got it now… At least something about Zigbee is coming from my Rpi… Guess I just need the key now.

Are you sure your sniffer USB dongle (not the actual ZigBee coordinator your things are connecting to) supports 115k baud + hardware flow control? The other thing I had to confirm was the actual channel number, it was set to 15 in the ZigBee binding for some reason, I explicitly changed it to 11 and recreated my network.

Its a MeshConnect ZM357S-USB-LR. Its 11500 baud… I´m unsure of the flow control, but I believe it has been programmed to using hardware. However, wireshark do receive zigbee messages from the Rpi now. So I guess the hardware flow control is fine…
Next step in to get that damn zigbee network key setup. I have all zeros in my coordinator setup (my openhab coordinator). So I guess I need define a key myself… I just wonder what will happen when I do… I guess I wil have to start all over with my devices, right?

I believe so - I had to after setting the key explicitly

Hi Peter.
When you were setting the key, did you just write 16 random hex values ?

hi @Kim_Andersen - yes indeed, if you are on linux you can use the following command to randomly generate a key for you, eg:

[root@nexus ~]# cat /dev/urandom | tr -dc ‘0-9A-F’ | fold -w 32 | head -n 1 | sed -e ‘s/(…)/\1 /g’ -e ‘s/, $//’
99 D1 8A 4B 2A E3 B9 15 39 1C 7C 7A C5 25 95 CD

Hmm couldnt get it to work on my Rpi… I dont know much Linux :tired_face:

what problem/error did you encounter? otherwise you can just make up 16 random hex bytes :slight_smile:

[21:48:59] openhabian@openHABianPi:~$ cat /dev/urandom | tr -dc ‘0-9A-F’ | fold -w 32 | head -n 1 | sed -e ‘s/(…)/\1 /g’ -e ‘s/, $//’
-bash: syntax error near unexpected token `('

ah ok - I’m not familiar with openhabian but I’m guessing it’s using busybox with has a slimmed down version of sed. you can also try this:

[root@nexus ~]# cat /dev/urandom | tr -dc ‘0-9A-F’ | fold -w 32 | head -n 1

won’t have the nice spaces but still works

I dont think it works on openhabian… Get a very strange result.
If I paste everything to one command line, I get this error:

[00:47:25] openhabian@openHABianPi:~$ cat /dev/urandom | tr -dc ‘0-9A-F’ | fold -w 32 | head -n 1 8F2F98F796F15F17F1B949036F38F1C6
head: cannot open ‘8F2F98F796F15F17F1B949036F38F1C6’ for reading: No such file or directory
[00:48:07] openhabian@openHABianPi:~$

If I paste two lines, I end up with this:

[00:40:39] openhabian@openHABianPi:~$ cat /dev/urandom | tr -dc ‘0-9A-F’ | fold -w 32 | head -n 1
[00:41:52] openhabian@openHABianPi:~$ 8F2F98F796F15F17F1B949036F38F1C6
-bash: 8F2F98F796F15F17F1B949036F38F1C6: command not found

ah I’ve included the output, you shouldn’t include that … just this

cat /dev/urandom | tr -dc ‘0-9A-F’ | fold -w 32 | head -n 1

It returns a pretty strange key…Almost looks like some of the numbers/caracters are bloomed out.

[00:49:17] openhabian@openHABianPi:~$ cat /dev/urandom | tr -dc ‘0-9A-F’ | fold -w 32 | head -n 1
[01:01:47] openhabian@openHABianPi:~$

ugh :frowning: ok, how about :slight_smile:

1 Like