
Lab 6: ZigBee Mesh Capture and Decode


Chapter: 6 (Week 7)
Duration: 3 hr
Substrate: nRF52840 dongle (802.15.4 mode) or CC2531 + Wireshark; virtual path: lab6-zigbee-mesh.pcapng
Points: 8


Overview

Capture and decode 802.15.4/ZigBee traffic from a sandboxed mesh network. Identify coordinator, router, and end-device roles. Attempt to decrypt NWK-layer frames using the known transport key.


Part 1: Hardware Setup and Capture (45 min)

Physical path

Flash the nRF52840 dongle with the Nordic nRF Sniffer for 802.15.4 firmware (a different image from the BLE sniffer; see SETUP.md). Configure Wireshark for 802.15.4 capture on channel 11 (2.405 GHz, the lowest 2.4 GHz channel and a common coordinator default). The lab network may sit on any of channels 11-26, so confirm the channel with the instructor before you start the clock: a sniffer on the wrong channel shows nothing at all rather than an obvious error.

# Wireshark with nRF52840 extcap for 802.15.4
# Select the "nRF Sniffer for 802.15.4" interface in Wireshark capture options
# Set channel: 11 (2.405 GHz) or whichever the instructor's ZigBee network uses
# (no frames after a minute usually means the wrong channel, not a dead dongle)

# Alternative: CC2531 with whsniff, piping frames straight into Wireshark
whsniff -c 11 | wireshark -k -i -

Capture 5 minutes of traffic from the instructor-provided ZigBee lab setup (ZigBee coordinator + 2-3 routers/end devices). The network key is only ever sent over the air when a device joins or rejoins, so ask the instructor to power-cycle or re-pair one device inside your capture window; a steady-state capture will let you finish Part 2 but not Part 3.

Virtual path

Open lab6-zigbee-mesh.pcapng in Wireshark. This capture contains 802.15.4 + ZigBee NWK traffic from a three-device mesh.


Part 2: MAC Layer Analysis (45 min)

Apply display filter wpan to show all 802.15.4 frames. wpan is Wireshark's filter name for IEEE 802.15.4 (the fields are wpan.frame_type, wpan.src16, wpan.src64 and so on); there is no ieee802154 display filter.

Question set:

  1. What is the PAN ID of the captured network? Beacons carry only a Source PAN ID (IEEE 802.15.4 header → Source PAN); data frames normally set PAN ID Compression and carry only a Destination PAN ID. The two should agree.

  2. List all unique source addresses observed. For each, determine if it is a:

    • 64-bit EUI-64 (full MAC): source address mode = 3
    • 16-bit short address (assigned at join): source address mode = 2
  3. Identify the coordinator. Beacons (frame type = 0x0 in the MAC Frame Control field) are sent by every router as well as the coordinator whenever a joining device issues a Beacon Request, so "the device that beacons" is not enough. The coordinator is the beaconing device with the PAN Coordinator bit set in the beacon's Superframe Specification; in a ZigBee network it also always holds short address 0x0000 and advertises Device Depth 0 in the ZigBee beacon payload. What is its EUI-64 or short address?

  4. Identify end devices (if any). The 802.15.4 Frame Control field has no power-saving bit; a sleepy end device gives itself away by sending Data Request MAC command frames (command ID = 0x04) to its parent to poll for buffered traffic, and, if you caught its join, by an Association Request (command ID = 0x01) whose Capability Information has Device Type = 0 (RFD) and Receiver On When Idle = 0.

  5. Are any unencrypted data frames present? ZigBee leaves MAC-layer security off and encrypts at the NWK layer, so the MAC Security Enabled bit is 0 on practically every frame and tells you nothing here. Check the Security bit in the ZigBee NWK Frame Control instead (display filter zbee_nwk.security == 0); the only legitimately unencrypted NWK frames you should expect come from a device that has not yet received the network key.

import shutil
import subprocess
import sys

# Parse IEEE 802.15.4 frame types and addressing from the PCAP using tshark.
# Wireshark's filter name for IEEE 802.15.4 is "wpan", so the fields are wpan.*;
# there is no ieee802154.* field prefix.
if shutil.which('tshark') is None:
    sys.exit('tshark not found on PATH; install Wireshark (tshark) first')

result = subprocess.run(
    ['tshark', '-r', 'lab6-zigbee-mesh.pcapng',
     '-Y', 'wpan',                  # frames that carry an 802.15.4 MAC header
     '-T', 'fields', '-E', 'header=y',
     '-e', 'frame.number',
     '-e', 'wpan.frame_type',       # 0 beacon, 1 data, 2 ack, 3 MAC command
     '-e', 'wpan.src_addr_mode',    # 2 = 16-bit short, 3 = 64-bit EUI-64
     '-e', 'wpan.src64',
     '-e', 'wpan.src16',
     '-e', 'wpan.dst16',
     '-e', 'wpan.cmd',              # MAC command ID (0x04 = Data Request)
     '-e', 'wpan.security'],        # MAC-layer Security Enabled bit
    capture_output=True, text=True, check=True
)
# Header line plus the first 30 frames, for the Part 2 deliverable
for line in result.stdout.strip().split('\n')[:31]:
    print(line)
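As an added example (not part of the lab handout), the following turns tshark field output of that shape into the answers for questions 1 to 4. Feed it the stdout of tshark run with -E header=y and the fields named in the header below. The sample lines are constructed, not taken from lab6-zigbee-mesh.pcapng; the wpan.* field names are Wireshark's, and the role rules encode the facts from the question set: the coordinator holds 0x0000, routers beacon too, sleepy end devices poll their parent with Data Request, and a joiner sends its Association Request from its EUI-64 because it has no short address yet.

```python
from collections import OrderedDict

# 802.15.4 MAC constants used by the role inference.
FRAME_BEACON, FRAME_DATA, FRAME_ACK, FRAME_CMD = 0, 1, 2, 3
ADDR_MODE_SHORT, ADDR_MODE_EXT = 2, 3
CMD_ASSOC_REQ, CMD_DATA_REQ = 0x01, 0x04
COORDINATOR_SHORT_ADDR = "0x0000"   # a ZigBee coordinator always holds NWK address 0x0000

# Constructed stand-in for `tshark -T fields -E header=y` output (tab separated).
# Frame 4 is an Association Request from a joining device (EUI-64 source, source
# PAN 0xffff); frames 5 and 7 are Data Requests from a sleepy end device; frame 6
# is an ack, which carries no addressing at all.  Not from the lab capture.
SAMPLE_TSHARK = """\
frame.number\twpan.frame_type\twpan.src_addr_mode\twpan.src64\twpan.src16\twpan.dst16\twpan.src_pan\twpan.dst_pan\twpan.cmd
1\t0\t2\t\t0x0000\t\t0x1a62\t\t
2\t0\t2\t\t0x8f3c\t\t0x1a62\t\t
3\t1\t2\t\t0x8f3c\t0x0000\t\t0x1a62\t
4\t3\t3\t00:12:4b:00:1c:a1:e4:7b\t\t0x0000\t0xffff\t0x1a62\t0x01
5\t3\t2\t\t0x7d11\t0x8f3c\t\t0x1a62\t0x04
6\t2\t0\t\t\t\t\t\t
7\t3\t2\t\t0x7d11\t0x8f3c\t\t0x1a62\t0x04
"""


def _num(s):
    """tshark prints numeric fields either as decimal or as 0x-prefixed hex."""
    if not s:
        return None
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def parse_tshark_fields(text):
    """Turn header-first tab-separated tshark output into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def infer_roles(rows):
    """Answer Part 2 questions 1-4: PAN ID, address modes, coordinator, routers, end devices."""
    pan_ids = set()
    address_mode = OrderedDict()      # source address -> 2 (short) or 3 (EUI-64)
    beacon_senders, polling_devices, joiners = set(), set(), set()
    for r in rows:
        ftype, mode = _num(r["wpan.frame_type"]), _num(r["wpan.src_addr_mode"])
        src = r["wpan.src64"] if mode == ADDR_MODE_EXT else r["wpan.src16"]
        if not src:                    # acks have no source address
            continue
        address_mode[src] = mode
        if ftype == FRAME_BEACON:
            beacon_senders.add(src)
            pan_ids.add(r["wpan.src_pan"])          # beacons carry only a source PAN ID
        elif ftype == FRAME_DATA and r["wpan.dst_pan"]:
            pan_ids.add(r["wpan.dst_pan"])          # data frames: compressed, destination PAN only
        elif ftype == FRAME_CMD:
            cmd = _num(r["wpan.cmd"])
            if cmd == CMD_DATA_REQ:
                polling_devices.add(src)            # polls its parent: sleepy end device
            elif cmd == CMD_ASSOC_REQ:
                joiners.add(src)                    # joining, no short address yet
    roles = {}
    for addr in address_mode:
        if addr == COORDINATOR_SHORT_ADDR:
            roles[addr] = "coordinator"
        elif addr in beacon_senders:
            roles[addr] = "router"                  # beacons but is not 0x0000
        elif addr in polling_devices:
            roles[addr] = "end device (polls parent)"
        elif addr in joiners:
            roles[addr] = "joining (no short address yet)"
        else:
            roles[addr] = "unknown"
    return {"pan_ids": sorted(pan_ids), "address_mode": dict(address_mode), "roles": roles}


if __name__ == "__main__":
    for key, value in infer_roles(parse_tshark_fields(SAMPLE_TSHARK)).items():
        print(key, value)
```

A device that only ever appears as a data-frame source and never beacons or polls stays "unknown": with MAC-layer fields alone you cannot tell a router that was never asked for a beacon from a mains-powered (non-sleepy) end device, which is one reason the NWK-layer view in Part 3 matters.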

Part 3: ZigBee NWK Decryption (60 min)

Add the default ZigBee transport key to Wireshark's ZigBee key table:

Edit → Preferences → Protocols → ZigBee → Pre-configured Keys → Edit → +
Key: d0:d1:d2:d3:d4:d5:d6:d7:d8:d9:da:db:dc:dd:de:df   (Byte Order: Normal; give it a label such as "lab transport key")
(This is the well-known key the lab network was commissioned with; the same value is published as the ZigBee Light Link / touchlink certification key, and Wireshark will try every key in this table at both the NWK and the APS layer. Real-world captures usually also need the other published default, the Trust Center link key "ZigBeeAlliance09" = 5a:69:67:42:65:65:41:6c:6c:69:61:6e:63:65:30:39; keys cost nothing to add, so enter both.)

Apply display filter zbee_nwk to show ZigBee NWK frames.

Questions after adding the key:

  1. Is the well-known key what protects delivery of the network key? Filter for APS Transport Key commands (display filter zbee_aps.cmd.id == 0x05) with Key Type = Standard Network Key (0x01). These appear only when a device joins or rejoins, so a capture without a join never yields the network key. With the key entered above, Wireshark decrypts the APS payload and shows the transported network key in the clear. Note that nothing is "cracked": the network key is simply handed over under a key everybody knows.

  2. Wireshark adds a network key it recovers from a Transport Key command to its in-memory key ring automatically (nothing is written to your preferences, so add it to Pre-configured Keys yourself if you want it to survive a restart). Once the network key is known, are the NWK-layer payloads of the regular data frames now readable?

  3. What ZigBee Cluster Library (ZCL) commands are visible after decryption? Apply display filter zbee_zcl. What cluster IDs (zbee_aps.cluster) and command IDs (zbee_zcl.cmd.id) are present?

  4. For any ZCL On/Off cluster command (cluster ID = 0x0006, display filter zbee_aps.cluster == 0x0006): what command was sent (0x00 = Off, 0x01 = On, 0x02 = Toggle), between which NWK addresses, and to which destination endpoint?
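Part 4 asks what replaying the On/Off command you just decoded would look like and what stops it. As an added example (not part of the lab handout, and not lab data), here is the check that gives ZigBee NWK security its replay protection: each tuple is what a receiver holds after parsing the NWK auxiliary security header and verifying the MIC under the network key, namely the sender's EUI-64 from that header, the 32-bit frame counter, and the decoded ZCL payload. The MIC check itself is assumed to have passed already; this is the step after it.

```python
# Constructed NWK frames as seen by a receiver: (sender EUI-64, frame counter, payload).
# Frame 4 is frame 2 captured off the air and re-sent byte for byte by an attacker.
SAMPLE_NWK_FRAMES = [
    ("00:12:4b:00:1c:a1:e4:7b", 0x00001a00, "OnOff Toggle"),
    ("00:12:4b:00:1c:a1:e4:7b", 0x00001a01, "OnOff Toggle"),
    ("00:12:4b:00:1c:a1:e4:7b", 0x00001a02, "OnOff Off"),
    ("00:12:4b:00:1c:a1:e4:7b", 0x00001a01, "OnOff Toggle"),   # replay of frame 2
    ("00:12:4b:00:1c:a1:e4:7b", 0x00001a05, "OnOff On"),       # gaps (lost frames) are fine
    ("00:12:4b:00:0a:55:91:2c", 0x00000003, "OnOff Toggle"),   # another sender, its own counter
]


class NwkIncomingCounters:
    """Highest frame counter accepted per sender, as the NWK layer must keep it."""

    def __init__(self):
        self.last = {}

    def accept(self, src64, counter, payload):
        """Accept only a counter strictly above the last one accepted from this sender."""
        last = self.last.get(src64)
        if last is not None and counter <= last:
            return False, "rejected: counter %#010x not above last accepted %#010x" % (counter, last)
        self.last[src64] = counter
        return True, "accepted: %s" % payload


def filter_replays(frames):
    """Verdict per frame for a receiver that keeps its counter table; False = replay."""
    table = NwkIncomingCounters()
    return [table.accept(*frame)[0] for frame in frames]


def verdicts_without_counter_memory(frames):
    """Same frames against a receiver that starts from an empty table for every frame
    (what a device that does not persist incoming counters looks like after a reset)."""
    return [NwkIncomingCounters().accept(*frame)[0] for frame in frames]


if __name__ == "__main__":
    table = NwkIncomingCounters()
    for i, frame in enumerate(SAMPLE_NWK_FRAMES, 1):
        print(i, table.accept(*frame)[1])
```

The replayed Toggle is rejected purely because its counter is stale; the attacker cannot bump the counter without the network key, since the counter is covered by the MIC. The protection is only as good as the receiver's memory of counters, which is the point of the last question in Part 4.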


Part 4: Security Analysis (30 min)

Write a 1-paragraph security assessment addressing:

  1. What is the practical impact of a transport key that is printed in a public specification and therefore known to every attacker? Which classes of deployed ZigBee devices (think legacy Home Automation and Light Link products that cannot be updated) are likely still to accept it, and why is it so hard to retire in the field?

  2. ZigBee 3.0 requires Install Codes: a per-device random value of 48, 64, 96 or 128 bits plus a CRC-16, printed on the device or its packaging, from which the Trust Center derives a unique pre-configured link key with the AES-MMO hash. Describe the mechanism and explain why it defeats the passive-eavesdropping attack you ran in Part 3: the network key is now transported under a key that never crosses the air. Note that ZigBee 3.0 still permits joining with the well-known key for legacy devices, but requires the joiner to obtain a unique Trust Center link key immediately afterwards.

  3. For the ZCL On/Off command you observed: what would a replay attack look like at the radio level? Is there replay protection in the ZigBee frame format? (Hint: the 32-bit Frame Counter lives in the NWK auxiliary security header, display filter zbee.sec.counter, next to the sender's EUI-64; a receiver must reject any frame whose counter is not above the last one it accepted from that sender.) What happens to that protection if the receiver loses its counter table?
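The install-code derivation from question 2, as an added worked example (not part of the lab handout). The AES-MMO hash construction and the CRC-16 parameters are those of the ZigBee specification; AES-128 itself is written out in pure Python only so the block runs with no third-party dependency, which is fine for an 18-byte input and not something to ship. The install code below is the published example from the ZigBee 3.0 Base Device Behaviour specification, and the expected link key is 66b6900981e1ee3ca4206b6b861c02bb.

```python
# Added example: derive a ZigBee 3.0 Trust Center link key from an install code.
# AES-128 is implemented inline (pure Python) only to keep the block dependency-free.

def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p


def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for r in range(1, 5):
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """AES-128 key schedule: 11 round keys as 16-byte column-major lists."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """Single-block AES-128 encryption; state index = 4*column + row."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]     # ShiftRows
        if rnd < 10:                                            # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                      a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                      _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]                 # AddRoundKey
    return bytes(s)


def aes_mmo_hash(data):
    """Matyas-Meyer-Oseas over AES-128 (ZigBee spec Annex B.6): H0 = 0,
    Hi = AES_{H(i-1)}(Mi) XOR Mi; pad 0x80, zeros, then 16-bit big-endian bit length."""
    padded = bytearray(data) + b"\x80"
    while len(padded) % 16 != 14:
        padded += b"\x00"
    padded += (len(data) * 8).to_bytes(2, "big")
    h = bytes(16)
    for i in range(0, len(padded), 16):
        block = bytes(padded[i:i + 16])
        h = bytes(x ^ y for x, y in zip(aes128_encrypt_block(h, block), block))
    return h


def install_code_crc(body):
    """CRC-16/X-25: poly 0x1021 reflected (0x8408), init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in body:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def install_code_to_link_key(install_code):
    """Check the trailing little-endian CRC, then hash the whole code (CRC included)."""
    body, crc = install_code[:-2], int.from_bytes(install_code[-2:], "little")
    if len(body) not in (6, 8, 12, 16):
        raise ValueError("install code body must be 48, 64, 96 or 128 bits")
    if install_code_crc(body) != crc:
        raise ValueError("install code CRC mismatch: mistyped label?")
    return aes_mmo_hash(install_code)


# Published example install code from the ZigBee 3.0 Base Device Behaviour spec
# (16-byte code followed by its CRC c3 b5); not taken from the lab capture.
EXAMPLE_INSTALL_CODE = bytes.fromhex("83FED3407A939723A5C639B26916D505C3B5")

if __name__ == "__main__":
    print("link key:", install_code_to_link_key(EXAMPLE_INSTALL_CODE).hex())
```

The CRC is there to catch typing errors when a commissioning tool operator keys in the label, not to add security; the security comes from the link key being derived from a value that only the device and whoever read its label possess, so the Transport Key command carrying the network key is encrypted under something a sniffer never saw.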


Virtual Path Summary

All parts of this lab can be completed using lab6-zigbee-mesh.pcapng. The capture was generated from a three-device Zigbee 2006 network using the default transport key. The network key is decryptable from the capture using the procedure in Part 3.


Deliverables

  • Wireshark screenshot: 802.15.4 beacon frame with coordinator address visible
  • tshark output from Part 2 (first 30 lines)
  • Wireshark screenshot: ZigBee ZCL command frame after decryption
  • Written answers to Part 2 question set (5 questions)
  • Security analysis paragraph (Part 4, addresses all three questions)

Grading (8 points)

Item Points
Correct coordinator identification from beacon frames 1
tshark output showing address modes + frame types 1.5
ZCL command decoded after NWK decryption 2.5
Security analysis (all three questions addressed) 3