Issue
Capturing packets from a Zigbee Standard Security network shows packets marked Bad FCS or Encrypted Payload.
Product Line
EcoStruxure Building Operation
Environment
- Building Operation Automation Server
- Building Operation Room Controller
Cause
Zigbee Standard Security networks use multiple keys to encrypt data for the Zigbee network and for each device.
Resolution
This resolution assumes you have a Zigbee adapter that can capture packets in Wireshark.
Ensure the zigbee_pc_keys file is available in each profile you are going to use to analyze the Zigbee packets. The file location is generally: %AppData%\Roaming\Wireshark\profiles\<Profile Name>\zigbee_pc_keys
- Open Wireshark and configure the Zigbee adapter
  - NOTE: Substitute your adapter name if you are not using the TI CC2531 adapter.
  - Open Wireshark
  - Click the gear next to 'TI CC2531 802.15.4 packet sniffer'
  - Select the known channel (11-26) and click Save
  - Click 'TI CC2531 802.15.4 packet sniffer' to start capturing
- Update formatting to resolve Bad FCS packets
  - Go to Edit -> Preferences -> Protocols
  - Select IEEE 802.15.4
  - Depending on your Wireshark version, either:
    - check "TI CC24XX FCS Format"
    - or set FCS format = "TI CC24xx metadata"
- Add default link key for Zigbee Alliance
  - Go to Edit -> Preferences -> Protocols
  - Select ZigBee
  - Set Security Level = AES-128 Encryption, 32-bit Integrity Protection
  - Click Edit next to Pre-configured Keys
  - Click + and enter the Key Value, Byte Order, and Label listed below
  - Enter the Zigbee Alliance Default Link Key
    - Key = 5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39
    - Key Value = 5A6967426565416C6C69616E63653039
      - Remove the colons (:) for entry into Wireshark
    - Byte Order = Normal
    - Label = ZigbeeAlliance09
- Find and add Standard Network Key
  - Ensure you have configured the default link key (above).
  - Use this display filter to find the key exchange: zbee.sec.decryption_key
  - Find Standard Network Key
    - Look in the Info column for the Transport Key and select it
    - Expand Zigbee Application Support Layer Command
    - Expand Command Frame: Transport Key. Key Type shows Standard Network Key and Key shows the value.
    - Right-click on the key -> Copy -> Value
  - Right-click on the Zigbee Network Layer Data -> Protocol Preferences -> Open Zigbee Network Layer Preferences
  - Click Edit next to Pre-configured Keys
  - Click + and paste under Key, leave Byte Order = Normal, and add a Label.
    - RECOMMENDED: Use a descriptive label, because you will have one Network Key per Zigbee network. Include the Device, PAN ID, and NetworkKey, e.g. ASP087_12345_NetworkKey
- Find and add Trust Center Link Key PER device
  - Ensure the following are configured: formatting, default link key, and Standard Network Key (above).
  - Use this display filter to find the Request Key exchange: zbee.sec.decryption_key
    - Since this is per device, you can include the Network Address of the device. Example: if the network address of the device is 0x2074, the display filter would be: zbee.sec.decryption_key and zbee_nwk.addr == 0x2074
  - Find Trust Center Link Key per device
    - Using the Info field, find the pair of Request Key and Transport Key. The Request Key will have Source = Device Network Address, and the Transport Key will have Destination = Device Network Address.
    - Click on the Transport Key packet
    - Expand Zigbee Application Support Layer Command
    - Expand Command Frame: Transport Key. Key Type shows Trust Center Link Key and Key shows the value.
    - Right-click on the key -> Copy -> Value
  - Right-click on the Zigbee Network Layer Data -> Protocol Preferences -> Open Zigbee Network Layer Preferences
  - Click Edit next to Pre-configured Keys
  - Click + and paste under Key, leave Byte Order = Normal, and add a Label.
    - RECOMMENDED: Use a descriptive label, because you will have one key per device. Include the Device, Network Address, and Trust Center Link Key, e.g. TH907-01_0x2074_TCLK
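The key entries from the steps above can also be prepared as zigbee_pc_keys records and copied between profiles. The following is an added example, not part of the original article or of Wireshark. It assumes each record has the layout "key","byte order","label", so compare its output with a file Wireshark itself wrote before relying on it. The network key and Trust Center Link Key values are constructed samples.

```python
import re

def normalize_key(text):
    """Accept 5A:69:... or 5A69... and return 32 uppercase hex digits (128 bits)."""
    digits = re.sub(r"[:\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", digits):
        raise ValueError(f"not a 16-byte hex key: {text!r}")
    return digits.upper()

def uat_line(key, label, byte_order="Normal"):
    """One record in the assumed layout: "key","byte order","label"."""
    if byte_order not in ("Normal", "Reverse"):
        raise ValueError("byte order must be Normal or Reverse")
    if not re.fullmatch(r"[\w.-]+", label):
        raise ValueError(f"label needs plain characters only: {label!r}")
    return f'"{normalize_key(key)}","{byte_order}","{label}"'

def merge_keys(existing_text, entries):
    """Append (key, label) pairs to the file text, skipping keys already listed."""
    lines = existing_text.splitlines()
    seen = set()
    for line in lines:
        first_field = re.match(r'"([^"]*)"', line)
        if first_field:
            try:
                seen.add(normalize_key(first_field.group(1)))
            except ValueError:
                pass  # comment or unrelated line: keep it, do not index it
    for key, label in entries:
        digits = normalize_key(key)
        if digits not in seen:
            seen.add(digits)
            lines.append(uat_line(digits, label))
    return "\n".join(lines) + "\n"

# Default link key from the article; the other two keys are constructed samples.
ENTRIES = [
    ("5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39", "ZigbeeAlliance09"),
    ("00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF", "ASP087_12345_NetworkKey"),
    ("0F1E2D3C4B5A69788796A5B4C3D2E1F0", "TH907-01_0x2074_TCLK"),
]
# Constructed existing file content that already holds the default link key.
EXISTING = ('# constructed sample\n'
            '"5A6967426565416C6C69616E63653039","Normal","ZigbeeAlliance09"\n')

if __name__ == "__main__":
    print(merge_keys(EXISTING, ENTRIES), end="")
```

A file built this way holds the network key and link keys in plaintext, so store it with the same access restrictions as the captures it decrypts.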