{"id":12662,"date":"2019-01-28T01:41:05","date_gmt":"2019-01-28T00:41:05","guid":{"rendered":"http:\/\/blog.wenzlaff.de\/?p=12662"},"modified":"2019-01-28T19:56:47","modified_gmt":"2019-01-28T18:56:47","slug":"whsniff-ein-packet-konverter-fuer-sniffing-im-ieee-802-15-4-wireless-sensor-networks-zigbee-bei-2-4-ghz","status":"publish","type":"post","link":"http:\/\/blog.wenzlaff.de\/?p=12662","title":{"rendered":"whsniff: a packet converter for sniffing IEEE 802.15.4 wireless sensor networks (ZigBee) at 2.4 GHz"},"content":{"rendered":"<p><a href=\"https:\/\/github.com\/homewsn\/whsniff\" rel=\"noopener\" target=\"_blank\">Whsniff<\/a> is a command-line tool for the TI CC2531 USB dongle that captures IEEE 802.15.4 traffic at 2.4 GHz. It runs on the Raspberry Pi under Linux (on Windows, TI's SmartRF Packet Sniffer reportedly works as well).<br \/>\nIt writes files in the open <a href=\"https:\/\/de.wikipedia.org\/wiki\/Pcap\" rel=\"noopener\" target=\"_blank\">pcap format<\/a> (packet capture) that <strong>tshark<\/strong> and <strong>Wireshark<\/strong> can read.<\/p>\n<p><a href=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-26-um-19.24.48.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-26-um-19.24.48.png\" alt=\"\" width=\"718\" height=\"523\" class=\"aligncenter size-full wp-image-12669\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-26-um-19.24.48.png 718w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-26-um-19.24.48-300x219.png 300w\" sizes=\"auto, (max-width: 718px) 100vw, 718px\" \/><\/a><\/p>\n<p>The USB dongle, details <!--more--> of which I have already <a href=\"http:\/\/blog.wenzlaff.de\/?p=12645\" rel=\"noopener\" target=\"_blank\">written up<\/a>:<\/p>\n<p><a href=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/img_5492.jpg\"><img 
loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/img_5492.jpg\" alt=\"\" width=\"2907\" height=\"1178\" class=\"aligncenter size-full wp-image-12648\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/img_5492.jpg 2907w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/img_5492-300x122.jpg 300w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/img_5492-768x311.jpg 768w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/img_5492-1024x415.jpg 1024w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/a><\/p>\n<p>How do we get all of this running?<\/p>\n<p>First plug the USB sniffer into the Pi and check with <strong>lsusb<\/strong> whether it is detected:<\/p>\n<p><a href=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-26-um-14.29.34.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-26-um-14.29.34.png\" alt=\"\" width=\"724\" height=\"56\" class=\"aligncenter size-full wp-image-12673\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-26-um-14.29.34.png 724w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-26-um-14.29.34-300x23.png 300w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/a><\/p>\n<p>That looks good so far.<\/p>\n<p>Next we compile and install whsniff and <a href=\"http:\/\/blog.wenzlaff.de\/?p=4364\" rel=\"noopener\" target=\"_blank\">tshark<\/a>. 
We can use this <strong>install-whsniff.sh<\/strong> script for that:<\/p>\n<pre class=\"lang:default decode:true \" >\r\n#!\/bin\/bash\r\n\r\n#\r\n# Thomas Wenzlaff\r\n#\r\n\r\ncd ~\r\nsudo apt-get update\r\nsudo apt-get upgrade\r\n# libusb headers are needed to build whsniff, tshark to read the capture\r\nsudo apt-get install libusb-1.0-0-dev tshark\r\n\r\n# fetch whsniff v1.1 from GitHub and build it\r\n# (the tarball is downloaded over HTTPS but not verified against a hash or signature)\r\ncurl -L https:\/\/github.com\/homewsn\/whsniff\/archive\/v1.1.tar.gz | tar zx\r\ncd whsniff-1.1\r\nmake\r\nsudo make install\r\n<\/pre>\n<p>Now we can get started; we begin on channel 18. Here is <a href=\"https:\/\/www.digi.com\/resources\/documentation\/digidocs\/90001537\/references\/r_channels_zigbee.htm\" rel=\"noopener\" target=\"_blank\">an overview<\/a> of the 16 possible channels (11-26); channel k is centred at 2405 + 5 * (k - 11) MHz, so channel 18 is 2440 MHz. Quote:<br \/>\n<a href=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-27-um-05.44.04.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-27-um-05.44.04.png\" alt=\"\" width=\"715\" height=\"669\" class=\"aligncenter size-full wp-image-12675\" srcset=\"http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-27-um-05.44.04.png 715w, http:\/\/blog.wenzlaff.de\/wp-content\/uploads\/2019\/01\/Bildschirmfoto-2019-01-27-um-05.44.04-300x281.png 300w\" sizes=\"auto, (max-width: 715px) 100vw, 715px\" \/><\/a><\/p>\n<p># Sniff &#8230; (whsniff needs raw access to the USB device, so run it as root via sudo unless a udev rule grants your user access to the dongle)<br \/>\n<strong>whsniff -c 18 &gt; whsniff-log.pcap<\/strong><\/p>\n<p>Stop with CTRL-C; we then have the pcap file and can analyse it:<\/p>\n<p># Analyse the pcap file with <a href=\"http:\/\/blog.wenzlaff.de\/?p=4364\" rel=\"noopener\" target=\"_blank\">tshark<\/a><br \/>\n<strong>tshark -r whsniff-log.pcap<\/strong><\/p>\n<p>Frames marked Bad FCS, Malformed or with a Reserved frame type, like most lines in the sample below, are usually RF noise or frames corrupted by interference (the 2.4 GHz band is shared with Wi-Fi and Bluetooth) rather than real ZigBee traffic, so filter on a valid FCS before drawing conclusions from a capture.<\/p>\n<pre class=\"lang:default decode:true \" >\r\n# Result (anonymised), e.g.:\r\n\r\n    0.000000              \u2192              IEEE 802.15.4 49 
Command\r\n    2 249.791641              \u2192 73:8a:15:f7:87:e3:b0:8d IEEE 802.15.4 19 Ack, Dst: 73:8a:22:f7:87:e3:b0:8d[Malformed Packet]\r\n    3 1738.283546       0x7912 \u2192              IEEE 802.15.4 11 Ack, Src: 0x7912, Bad FCS\r\n    4 2979.236975              \u2192              IEEE 802.15.4 36 Reserved\r\n    5 3016.231398              \u2192              IEEE 802.15.4 32 Multipurpose\r\n    6 3043.240983       0xb59c \u2192 0x92f7       IEEE 802.15.4 64 Multipurpose, Dst: 0x92f7, Src: 0xb59c, Bad FCS\r\n    7 3874.275716              \u2192              IEEE 802.15.4 37 Multipurpose\r\n    8 4009.222298              \u2192              IEEE 802.15.4 31 Extended\r\n    9 4628.215064              \u2192              IEEE 802.15.4 31 Extended\r\n   10 5450.214312              \u2192              IEEE 802.15.4 28 Reserved, Bad FCS\r\n   11 5960.207120              \u2192 52:13:f0:9b:19:bf:de:9c IEEE 802.15.4 29 Multipurpose, Dst: 52:13:f0:9b:19:bf:de:9c, Bad FCS\r\n<\/pre>\n<p># Or full dissection with &#8230; (note the arrival times: they start at the Unix epoch, i.e. the capture timestamps are relative, not wall-clock time, so correlate them with other logs by offset)<br \/>\n<strong>tshark -r whsniff-log.pcap -V<\/strong><\/p>\n<pre class=\"lang:default decode:true \" >\r\n# Result (anonymised), e.g.:\r\n\r\nFrame 1: 49 bytes on wire (392 bits), 49 bytes captured (392 bits)\r\n    Encapsulation type: IEEE 802.15.4 Wireless PAN (104)\r\n    Arrival Time: Jan  1, 1970 01:01:02.005144000 CET\r\n    [Time shift for this packet: 0.000000000 seconds]\r\n    Epoch Time: 62.005144000 seconds\r\n    [Time delta from previous captured frame: 0.000000000 seconds]\r\n    [Time delta from previous displayed frame: 0.000000000 seconds]\r\n    [Time since reference or first frame: 0.000000000 seconds]\r\n    Frame Number: 1\r\n    Frame Length: 49 bytes (392 bits)\r\n    Capture Length: 49 bytes (392 bits)\r\n    [Frame is marked: False]\r\n    [Frame is ignored: False]\r\n    [Protocols in frame: wpan]\r\nIEEE 802.15.4 Command\r\n    Frame Control Field: 0x3ec3, Frame Type: Command, PAN ID 
Compression, Information Elements Present, Destination Addressing Mode: Long\/64-bit, Frame Version: Reserved, Source Addressing Mode: None\r\n        .... .... .... .011 = Frame Type: Command (0x3)\r\n        .... .... .... 0... = Security Enabled: False\r\n        .... .... ...0 .... = Frame Pending: False\r\n        .... .... ..0. .... = Acknowledge Request: False\r\n        .... .... .1.. .... = PAN ID Compression: True\r\n        .... ...0 .... .... = Sequence Number Suppression: False\r\n        .... ..1. .... .... = Information Elements Present: True\r\n        .... 11.. .... .... = Destination Addressing Mode: Long\/64-bit (0x3)\r\n        ..11 .... .... .... = Frame Version: Reserved (3)\r\n        00.. .... .... .... = Source Addressing Mode: None (0x0)\r\n    Sequence Number: 16\r\n    [Expert Info (Error\/Malformed): Frame Version Unknown Cannot Dissect]\r\n        [Frame Version Unknown Cannot Dissect]\r\n        [Severity level: Error]\r\n        [Group: Malformed]\r\n\r\nFrame 2: 19 bytes on wire (152 bits), 19 bytes captured (152 bits)\r\n    Encapsulation type: IEEE 802.15.4 Wireless PAN (104)\r\n    Arrival Time: Jan  1, 1970 01:05:11.796785000 CET\r\n    [Time shift for this packet: 0.000000000 seconds]\r\n    Epoch Time: 311.796785000 seconds\r\n    [Time delta from previous captured frame: 249.791641000 seconds]\r\n    [Time delta from previous displayed frame: 249.791641000 seconds]\r\n    [Time since reference or first frame: 249.791641000 seconds]\r\n    Frame Number: 2\r\n    Frame Length: 19 bytes (152 bits)\r\n    Capture Length: 19 bytes (152 bits)\r\n    [Frame is marked: False]\r\n    [Frame is ignored: False]\r\n    [Protocols in frame: wpan]\r\nIEEE 802.15.4 Ack, Sequence Number: 60, Dst: 72:8a:15:f7:87:e3:b2:8d\r\n    Frame Control Field: 0xceb2, Frame Type: Ack, Frame Pending, Acknowledge Request, Information Elements Present, Destination Addressing Mode: Long\/64-bit, Frame Version: IEEE Std 802.15.4-2003, Source Addressing Mode: 
Long\/64-bit\r\n        .... .... .... .010 = Frame Type: Ack (0x2)\r\n        .... .... .... 0... = Security Enabled: False\r\n        .... .... ...1 .... = Frame Pending: True\r\n        .... .... ..1. .... = Acknowledge Request: True\r\n        .... .... .0.. .... = PAN ID Compression: False\r\n        .... ...0 .... .... = Sequence Number Suppression: False\r\n        .... ..1. .... .... = Information Elements Present: True\r\n        .... 11.. .... .... = Destination Addressing Mode: Long\/64-bit (0x3)\r\n        ..00 .... .... .... = Frame Version: IEEE Std 802.15.4-2003 (0)\r\n        11.. .... .... .... = Source Addressing Mode: Long\/64-bit (0x3)\r\n    Sequence Number: 60\r\n    Destination PAN: 0xe30d\r\n    Destination: 73:8a:15:f7:82:e3:b0:8d (73:8a:15:f2:87:e3:b0:8d)\r\n    Source PAN: 0x2462\r\n[Malformed Packet: IEEE 802.15.4]\r\n    [Expert Info (Error\/Malformed): Malformed Packet (Exception occurred)]\r\n        [Malformed Packet (Exception occurred)]\r\n        [Severity level: Error]\r\n        [Group: Malformed]\r\n...\r\n<\/pre>\n<p>What tshark dissects here is the MAC layer. ZigBee encrypts the NWK payload with the network key, so even in well-formed frames only the MAC and NWK headers are readable in clear text unless that key has been entered in Wireshark's ZigBee NWK protocol preferences.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Whsniff is a command-line tool for the TI CC2531 USB dongle that captures IEEE 802.15.4 traffic at 2.4 GHz. It runs on the Raspberry Pi under Linux (on Windows, TI's SmartRF Packet Sniffer reportedly works as well). It writes files in the open pcap format (packet capture) that tshark and Wireshark can read. 
The USB dongle, details<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[220,1023,2752,1319,7],"tags":[1937,3530,1727,3529,1115,513,3526],"class_list":["post-12662","post","type-post","status-publish","format-standard","hentry","category-anleitung","category-raspberry-pi","category-raspberry-pi-zero-w","category-sicherheit-2","category-tools","tag-drahtlos","tag-sniffing","tag-tshark","tag-whsniff","tag-wireshark","tag-wlan","tag-zigbee"],"_links":{"self":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/12662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12662"}],"version-history":[{"count":0,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=\/wp\/v2\/posts\/12662\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12662"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12662"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.wenzlaff.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
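The capture-and-analyse procedure in the post (whsniff -c 18 > whsniff-log.pcap, then tshark -r on the file) produces a pcap in which, as the sample output shows, most frames carry a Bad FCS or a reserved frame type. The following is an added example, not code from the original post or from the whsniff project: a small offline triage script that parses the pcap container itself, decodes the IEEE 802.15.4 frame control field, recomputes the FCS and counts what survives once bad-FCS frames are discarded. It assumes the capture uses pcap link type 195 (IEEE 802.15.4 with a standard FCS, which is what Wireshark shows as "IEEE 802.15.4 Wireless PAN"); link type 230 (no FCS) is accepted but then the FCS cannot be verified. The sample frames embedded at the bottom are constructed for illustration, not recorded traffic.

```python
"""Offline triage of a whsniff-style IEEE 802.15.4 pcap (added example, not whsniff code)."""
import struct
from collections import Counter

LINKTYPE_IEEE802_15_4_WITHFCS = 195   # assumption: what whsniff's pcap output uses
LINKTYPE_IEEE802_15_4_NOFCS = 230
PCAP_MAGIC_LE_USEC = 0xA1B2C3D4

FRAME_TYPES = {0: "Beacon", 1: "Data", 2: "Ack", 3: "Command",
               4: "Reserved", 5: "Multipurpose", 6: "Fragment", 7: "Extended"}
FRAME_VERSIONS = {0: "2003", 1: "2006", 2: "2015", 3: "Reserved"}


def crc16_802154(data: bytes) -> int:
    """802.15.4 FCS: CRC-16 with x^16+x^12+x^5+1, init 0, bit-reflected, no final
    XOR (CRC-16/KERMIT). Check value: crc16_802154(b"123456789") == 0x2189."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_fcf(fcf: int) -> dict:
    """Decode the 16-bit frame control field (transmitted little-endian)."""
    return {
        "type": FRAME_TYPES[fcf & 0x7],
        "security": bool(fcf & 0x0008),      # MAC-layer security bit only
        "ack_request": bool(fcf & 0x0020),
        "pan_id_compression": bool(fcf & 0x0040),
        "ie_present": bool(fcf & 0x0200),
        "dst_mode": (fcf >> 10) & 0x3,       # 0 none, 2 short, 3 extended
        "version": FRAME_VERSIONS[(fcf >> 12) & 0x3],
        "src_mode": (fcf >> 14) & 0x3,
    }


def read_pcap(blob: bytes):
    """Return (linktype, [(timestamp_seconds, frame_bytes), ...]) for a classic pcap."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC_LE_USEC:
        raise ValueError("not a little-endian, microsecond-resolution pcap file")
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        records.append((ts_sec + ts_usec / 1e6, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records


def triage(blob: bytes) -> dict:
    """Decode every frame; bad-FCS frames are listed but not counted by type,
    because their header fields cannot be trusted (tshark's "Bad FCS")."""
    linktype, records = read_pcap(blob)
    has_fcs = linktype == LINKTYPE_IEEE802_15_4_WITHFCS
    if not has_fcs and linktype != LINKTYPE_IEEE802_15_4_NOFCS:
        raise ValueError(f"unexpected link type {linktype}")
    stats, frames = Counter(frames=len(records)), []
    for ts, frame in records:
        if len(frame) < (4 if has_fcs else 2):   # FCF (2) [+ FCS (2)]
            stats["truncated"] += 1
            continue
        body, fcs_ok = frame, None
        if has_fcs:
            body = frame[:-2]
            fcs_ok = crc16_802154(body) == struct.unpack("<H", frame[-2:])[0]
        info = parse_fcf(struct.unpack_from("<H", body, 0)[0])
        info.update(ts=ts, length=len(frame), fcs_ok=fcs_ok)
        frames.append(info)
        if fcs_ok is False:
            stats["bad_fcs"] += 1
            continue
        stats[info["type"]] += 1
        if info["security"]:
            stats["mac_security"] += 1
    return {"linktype": linktype, "stats": stats, "frames": frames}


# --- constructed sample capture (made up for illustration, not recorded traffic) ---
def with_fcs(body: bytes) -> bytes:
    return body + struct.pack("<H", crc16_802154(body))


def build_pcap(frames, linktype=LINKTYPE_IEEE802_15_4_WITHFCS) -> bytes:
    """Wrap raw frames in a classic pcap container, one record per second."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE_USEC, 2, 4, 0, 0, 256, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


DATA_FRAME = with_fcs(bytes.fromhex(
    "6198"                  # FCF 0x9861: Data, ack request, PAN ID compression, short dst/src, v2006
    "2a"                    # sequence number
    "621a" "0000" "6f79"    # dst PAN 0x1a62, dst short 0x0000 (coordinator), src short 0x796f
    "08020000" "6f791e2b")) # 8 payload bytes standing in for a NWK header
ACK_FRAME = with_fcs(bytes.fromhex("0200" "2a"))                                  # FCF 0x0002: Ack, seq 0x2a
SECURED_FRAME = with_fcs(bytes.fromhex("6998" "2b" "621a" "0000" "6f79" "0d00"))  # 0x9869: MAC security bit
_noise = with_fcs(bytes.fromhex("c43e" "10" "ff00ff00"))                          # FCF 0x3ec4: reserved type 4
NOISE_FRAME = _noise[:-1] + bytes([_noise[-1] ^ 0x01])                            # one FCS bit flipped
SAMPLE_PCAP = build_pcap([DATA_FRAME, ACK_FRAME, SECURED_FRAME, NOISE_FRAME])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    result = triage(blob)
    print("link type", result["linktype"], dict(result["stats"]))
    for f in result["frames"]:
        print(f"{f['ts']:10.6f}  {f['type']:<12} v{f['version']:<8} fcs_ok={f['fcs_ok']}  mac_sec={f['security']}")
```

Run it as `python3 whsniff_triage.py whsniff-log.pcap` (the file name is my choice) on a real capture; without an argument it triages the built-in sample and reports two Data frames, one Ack and one bad-FCS frame. The same cut in tshark is a display filter on the FCS check, `tshark -r whsniff-log.pcap -Y 'wpan.fcs_ok == 1'`, which drops the Bad FCS lines before you start reading addresses and sequence numbers out of a capture.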