IEEE 802.15.4 is a member of the IEEE 802.15 standards for Wireless Personal Area Networks, which includes protocols such as IEEE 802.15.1 (Bluetooth), and IEEE 802.15.3 (UWB Wireless). IEEE 802.15.4 specifies the MAC and PHY Layers for Low-Rate Wireless Personal Area Networks (LR-WPAN).
IEEE 802.15.4 is currently used as a medium for a wide variety of network protocols, including ZigBee, 6lowPAN and TinyOS.
IEEE 802.15.4 was published by task group 4 (TG4) in 2003, and following the formation of IEEE 802.15 TG4b, has since gone into hibernation. TG4b was formed to revise and improve upon the original IEEE 802.15.4 specification, their enhancements were approved and published in June 2006 as IEEE 802.15.4-2006.
In March 2005, an extension to the IEEE 802.15.4 specification, IEEE 802.15.4a was released, specifying two additional optional PHYs with improved precision in ranging and locating.
IEEE 802.15.4 is a Layer 1 and 2 protocol, it depends only on hardware.
The IEEE 802.15.4 dissector is fully functional, including security (CCM decryption). This is not to be confused with ZigBee NWK and APS security, which is handled by other dissectors.
Example capture file
- Show only IEEE 802.15.4 based traffic:
You cannot directly filter IEEE 802.15.4 frames while capturing.
IEEE_802.15.4 on Wikipedia.
IEEE 802.15.4-2006 Low-Rate Wireless PAN - Specification download from IEEE Standards Association.
What capture hardware is being used?
It's an Exegin Q51 IEEE/802.15.4 ZigBee Transceiver, which captures and forwards radio traffic over a TCP/IP connection. Exegin's plugins for 802.15.4, 6LoWPAN, ZigBee 2006, ZigBee PRO, and the ZigBee Cluster Library have been donated to the Wireshark project and could be used with any capture device. Interested parties (such as dongle vendors) are encouraged to write a supportive interface.
There is also an IEEE 802.15.4/ZigBee USB dongle available from ubisys with special firmware. The firmware performs ZEPv2 encapsulation over RNDIS.
For adding support of other Ethernet based hardware to analyze 802.15.4/Zigbee/6LowPan, one way is to use Zigbee Encapsulation Protocol(ZEP) in this format - "|UDP Header| ZEP Header |IEEE 802.15.4 Packet|[8 bytes | 32 bytes | <= 127 bytes]". Length field in ZEPv2 header indicate 802.15.4 packet length. Send this Encapsulated 802.15.4 packet to ZEP default port 17754.
TI also has software and firmware for some devices to do the capture. The software can be configured to relay the traffic via UDP to a loopback and there is an available perl script at http://e2e.ti.com/support/wireless_connectivity/f/155/t/56980 to convert from the TI capture format to the dissector expected one.
The nRF 802.15.4 sniffer provides an extcap interface to start capturing directly from Wireshark. It provides out-of-band meta-data for Channel, RSSI and LQI for every packet using the IEEE 802.15.4 TAP link type.