USB Dongle usage as packet sniffer

Monitoring traffic and activity in IEEE 802.15.4 networks is essential to understand the behavior and traffic patterns of the network. Network Protocol analyzers are powerful and flexible tools that aid debugging during application development as well as collecting diagnostic information during its deployment. Kirale provides a Sniffer firmware for its devices which can be easily flashed without any additional tool. This firmware allows to perform protocol analysis of IEEE 802.15.4 networks providing real-time frame capture as well as upper-layer protocol visualization.

After bootup the Sniffer firmware stays in idle mode waiting for configuration commands in the USB interface. The Sniffer commands consist of a minimal subset of the KSH commands (full list in KSH Reference Guide):

There is a slight difference with the KSH commands: ifup and ifdown do not respond with a prompt. Now, the only thing to do is configure the IEEE 802.15.4 channel (11 to 26) and start capturing with the ifup command. At this moment, every frame received by the radio interface is forwarded to the USB with a special binary frame format:

Where:

• Magic number is 0x534e4946 (hex value for ‘SNIF’).
• Length is the size of the packet data.
• Timestamp is the time in blocks of 16 μs when the packet was captured, starting in 0 for the first packet.
• Packet data is the IEEE 802.15.4 frame.

In order to stop the capture, the commands ifdown or clear can be sent.

The open source KiTools project provides, among other functionalities, a simple way of starting a IEEE 802.15.4 packets capture, in both interactive and forced modes. If a KTDG102 USB Dongle is plugged in the computer, with the Sniffer firmware flashed and the proper drivers installed, the tool will detect it as a Kirale Sniffer and prompt the user for the desired channel, writing the captured packets in a PCAP file in the execution folder with a file name which includes the starting capture date.

It is also possible to start a capture directly by providing the dongle’s port name, capture channel and output file name.

python -m kitools –port COM36 –channel 26 –file “C:\Users\Kirale\mycapture.pcap”

The additional –live option tries to open a Wireshark instance from its default installation path, and makes possible to see the captured traffic in real time. The –file option can be used in this case combined with –live to provide the Wireshark binary path, if it is installed somewhere else.

The tool works for both Windows and UNIX platforms.

The KiTools application can be used to monitor the traffic of a wide variety of applications based on the IEEE 802.15.4 wireless standard, since it is completely transparent to the protocols that are used on top of such Link Layer. However, if the tool is used to monitor a Thread network it is recommended to configure Wireshark accordingly in order to display the complete information contained in the capture frames. The following configuration is valid for “Wireshark Version 2.1.0-Thread”.

Under Edit → Preferences → Protocols → IEEE 802.15.4:

• Enable Disect only good FCS.
• Type your monitoring Thread network master key in Decryption key 1.
• Type 1 in Decryption key index 1.
• As Security Suite, select AES-128 Encryption, 32 bits Integrity Protection.
• Enable Extended Authentication Data.
• As Key hash, select Thread hash used to derive key.

Under Edit → Preferences → Protocols → 6LoWPAN:

• Type your monitoring Thread network mesh local prefix in Context 0.

Under Edit → Preferences → Protocols → CoAP:

• Type 5683 in CoAP port number.
• Type 19789 in Additional CoAP port number (1).
• Type 61631 in Additional CoAP port number (2).

Under Edit → Preferences → Protocols → Thread CoAP:

• Enable Decode CoAP for Thread.

Disable LwMesh, Zigbee and Zigbee Green Power protocols under Analyze → Enabled protocols.