Zigbee Sniffer


Works in theory! Practice? That's something else
Sep 20, 2019
Key Largo
Picked one up, the instructions above were a bit out of date.

I got the "Zigbee sniffer package rev. 2.0" download from https://dsr-iot.com/downloads.

From it I flashed the file ..\zb_sniffer_target\CC2531 USB donglezboss_sniffer.hex to the chip using https://www.ti.com/tool/FLASH-PROGRAMMER.
(I had also loaded the SmartRFStudio in trying to follow the instruction above and it may or may not have provided the USB driver.)

Also from the "Zigbee sniffer package rev. 2.0" download was the Wireshark interface, ..\zb_sniffer_bin\zb_sniffer_host\gui\zboss_sniffer.exe

From there I launched zboss_sniffer.exe, entered the two highlighted
fields, then clicked start and presto! Zigbee packets!

I found two active Zigbee channels, 0x0F and 0x19. The first is pushing
about 4 to 5 packets per second, mostly 64 bit IEEE 802.15.4 Beacon packets.
0x19 is more active with about 35 packets per second, most show up as
Zigbee or IEEE 802.15.4 protocol.

Also entered 5a6967426565416c6c69616e63653039 as the Trust Center link
key into Wireshark. Not sure if it's correct for me, but it's the Zigbee default.

Next step is to try and figure out the network encryption key (aka Transport
Key). Below is some output from Wireshark. KillerBee has tools that might
help with that (e.g., zbdsniff, zbgoodfind) if I can get them to run on Windows.



  • 1636206103400.png
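Added example (not part of the original post or of the sniffer package): a short Python sketch that maps the channel numbers mentioned above to their 2.4 GHz centre frequencies and decodes the IEEE 802.15.4 Frame Control Field, which is how a capture gets labelled Beacon, Data or Ack. The function names are hypothetical and the sample frames are constructed, shown without the trailing FCS.

```python
import struct
from collections import Counter

FRAME_TYPES = {0: "Beacon", 1: "Data", 2: "Ack", 3: "MAC Command"}
ADDR_MODES = {0: "none", 2: "short (16-bit)", 3: "extended (64-bit)"}

def channel_to_mhz(channel):
    """2.4 GHz PHY: channels 11..26, spaced 5 MHz apart from 2405 MHz."""
    if not 11 <= channel <= 26:
        raise ValueError(f"channel {channel} is outside 11..26")
    return 2405 + 5 * (channel - 11)

def parse_mac_header(frame):
    """Decode the little-endian Frame Control Field and sequence number."""
    if len(frame) < 3:
        raise ValueError("frame too short for FCF + sequence number")
    fcf, seq = struct.unpack_from("<HB", frame)
    return {
        "type": FRAME_TYPES.get(fcf & 0x7, "reserved"),
        "security": bool(fcf & 0x0008),          # MAC-layer security bit
        "ack_request": bool(fcf & 0x0020),
        "pan_id_compression": bool(fcf & 0x0040),
        "dst_mode": ADDR_MODES.get((fcf >> 10) & 0x3, "reserved"),
        "src_mode": ADDR_MODES.get((fcf >> 14) & 0x3, "reserved"),
        "seq": seq,
    }

def summarize(frames):
    """Count frames per MAC frame type, as a per-channel activity summary."""
    return Counter(parse_mac_header(f)["type"] for f in frames)

# Constructed sample frames (not taken from the capture in the post).
SAMPLE_FRAMES = [
    # Beacon with a 64-bit source address: FCF 0xC000, seq, PAN ID, address, payload
    bytes.fromhex("00c0 2a 3412 1122334455667788 ffcf 00 00"),
    # Data frame, 16-bit addresses, ack requested, PAN ID compression: FCF 0x8861
    bytes.fromhex("6188 07 3412 0000 8f5a 0102"),
    # Acknowledgement: FCF 0x0002 plus the sequence number being acknowledged
    bytes.fromhex("0200 07"),
]

if __name__ == "__main__":
    for ch in (0x0F, 0x19):
        print(f"channel 0x{ch:02X} = {ch} -> {channel_to_mhz(ch)} MHz")
    for frame in SAMPLE_FRAMES:
        print(parse_mac_header(frame))
    print(dict(summarize(SAMPLE_FRAMES)))
```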