Zigbee Sniffer Recommendations

(Scott G) #1

I’m looking to get a zigbee sniffer (preferably USB). I saw one available from TI (CC2531) that works with their SmartRF software (free) and is a USB dongle for $50. Is that a good option? Anyone have any recommendations?

Zigbee mesh problem with Stelpro Ki - Zigbee edition
Zigbee DH Development
(Justin Eltoft) #2

Hi Scott,
Thanks for starting the thread. I’m definitely interested in packet sniffing for a project I’m doing now. This dongle you mentioned looks good so far so I just ordered one from Mouser.com. Looks like it ships preprogrammed with firmware that can be used for packet sniffing which is great. I’m reading through the user manual right now, and I’ll let you know how it goes when it arrives.

(Justin Eltoft) #3

Got the new sniffer!!

A bit of box overkill?

(Justin Eltoft) #4

Ok, it was SUPER easy to sniff the packets of my NXP module. I did the following:

  1. Installed the ti software from ti.com/tool/packet-sniffer
  2. inserted the dongle and started up the sniffer installed above (after usb driver installed itself)
  3. in the sniffer chose 802.15.4 default protocol on the splash screen (there is one other 802.15.4 but looks specific to a TI chipset)
  4. once in the main sniffing screen, choose ZigBee 2007/PRO in the top middle pull down
  5. look up the channel your ST hub is on https://graph.api.smartthings.com/hub/list (Note that it’s listed in decimal on the ST page, but the sniffer pull down is in hex)
  6. Hit the “play” button to start sniffing. You can look up zigbee “Source Address” as it’s called in the TI sniffer on the ST devices page https://graph.api.smartthings.com/device/list as “Device Network Id” for any of your ZigBee devices. Note this is not going to sniff Zwave.

Now I just need to see of the two messages with payloads which one holds the ZigBee inClusters/outClusters fingerprint I’m looking for. :smile:

BTW I have no idea how to decode that part yet.

(Scott G) #5

Awesome! I went with the same USB dongle, so I’ll chime in when it arrives (today or tomorrow I think). As tough as it’s been to decode some of the ST messages, I’m expecting more trouble with this; but a powerful tool.

(Patrick Stuart [@pstuart]) #6

So anyone got this to work with ST? I picked up one of these and can’t make heads or tails out of the packets it captures.

(Brian Smith) #7

I think I found why I couldn’t get it to work with ST…not enough treats, and a missing zigbee card…


(Scott G) #8

No. Unfortunately they’re encrypted and I can’t figure out how to decrypt them. I’ve tried the Ubiqua software (trial) and porting over to Wireshark hoping one of them could sniff the key, but no success. The common Zigbee key didn’t seem to be right or I input it wrong.

Very frustrating!

(Tim Gray) #9

Just got one of these and it’s an awesome troubleshooting tool for figuring out zigbee network health. Played with it this morning and I already see proof of what I suspected, one part of the house is having trouble with the ZigBee network because of wifi interference.

I also am detecting zigbee devices that are not mine. 4 devices that are out there that do not match any of my devices. hoping to sniff them out with this tool.

Note the TI dongle works with Peryton-M4 analysis tool so you can get even more information.

http://www.atmel.com/images/atmel-32210-zigbee-pro-packet-analysis-with-sniffer_ap-note_at02597.pdf for some info if you dont know the ZigBee protocol as well as other information.


Hi Sticks18,

Did you figure out how to decrypt them yet? I used Wireshark, and I can see information except the payload, which I believe is encrypted as it does not match any value with the commands I sent.

Let me know!

(Scott G) #11

No, sorry. My sniffer has been collecting dust for quite a while. I think you need to sniff the key exchange when a device joins, but I couldn’t figure it out.

You might try @JohnR or @mitchp.

(John Rucker) #12

Yep that is what I had to do. I had to tell my sniffer it was sniffing a ZigBee HA network and then it would sniff the traffic but most of the packets were encrypted. I then opened the network for joining and actually had a device join the network. The Sniffer saw the network key get exchanged with the new device and was off and running. I could see everything after that.


We have a few sniffers that we use, but they’re generally built on the ember ISA3 platform.

Ember ISA3 Debug Adapter

EM357 USB stick

Ember Desktop Software

The setup on the right in the picture is very compact and fits in a Pelican 1020 case.

(Scott G) #14

What sniffer and software were you using? I have the TI CC2531, but the software isn’t great.

(John Rucker) #15

I had an evaluation copy of Freescale’s BeeKit. Worked pretty good but when it expired I really couldn’t justify buying it. Tyler has the dream system above from SiLabs!! I have been saving up for that or NXP’s version just waiting to see who has it out for Thread/Weave first. The SiLab guys have a thread kit today and are expecting to add Weave (from Google) Q1. NXP wont give me details unless I sign an NDA. I think they are too busy with the Freescale merger and the field guys here in the Midwest are a little out of touch with the new stuff. Here I go off on a NXP / Thread tangent again.


I use this CC2531 board: http://www.dx.com/p/ti-cc2531-usb-dongle-zigbee-adapter-deep-blue-294176

And a 3D printed case I made here (ask me for source code):

(Eric M) #17

This is the one I use. I believe it is the same as the one above just a couple dollars cheaper. Both shipped form China so expect to get it in several weeks.

@rpress, can you link the 3D printed case file here?


Here’s the OpenSCAD source and the images for the logo.

[code]$fn = 32;

// PCB size
board_length = 44.6;
board_width = 17.6;
board_height = 2.5; // maximum height right/left of USB shell
pin_height = 1.6;
pin_width = 15.3;

// cover size
cover_thickness = 7;

// usb inlet geometry
usb_inlet_width = 12.2;
usb_inlet_height = 4.7;

// body size
front_mergine = 1.5;
body_thickness = 1.5;
body_radius = (max(usb_inlet_height, board_height) + pin_height) / 2 + body_thickness;
body_offset = 0.6;
body_length = board_length + front_mergine + cover_thickness;
body_width = 13;

//part = “all”;
//part = “shell”;
//part = “enclosure”;
//part = “logo”;
//part = “logo_z”;
part = “cover”;

module print_part() {
if (part == “shell” || part == “enclosure” || part == “all”) {
if (part == “logo” || part == “enclosure” || part == “all”) {
if (part == “logo_z” || part == “enclosure” || part == “all”) {
if (part == “cover” || part == “all”) {
translate([0, 0, 10])

module logo (z) {
translate([0, body_radius-0.7, body_length / 2])
difference() {
rotate([-90,0,0]) {
if (z)
surface(file=“z.png”, center=true);
surface(file=“o.png”, center=true);

        difference() {


module logo_back () {
translate([0, body_radius-0.7, body_length / 2])

module shell () {
difference() {
hull() {
translate([0, body_radius-0.7, body_length / 2])
// shell INNER SPACE
translate([-board_width / 2,-(board_height / 2), front_mergine])
translate([-pin_width / 2,-(board_height / 2) - pin_height, front_mergine])
translate([-usb_inlet_width / 2, -(board_height / 2), 0])
// contact space
translate([0, 0, board_length + front_mergine])
hull() {

module cover() {
difference() {
translate([0, 0, body_length-cover_thickness])
hull() {

(Paul Ockenden) #20

can any of these devices do the mapping stuff, like @JohnR posted here: FAQ: Mapping your ZigBee network with Digi's XCTU

Or does that need the Digi stick?


(Riitasusei_1128) #21


I used the CC2531 to sniffer the Zigbee packets. I saw that the ZIgbee transmission are quite frequent. Is that true? I thought the Zigbee devices should be low duty cycle, and the transmission should be second level.