[Top] Zigbee Protocol Analyzer: What you need to know

[Top] Zigbee Protocol Analyzer: What you need to know


2 min read

Learn how to build a Zigbee Protocol Analyzer using a CC2531 dongle with Texas Instruments firmware. On this tutorial I will guide through the all process

Hardware Used




USB cc2531 Dongle



CC Debugger



Hardware – ZigBee Sniffer

cc2531 usb sniffer Features

The CC2531 USB dongle is a fully functional USB device that connects a PC to IEEE802.15.4 / ZigBee applications.

It has CC2531ZNP-Prod firmware and may be used as a Zigbee packet sniffer when inserted straight into a PC, Raspberry, etc.

  • Flashed with CC2531ZNP-Prod firmware for zigbee2mqtt application
  • Lead out 8 IO connectors
  • Debug interface
  • Size: 5.6*1.6*0.7cm
  • Two buttons and two LEDs for user interaction

Zigbee Protocol Analyzer

CC Debugger

The CC Debugger is a small programmer and debugger for the TI Low Power RF System-on-Chips.

It can be used together with IAR Embedded Workbench for 8051 (version 7.51A or later) for debugging and SmartRF Flash Programmer for flash programming.

CC Debugger

The CC Debugger can also be used for controlling selected devices from SmartRF Studio.

Software Used




Debian Buster armv7l






WHsniff Git

Texas Sniffer

Sniffer Firmware

Software – ZigBee Sniffer

Install all dependencies

In order to all software work we need to install some dependencies, execute:

sudo apt-get install -y libusb-1.0-0-dev wireshark libboost-all-dev p7zip-full

Install CC-Tool

rfs@offensive-wireless:~/ZigBee_Sniffer $ git clone github.com/dashesy/cc-tool.git rfs@offensive-wireless:~/ZigBee_Sniffer $ cd cc-tool

rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./bootstrap

rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./configure

rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ make

Download Sniffer Firmware

rfs@offensive-wireless:~/ZigBee_Sniffer $ unzip swrc045z.zip -d firmware_extracted

$ 7z e firmware_extracted/Setup_SmartRF_Packet_Sniffer_2.18.0.exe bin/general/firmware/sniffer_fw_cc2531.hex

sudo /cc-tool -e -w /sniffer_fw_cc2531.hex

Write the Firmware into cc2531

rfs@offensive-wireless:~/ZigBee_Sniffer $ sudo ./cc-tool/cc-tool -e -w sniffer_fw_cc2531.hex

How to Install whsniff – Zigbee sniffer software

curl -L github.com/homewsn/whsniff/archive/v1.3.tar.. | tar zx cd whsniff-1.3

rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ make

rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ sudo make install

Zigbee Protocol Analyzer

sudo whsniff -c 11 | wireshark -k -i -

ssh [email protected] "whsniff -c 18" | wireshark -k -i -

Configure our ZigBee Packet Sniffer to decode

Can zigbee sniffer see ieee mac address?

Yes, any ZigBee sniffer can see ieee MAC Address.