ZIGBEE PROTOCOL


Zigbee is a standards-based wireless technology developed to enable low-cost, low-power wireless machine-to-machine (M2M) and internet of things (IoT) networks.

1. Overview:

Zigbee is one of the most talked about communication protocols in the IoT ecosystem. Zigbee is built on top of IEEE 802.15.4, like other similar protocols such as 6LoWPAN and SNAP. A consortium known as the Zigbee Alliance has been created by a group of companies that work together on Zigbee and take it forward. These companies (officially called "promoters") include Honeywell, Invensys, Mitsubishi, Motorola, Philips, Samsung and more.

Zigbee is a low-cost, low-power, wireless mesh network standard targeted at battery-powered devices in wireless control and monitoring applications. Zigbee delivers low-latency communication. Zigbee chips are typically integrated with radios and with microcontrollers. Zigbee operates in the industrial, scientific and medical (ISM) radio bands: 2.4 GHz in most jurisdictions worldwide, though some devices also use 784 MHz in China, 868 MHz in Europe and 915 MHz in the USA and Australia. Even in those regions, however, most commercial Zigbee devices for home use still operate at 2.4 GHz. Data rates vary from 20 kbit/s (868 MHz band) to 250 kbit/s (2.4 GHz band).

The Zigbee network layer natively supports both star and tree networks, and generic mesh networking. Every network must have exactly one coordinator device. Within star networks, the coordinator must be the central node. Both trees and meshes allow the use of Zigbee routers to extend communication at the network level. Another defining feature of Zigbee is its facilities for secure communication: protecting the establishment and transport of cryptographic keys, ciphering frames, and controlling devices. It builds on the basic security framework defined in IEEE 802.15.4.

Zigbee devices are of three kinds:

  • Zigbee Coordinator (ZC): The most capable device, the Coordinator forms the root of the network tree and might bridge to other networks. There is precisely one Zigbee Coordinator in each network since it is the device that started the network originally (the Zigbee LightLink specification also allows operation without a Zigbee Coordinator, making it more usable for off-the-shelf home products). It stores information about the network, including acting as the Trust Center & repository for security keys.
  • Zigbee Router (ZR): As well as running an application function, a Router can act as an intermediate router, passing on data from other devices.
  • Zigbee End Device (ZED): Contains just enough functionality to talk to the parent node (either the Coordinator or a Router); it cannot relay data from other devices. This relationship allows the node to be asleep a significant amount of the time thereby giving long battery life. A ZED requires the least amount of memory, and, therefore, can be less expensive to manufacture than a ZR or ZC.

Zigbee stack layers:

  • Network (NWK) Layer: The network layer ensures the proper operation of the underlying MAC layer and provides an interface to the application layer. The network layer supports star, tree and mesh topologies. Among other things, this is the layer where networks are started, joined, left and discovered.
  • Application (APL) Layer: The APL layer is made up of several sublayers. In the usual stack diagram, the ovals symbolize the interfaces, called service access points (SAP), between the different sublayer entities.
    • Application Support Sublayer (APS): The APS sublayer is responsible for: binding tables, message forwarding between bound devices, group address definition and management, address mapping from 64-bit extended addresses to 16-bit NWK addresses, fragmentation and reassembly of packets, and reliable data transport.
    • Application Framework: The application framework is an execution environment for application objects to send and receive data. Application objects are defined by the manufacturer of the ZigBee-enabled device. As defined by ZigBee, an application object is at the top of the application layer and is determined by the device manufacturer. An application object actually implements the application; it can be a light bulb, a light switch, an LED, an I/O line, etc. The application profile is run by the application objects.
    • Zigbee Device Object (ZDO): The ZDO is responsible for overall device management, specifically it is responsible for: initializing the APS sublayer and the NWK layer, defining the operating mode of the device, device discovery and determination of which application services the device provides, initiating and/or responding to binding requests, security management.

2. Api-Mote device:

Api-Mote is a low-power wireless module supporting IEEE 802.15.4. It allows for rapid application prototyping as well as wireless and security research. It leverages industry-standard chips, including the MSP430 microprocessor and an IEEE 802.15.4 and ZigBee-ready RF transceiver. Api-Mote is pre-flashed with KillerBee firmware, so all you need to do is plug it into your system and use the KillerBee utilities to start your research.

The APImote hardware was designed by River Loop Security in collaboration with the Dartmouth Trust Lab and Travis Goodspeed.

APImote is open-source hardware; the ApiMote hardware designs are published.

Key features:

  • 2.4 GHz IEEE 802.15.4 Compliant and ZigBee™-Ready RF Transceiver (CC2420)
  • Interoperability with other IEEE 802.15.4 devices
  • 16-Bit Ultra-Low-Power MCU (116 KB Flash, 8 KB RAM) (MSP430F2618), featuring Integrated ADC, DAC, Supply Voltage Supervisor, and DMA Controller
  • FTDI USB-to-Serial IC
  • Programming and data collection via USB
  • Integrated onboard antenna
  • Low current consumption
  • Hardware link-layer encryption and authentication are supported
  • Optional SMA antenna connector
  • Basic GoodFET-based firmware support is already available (TinyOS support should be easy)

3. ZigBee sniffer by KillerBee:

KillerBee – Framework and Tools for Attacking ZigBee and IEEE 802.15.4 networks. KillerBee is developed and tested on Linux systems. MacOS usage is possible but not supported.

In Zigbee communication, the target device can be using any of the 16 channels (11 to 26). In order to sniff, dump or replay traffic, the first thing we need to know is which channel the target device is operating on.

zbstumbler helps us identify which channel the XBee is using to transmit Zigbee packets.

$ ./zbstumbler -v

Once the channel is identified, we can use zbdump to capture the packets on that channel.

$ ./zbdump -c <channel-number> -r <outputfile.pcap>

You can also use zbwireshark to capture the data in real time, as shown below:

$ ./zbwireshark -c <channel-number>


In ZigBee networking, a sniffing tool is important during development and testing for the capture and analysis of frames exchanged in the network. It is more significant in networks that have ZigBee products from different vendors to test and verify that they inter-operate with one another.
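As an added example (not part of the original post or of KillerBee), the following Python parser decodes the IEEE 802.15.4 MAC header and the Zigbee NWK header of frames such as those zbdump writes to its pcap, and flags data frames whose NWK security bit is clear, which is how a defender checks that the network actually encrypts at the NWK layer. The two sample frames are constructed, not captured, and the trailing FCS is assumed to have been stripped already.

```python
import struct

# Addressing modes from the 802.15.4 Frame Control Field (bits 10-11 dst, 14-15 src)
ADDR_NONE, ADDR_SHORT, ADDR_EXT = 0, 2, 3
MAC_FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}

def _read_addr(raw, off, mode):
    """Return (address, new_offset) for a 16-bit short or 64-bit extended address."""
    if mode == ADDR_SHORT:
        return struct.unpack_from("<H", raw, off)[0], off + 2
    if mode == ADDR_EXT:
        return struct.unpack_from("<Q", raw, off)[0], off + 8
    return None, off

def parse_frame(raw):
    """Parse the MAC header and, for data frames, the Zigbee NWK header (FCS already stripped)."""
    fcf, seq = struct.unpack_from("<HB", raw, 0)
    mac = {"frame_type": MAC_FRAME_TYPES[fcf & 0x7], "mac_security": bool(fcf & 0x0008),
           "ack_request": bool(fcf & 0x0020), "pan_compression": bool(fcf & 0x0040), "seq": seq}
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3
    off = 3
    if dst_mode != ADDR_NONE:
        mac["dst_pan"] = struct.unpack_from("<H", raw, off)[0]
        mac["dst_addr"], off = _read_addr(raw, off + 2, dst_mode)
    if src_mode != ADDR_NONE:
        if not mac["pan_compression"]:  # source PAN ID is only present when not compressed
            mac["src_pan"] = struct.unpack_from("<H", raw, off)[0]
            off += 2
        mac["src_addr"], off = _read_addr(raw, off, src_mode)
    if mac["frame_type"] != "data":
        return {"mac": mac, "nwk": None}
    # Zigbee NWK header: frame control (2), dst (2), src (2), radius (1), sequence (1)
    nfc, ndst, nsrc, radius, nseq = struct.unpack_from("<HHHBB", raw, off)
    nwk = {"frame_type": "command" if nfc & 0x3 == 1 else "data",
           "protocol_version": (nfc >> 2) & 0xF,
           "nwk_security": bool(nfc & 0x0200),  # bit 9: auxiliary security header follows, payload encrypted
           "dst": ndst, "src": nsrc, "radius": radius, "seq": nseq}
    return {"mac": mac, "nwk": nwk}

def unprotected_nwk_frames(frames):
    """Defender check: indices of data frames sent without NWK-layer security."""
    return [i for i, f in enumerate(frames) if f["nwk"] and not f["nwk"]["nwk_security"]]

# Constructed samples (not captured traffic): a secured broadcast NWK data frame and an unsecured one
SECURED = bytes.fromhex("41 88 05 34 12 ff ff 00 00 08 02 fd ff 00 00 1e 7b aa bb cc")
UNSECURED = bytes.fromhex("41 88 06 34 12 ff ff 00 00 08 00 fd ff 00 00 1e 7c aa bb cc")
PARSED = [parse_frame(SECURED), parse_frame(UNSECURED)]

if __name__ == "__main__":
    for i, f in enumerate(PARSED):
        print(i, f["mac"]["frame_type"], hex(f["mac"]["dst_pan"]), f["nwk"])
    print("frames without NWK security:", unprotected_nwk_frames(PARSED))
```

Frames exported from a zbdump pcap carry a 2-byte FCS at the end; drop it before passing the bytes to parse_frame.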

