TZSP

TaZmen Sniffer Protocol (TZSP) is an encapsulation protocol used to wrap other protocols. It is commonly used to wrap 802.11 wireless packets to support Intrusion Detection Systems (IDS), wireless tracking, or other wireless applications.


Protocol Summary

A number of 802.11 sensors and Access Points use the TZSP protocol for packet capture. It is an open protocol that was designed to encapsulate other protocols over UDP. The primary use for this protocol has been the capture of wireless traffic and its transmission over a wired network.


Protocol Header

The protocol specifies three parts to each TZSP packet: a 4-byte header, followed by one or more tagged fields, the last of which has to be TAG_END (0x01), and finally the encapsulated data. The header and tagged fields use big-endian ordering where appropriate.


Version

The TZSP version should always be set to 1 (0x01).


Type

* 0 (0x00) Received tag list
* 1 (0x01) Packet for transmit
* 2 (0x02) Reserved
* 3 (0x03) Configuration
* 4 (0x04) Keepalive
* 5 (0x05) Port opener


Encapsulated Protocol

* 1 (0x01) Ethernet
* 18 (0x12) IEEE 802.11
* 119 (0x77) Prism Header
* 127 (0x7F) WLAN AVS


Tagged Fields

The tagged fields consist of a one-byte tag type, followed by a one-byte tag length, followed by a variable amount of data. The tag length does not include the tag type or tag length. All TZSP compatible decoders should skip unknown tagged fields.

* Tag Type: 1 unsigned byte
* Tag Length: 1 unsigned byte
* Tag data: dependent on Tag Length

There are two exceptions to this format. First, when a TAG_END (0x01) is received it is the end of all of the tagged fields. It DOES NOT have a tag length nor any associated data. The second is the TAG_PADDING (0x00). This can be inserted at any point and should be ignored. It DOES NOT have a tag length nor any tag data.

The following are the valid TZSP tag types:

* TAG_PADDING = 0 (0x00): This special tagged field has neither tag length nor any tag data. The receiver should ignore it. It is sometimes used to pack the frame to a word boundary.
* TAG_END = 1 (0x01): This special tagged field has neither tag length nor any tag data. This means that there are no more tags. Following this tag, until the end of the UDP packet, is the encapsulated frame. This is the only tag that is required and must be included before the encapsulated data. No variable tags can follow this one.
* TAG_RAW_RSSI = 10 (0x0A): This field contains the raw RSSI obtained from the sensor. The data is either a signed byte or signed short.
* TAG_SNR = 11 (0x0B): This field contains the raw noise obtained from the sensor. The data is either a signed byte or signed short.
* TAG_DATA_RATE = 12 (0x0C): This field contains the data rate the encapsulated packet was transmitted at. The following are valid values that can be used:
  * 2 (0x02) = 1MB/s
  * 4 (0x04) = 2MB/s
  * 11 (0x0B) = 5.5MB/s
  * 12 (0x0C) = 6MB/s
  * 18 (0x12) = 9MB/s
  * 22 (0x16) = 11MB/s
  * 24 (0x18) = 12MB/s
  * 36 (0x24) = 18MB/s
  * 44 (0x2C) = 22MB/s
  * 48 (0x30) = 24MB/s
  * 66 (0x42) = 33MB/s
  * 72 (0x48) = 36MB/s
  * 96 (0x60) = 48MB/s
  * 108 (0x6C) = 54MB/s

  The following are old constants that may be used in old Prism-based sensors. A TZSP decoder should be able to decode them but they should NOT be used in a TZSP encoder:
  * 10 (0x0A) = 1MB/s
  * 20 (0x14) = 2MB/s
  * 55 (0x37) = 5.5MB/s
  * 110 (0x6E) = 11MB/s
* TAG_TIMESTAMP = 13 (0x0D): This is the time the sensor MAC received the packet. It is a 4-byte unsigned int.
* TAG_CONTENTION_FREE = 15 (0x0F): This is used to tell if the packet was sent in a contention free period. It is a 1-byte unsigned byte.
* TAG_DECRYPTED = 16 (0x10): This is used to tell if the packet was decrypted. It is a 1-byte unsigned byte.
* TAG_FCS_ERROR = 17 (0x11): This is used to tell if the packet had a frame check sequence (FCS) error in reception. It is a 1-byte unsigned byte. A one (0x01) specifies that there was an FCS error on the decoding of the packet. A zero (0x00), or the exclusion of this field, means that there was no decoding error. All other values are reserved.
* TAG_RX_CHANNEL = 18 (0x12): This is the channel the sensor was on when it captured the packet. It is NOT the channel the packet was transmitted on. This is stored as an unsigned byte.
* TAG_PACKET_COUNT = 40 (0x28): This is a monotonically increasing packet count. It is stored as a four byte unsigned int.
* TAG_RX_FRAME_LENGTH = 41 (0x29): This is the received packet length. It is not necessarily the size of the transmitted packet, which may have been truncated. This is stored as a two byte unsigned short.
* TAG_WLAN_RADIO_HDR_SERIAL = 60 (0x3C): This is used by some sensor vendors to specify the serial number or other unique identifier for the sensor or AP that captured the packet. This is a variable length field.


Encapsulated Packet

The encapsulated packet should be stored immediately after the tagged fields. This encapsulated packet may be truncated from the original full packet size and does not need to be the same size as specified in the TAG_RX_FRAME_LENGTH field. It is assumed that the encapsulated packet takes up the entire rest of the UDP packet.
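
The framing rules above, as an added example that is not part of the original page or of any TZSP implementation: a minimal Python decoder that handles the two bare tags, skips unknown tags, and rejects datagrams whose tag length runs past the buffer or that never reach TAG_END. The split of the 4-byte header into a one-byte version, a one-byte type and a two-byte big-endian encapsulated protocol is an assumption, as are the function name and dictionary keys; SAMPLE is a constructed datagram.

```python
import struct

TAG_PADDING, TAG_END, TAG_RAW_RSSI, TAG_SNR = 0x00, 0x01, 0x0A, 0x0B
# Fixed-width unsigned tags listed on the page: type -> (name, struct format)
FIXED = {0x0D: ("timestamp", ">I"), 0x11: ("fcs_error", ">B"),
         0x12: ("rx_channel", ">B"), 0x28: ("packet_count", ">I"),
         0x29: ("rx_frame_length", ">H")}
SIGNED = {1: ">b", 2: ">h"}  # RSSI/SNR are a signed byte or a signed short

def parse_tzsp(datagram: bytes) -> dict:
    """Split one UDP payload into header fields, decoded tags and the frame."""
    if len(datagram) < 4:
        raise ValueError("shorter than the 4-byte header")
    # Assumed layout: version (1 byte), type (1 byte), protocol (2 bytes, BE)
    version, ptype, proto = struct.unpack_from(">BBH", datagram, 0)
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list ended without TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:   # bare byte, no length or data: ignore
            continue
        if tag == TAG_END:       # bare byte: everything after it is the frame
            break
        if pos >= len(datagram):
            raise ValueError(f"tag 0x{tag:02x} has no length byte")
        length = datagram[pos]
        value = datagram[pos + 1:pos + 1 + length]
        if len(value) != length:  # declared length runs past the datagram
            raise ValueError(f"tag 0x{tag:02x} overruns the datagram")
        pos += 1 + length
        if tag in (TAG_RAW_RSSI, TAG_SNR) and length in SIGNED:
            name = "raw_rssi" if tag == TAG_RAW_RSSI else "snr"
            tags[name] = struct.unpack(SIGNED[length], value)[0]
        elif tag in FIXED and struct.calcsize(FIXED[tag][1]) == length:
            tags[FIXED[tag][0]] = struct.unpack(FIXED[tag][1], value)[0]
        # Unknown tags and known tags with an unexpected length are skipped.
    return {"type": ptype, "proto": proto, "tags": tags, "frame": datagram[pos:]}

# Constructed sample: type 0, 802.11 (0x0012), padding, RSSI -60, channel 6,
# an unknown tag 0x63 with two data bytes, TAG_END, then four frame bytes.
SAMPLE = bytes.fromhex("01000012" "00" "0a01c4" "120106" "6302beef" "01" "80000000")
```
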


Open Source Support

* Snort
* Wireshark (Wireshark: Display Filter Reference: Tazmen Sniffer Protocol)

