TZSP

TaZmen Sniffer Protocol (TZSP) is an encapsulation protocol used to wrap other protocols. It is commonly used to wrap 802.11 wireless packets to support Intrusion Detection Systems (IDS), wireless tracking, or other wireless applications.

Protocol Summary

A number of 802.11 sensors and Access Points use the TZSP protocol for packet capture. It is an open protocol that was designed to encapsulate other protocols over UDP. The primary use for this protocol has been the capture of wireless traffic and transmission of them over a wired network.

Protocol Header

The protocol specifies three parts to each TZSP packet: a 4-byte header, followed by one or more tagged fields, the last of which must be TAG_END (0x01), and finally the encapsulated data.

The header and tagged fields use big-endian ordering where appropriate.

Header
  Version                 (1 unsigned byte)
  Type                    (1 unsigned byte)
  Encapsulated protocol   (1 unsigned short)
Tagged Fields
  Tagged Fields           (variable length)
  Tag field end           (1 unsigned byte)
Encapsulated packet
  Encapsulated packet     (variable length)

Version

The TZSP version should always be set to 1 (0x01).

Type

0 (0x00)  Received tag list
1 (0x01)  Packet for transmit
2 (0x02)  Reserved
3 (0x03)  Configuration
4 (0x04)  Keepalive
5 (0x05)  Port opener

Encapsulated Protocol

  1 (0x01)  Ethernet
 18 (0x12)  IEEE 802.11
119 (0x77)  Prism Header
127 (0x7F)  WLAN AVS

Tagged Fields

The tagged fields consist of a one-byte tag type, followed by a one-byte tag length, followed by a variable amount of data. The tag length does not include the tag type or tag length. All TZSP compatible decoders should skip unknown tagged fields.

Tag Type     (1 unsigned byte)
Tag Length   (1 unsigned byte)
Data         (variable length, dependent on Tag Length)

There are two exceptions to this format. First, when a TAG_END (0x01) is received it is the end of all of the tagged fields. It DOES NOT have a Tag length nor any associated data. The second is the TAG_PADDING (0x00). This can be inserted at any point and should be ignored. It DOES NOT have a tag length nor any tag data.

The following are the valid TZSP tag types:

TAG_PADDING = 0 (0x00)

This special tagged field has neither tag length nor any tag data. The receiver should ignore it. It is sometimes used to pack the frame to a word boundary.

TAG_END = 1 (0x01)

This special tagged field has neither tag length nor any tag data. This means that there are no more tags. Following this tag, until the end of the UDP packet, is the encapsulated frame. This is the only tag that is required and must be included before the encapsulated data. No variable tags can follow this one.

TAG_RAW_RSSI = 10 (0x0A)

This field contains the raw RSSI obtained from the sensor. The data is either a signed byte or signed short.

TAG_SNR = 11 (0x0B)

This field contains the raw noise obtained from the sensor. The data is either a signed byte or signed short.

TAG_DATA_RATE = 12 (0x0C)

This field contains the data rate the encapsulated packet was transmitted at.

The following are valid values that can be used:

  2 (0x02) = 1MB/s
  4 (0x04) = 2MB/s
 11 (0x0B) = 5.5MB/s
 12 (0x0C) = 6MB/s
 18 (0x12) = 9MB/s
 22 (0x16) = 11MB/s
 24 (0x18) = 12MB/s
 36 (0x24) = 18MB/s
 44 (0x2C) = 22MB/s
 48 (0x30) = 24MB/s
 66 (0x42) = 33MB/s
 72 (0x48) = 36MB/s
 96 (0x60) = 48MB/s
108 (0x6C) = 54MB/s

The following are old constants that may be used in old Prism-based sensors. A TZSP decoder should be able to decode them but they should NOT be used in a TZSP encoder:

 10 (0x0A) = 1MB/s
 20 (0x14) = 2MB/s
 55 (0x37) = 5.5MB/s
110 (0x6E) = 11MB/s

TAG_TIMESTAMP = 13 (0x0D)

This is the time the sensor MAC received the packet. It is a 4-byte unsigned int.

TAG_CONTENTION_FREE = 15 (0x0F)

This is used to tell if the packet was sent in a contention free period. It is a 1-byte unsigned byte.

TAG_DECRYPTED = 16 (0x10)

This is used to tell if the packet was decrypted. It is a 1-byte unsigned byte.

TAG_FCS_ERROR = 17 (0x11)

This is used to tell if the packet had a frame check sequence (FCS) error in reception. It is a 1-byte unsigned byte. A one (0x01) specifies that there was an FCS error on the decoding of the packet. A zero (0x00), or the exclusion of this field means that there was no decoding error. All other values are reserved.

TAG_RX_CHANNEL = 18 (0x12)

This is the channel the sensor was on when it captured the packet. It is NOT the channel the packet was transmitted on. This is stored as an unsigned byte.

TAG_PACKET_COUNT = 40 (0x28)

This is a monotonically increasing packet count. It is stored as a four byte unsigned int.

TAG_RX_FRAME_LENGTH = 41 (0x29)

This is the received packet length. It is not necessarily the size of the transmitted packet, which may have been truncated. This is stored as a two byte unsigned short.

TAG_WLAN_RADIO_HDR_SERIAL = 60 (0x3C)

This is used by some sensor vendors to specify the serial number or other unique identifier for the sensor or AP that captured the packet. This is a variable length field.

Encapsulated Packet

The encapsulated packet should be stored immediately after the tagged fields. This encapsulated packet may be truncated from the original full packet size and does not need to be the same size as specified in the TAG_RX_FRAME_LENGTH field. It is assumed that the encapsulated packet takes up the entire rest of the UDP packet.
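As an added example (not code from the page or from any TZSP implementation), the following Python decoder applies the header and tagged-field layout described above: it honours TAG_PADDING and TAG_END, bounds-checks every tag length against the datagram so a hostile sensor cannot make the decoder read past the buffer, skips unknown tags as the protocol requires, and accepts the legacy Prism data-rate codes. The sample datagram is constructed for this example.

```python
import struct

TAG_PADDING, TAG_END, TAG_RAW_RSSI, TAG_SNR = 0x00, 0x01, 0x0A, 0x0B
TAG_DATA_RATE, TAG_FCS_ERROR, TAG_RX_CHANNEL, TAG_RX_FRAME_LENGTH = 0x0C, 0x11, 0x12, 0x29

# Data-rate codes in Mbit/s: current values plus the legacy Prism codes, which a
# decoder must accept even though an encoder must never emit them.
DATA_RATES = {2: 1, 4: 2, 11: 5.5, 12: 6, 18: 9, 22: 11, 24: 12, 36: 18, 44: 22,
              48: 24, 66: 33, 72: 36, 96: 48, 108: 54, 10: 1, 20: 2, 55: 5.5, 110: 11}

def parse_tzsp(buf):
    """Decode one TZSP datagram into (type, encap_proto, tags, payload); ValueError if malformed."""
    if len(buf) < 4:
        raise ValueError("short TZSP header")
    version, ptype, encap = struct.unpack(">BBH", buf[:4])   # big-endian header
    if version != 1:
        raise ValueError("unsupported TZSP version %d" % version)
    tags, i = {}, 4
    while True:
        if i >= len(buf):                 # TAG_END is mandatory; never run off the end
            raise ValueError("no TAG_END before end of datagram")
        tag = buf[i]; i += 1
        if tag == TAG_PADDING:            # no length byte, no data: ignore
            continue
        if tag == TAG_END:                # no length byte, no data: payload follows
            break
        if i >= len(buf):
            raise ValueError("tag 0x%02x has no length byte" % tag)
        length = buf[i]; i += 1
        data = buf[i:i + length]
        if len(data) != length:           # sender-controlled length must not overrun the buffer
            raise ValueError("tag 0x%02x length %d overruns datagram" % (tag, length))
        i += length
        if tag in (TAG_RAW_RSSI, TAG_SNR) and length in (1, 2):   # signed byte or signed short
            tags[tag] = struct.unpack(">b" if length == 1 else ">h", data)[0]
        elif tag == TAG_DATA_RATE and length == 1:
            tags[tag] = DATA_RATES.get(data[0])                    # None for an unknown code
        elif tag == TAG_RX_FRAME_LENGTH and length == 2:
            tags[tag] = struct.unpack(">H", data)[0]
        elif tag in (TAG_FCS_ERROR, TAG_RX_CHANNEL) and length == 1:
            tags[tag] = data[0]
        # Anything else (unknown tag, or a known tag with an unexpected length) is skipped.
    return ptype, encap, tags, buf[i:]

# Constructed sample datagram (not a real capture): v1, type 0, 802.11 (0x12), padding,
# RSSI -60 (signed byte), legacy rate code 110, an unknown 2-byte tag 0x7E, FCS_ERROR=1,
# TAG_END, then a 4-byte stand-in for the encapsulated 802.11 frame.
SAMPLE = bytes([1, 0, 0x00, 0x12, 0x00, 0x0A, 1, 0xC4, 0x0C, 1, 110,
                0x7E, 2, 0xAA, 0xBB, 0x11, 1, 1, 0x01, 0x80, 0x00, 0x00, 0x00])
```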

Open Source Support
