TZSP

TaZman Sniffer Protocol (TZSP) is an encapsulation protocol used to wrap other protocols. It is commonly used to wrap 802.11 wireless packets to support Intrusion Detection Systems (IDS), wireless tracking, or other wireless applications.

Protocol Summary

A number of 802.11 sensors and Access Points use the TZSP protocol for packet capture. It is an open protocol that was designed to encapsulate other protocols over UDP. The primary use for this protocol has been the capture of wireless traffic and transmission of them over a wired network.

Protocol Header

The protocol specified three parts to each TZSP packet: A 4-byte header followed by one or more tagged fields, the last of which has to be the TAG_END(0x01), and finally the encapsulated data.

Version

The TZSP version should always be set to 1 (0x01).

Type

0 (0x00) Received tag list 1 (0x01) Packet for transmit 2 (0x02) Reserved 3 (0x03) Configuration 4 (0x04) Keepalive 5 (0x05) Port opener

Encapsulated Protocol

1 (0x01) Ethernet 18 (0x12) IEEE 802.11 119 (0x77) Prism Header 127 (0x7F) WLAN AVS

Tagged Fields

The tagged fields consist of a one-byte tag type, followed by a one-byte tag length, followed by a variable amount of data. The tag length does not include the tag type or tag length. All TZSP compatible decoders should skip unknown tagged fields.

<1 unsigned byte > Tag Type <1 unsigned byte > Tag Length Dependent on Tag Length

There are two exceptions to this format. First, when a TAG_END (0x01) is received it is the end of all of the tagged fields. It DOES NOT have a Tag length nor any associated data. The second is the TAG_PADDING (0x00). This can be inserted at any point and should be ignored. It DOES NOT have a tag length nor any tag data.

The following are the valid TZSP tag types:

TAG_PADDING = 0 (0x00)

This special tagged field has neither tag length nor any tag data. The receiver should ignore it. It is sometimes used to pack the frame to a word boundary.

TAG_END = 1 (0x01)

This special tagged field has neither tag length nor any tag data. This means that there are no more tags. Following this tag, until the end of the UDP packet, is the encapsulated frame. This is the only tag that is required and must be included before the encapsulated data. No variable tags can follow this one.

TAG_RAW_RSSI = 10 (0x0A)

This field contains the raw RSSI obtained from the sensor. The data is either a signed byte or signed short.

TAG_SNR = 11 (0x0B)

This field contains the raw noise obtained from the sensor. The data is either a signed byte or signed short.

TAG_DATA_RATE = 12 (0x0C)

This field contains the data rate the encapsulated packet was transmitted at.

The following are valid values that can be used:

2 (0x02) = 1MB/s 4 (0x04) = 2MB/s 11 (0x0B) = 5.5MB/s 12 (0x0C) = 6MB/s 18 (0x12) = 9MB/s 22 (0x16) = 11MB/s 24 (0x18) = 12MB/s 36 (0x24) = 18MB/s 44 (0x2C) = 22MB/s 48 (0x30) = 24MB/s 66 (0x42) = 33MB/s 72 (0x48) = 36MB/s 96 (0x60) = 48MB/s 108 (0x6C) = 54MB/s

The following are old constants that may be used in old Prism-based sensors. A TZSP decoder should be able to be decoded them but should NOT used in a TZSP encoder:

10 (0x0A) = 1MB/s 20 (0x14) = 2MB/s 55 (0x37) = 5.5MB/s 110 (0x6E) = 11MB/s

TAG_TIMESTAMP = 13 (0x0D)

This is the time the sensor MAC received the packet. It is a 4-byte unsigned int.

TAG_CONTENTION_FREE = 15 (0x0F)

This is used to tell if the packet was sent in a contention free period. It is a 1-byte unsigned byte.

TAG_DECRYPTED = 16 (0x10)

This used to tell if the packet was decrypted. It is a 1-byte unsigned byte.

TAG_FCS_ERROR = 17 (0x11)

This is used to tell if the packet had an Frame Check Sequence(FCS) error in reception. It is a 1-byte unsigned byte. A one (0x01) specifies that there was an FCS error on the decoding of the packet. A zero (0x00), or the exclusion of this field means that there was no decoding error. All other values are reserved.

TAG_RX_CHANNEL = 18 (0x12)

This is the channel that that the sensor was on when it captured the packet. It is NOT the channel that the packet was transmitted on. This is stored as an unsigned byte.

TAG_PACKET_COUNT = 40 (0x28)

This is a monotonically increasing packet count. It is stored as a four byte unsigned int.

TAG_RX_FRAME_LENGTH = 41 (0x29)

This is the received packet length. It is not necessarily the size of retransmitted packet, which may have been truncated. This is stored as a two byte unsigned short.

TAG_WLAN_RADIO_HDR_SERIAL = 60 (0x3C)

This is used by some sensor vendors to specify the serial number or other unique identifier for the sensor or AP that captured the packet. The is a variable length field.

Encapsulated Packet

The encapsulated packet should be stored immediately after the tagged fields. This encapsulated packet may be truncated from the original full packet size and does not need to be the same size as specified in the TAG_RX_FRAME_LENGTH field It is assume that the encapsulated packet takes up the entire rest of the UDP packet.

Open Source Support

* Snort
* Wireshark [ [http://www.wireshark.org/docs/dfref/t/tzsp.html Wireshark: Display Filter Reference: Tazmen Sniffer Protocol ] ]

References