Important
Wireshark version 4.1.0rc0 and newer (since August 2023) already has Zabbix protocol dissector built in. Using the Lua scripts in this repo are thus no more needed or useful. These scripts will not be developed any further. For any problems or feature requests with the built-in dissector please go to Wireshark repository in gitlab.com and open an issue there.
Experimental Wireshark dissectors for Zabbix protocol. Can be used for inspecting the Zabbix server, proxy or agent communication, especially with Zabbix 4.0 and later, where the proxy connections use compressed data.
- Capture the packet data (using tcpdump/tshark/Wireshark/other on the Zabbix server, proxy and/or agent, or on the firewall between the components)
- Install Wireshark
- Install these dissectors (see below)
- Open the capture file(s) in Wireshark and investigate your data
- Use display filters to your advantage (see below)
Tested with various versions, like:
- Zabbix 4.0.0, 4.0.9, 4.0.14, 4.4.4, 6.2.0, 6.4.0beta4
- Wireshark (on 64-bit Windows) 2.6.x, 3.0.2, 3.2.1, 3.6.6, 4.0.2
- (not in all combinations but to give you an idea)
Use at your own risk.
See the commit history for the changes.
- Go to
%APPDATA%\Wireshark
folder - Create
plugins
folder if it does not exist yet, and go there - Copy the
.lua
files there (alternatively you can also create a subfolder and place the files there, or clone this repo under theplugins
folder) - If Wireshark is already running, use Analyze - Reload Lua Plugins (Ctrl-Shift-L)
- Enable TCP protocol setting Allow subdissector to reassemble TCP streams to give you correct output when requests/responses do not fit in one IP packet
- Edit Zabbix protocol preferences as needed (in Preferences - Protocols, or by right-clicking in Zabbix/ZabbixAgent packets in capture window)
You can use the provided sample capture files to test the dissectors. For the display filters:
- Use
zabbix or zabbixagent
to show only Zabbix protocol messages (zabbix
is the protocol that is used with port 10051 in Zabbix,zabbixagent
is the passive agent protocol in port 10050) - Use
zabbix.agent
(orzabbix.proxy
) to show only agent (proxy) messages - Use
zabbix.agent.activechecks == 1
to show the active agents requesting for items to check for - Use
zabbix.agent.data == 1
to show the active agents sending data to Zabbix server/proxy - Try
zabbix.agent.name
as a column zabbix.datalen
always returns the uncompressed length, regardless of compression or TCP reassembly in use or not
Add a column for zabbix.time or zabbixagent.time
to display the time between
request and response. (You can even set it to
zabbix.time or zabbixagent.time or icmp.resptime or icmpv6.resptime or http.time or dns.time
and so on to show your other response times in the same column.)
See the Zabbix protocol tree in captured packets to see other fields that are
available for filtering, or go to View - Internals - Supported Protocols and
filter for Zabbix to see all the registered fields. Or just enter zabbix.
or
zabbixagent.
in the display filter and browse the list.
TLS decryption can be used if configured properly in Wireshark and also in capturing (session keys are needed at least with TLS 1.3, see for example https://security.stackexchange.com/questions/215358/extracting-openssl-pre-master-secret-from-apache2/215397#215397). The provided TLS samples include the session keys embedded in the capture files (https://wiki.wireshark.org/TLS#Embedding_decryption_secrets_in_a_pcapng_file).
- Code assumes Zabbix-generated "compact" form of JSON (no extra spaces or line feeds)
- Not all Zabbix component combinations have been tested or implemented
- Large packet support (used for multi-gigabyte proxy configurations as of 7/2022) is implemented
with separate
zabbix.large.*
fields - Lua dissector performance is not as good as in C dissectors, but is quite adequate when using moderately-sized capture files
- Wireshark can/will crash if a Lua dissector field is used in a custom column, and you reload the Lua plugins or you change to a profile using those custom fields (workaround for the latter is to select the profile before opening any capture file in Wireshark); see http://wireshark.marwan.ma/lists/wireshark-dev/201508/msg00059.html