> [!IMPORTANT]
> Wireshark version 4.1.0rc0 and newer (since August 2023) already has a Zabbix protocol dissector built in. Using the Lua scripts in this repo is thus no longer needed or useful. These scripts will not be developed any further. For any problems or feature requests with the built-in dissector, please go to the Wireshark repository on gitlab.com and open an issue there.

Experimental Wireshark dissectors for Zabbix protocol. Can be used for inspecting the Zabbix server, proxy or agent communication, especially with Zabbix 4.0 and later, where the proxy connections use compressed data.
Tested with various versions, like:
Use at your own risk.
See the commit history for the changes.

- Go to the `%APPDATA%\Wireshark` folder
- Create the `plugins` folder if it does not exist yet, and go there
- Place the `.lua` files there (alternatively you can also create a subfolder and place the files there, or clone this repo under the `plugins` folder)

You can use the provided sample capture files to test the dissectors. For the display filters:

- `zabbix or zabbixagent` to show only Zabbix protocol messages (`zabbix` is the protocol that is used with port 10051 in Zabbix, `zabbixagent` is the passive agent protocol in port 10050)
- `zabbix.agent` (or `zabbix.proxy`) to show only agent (proxy) messages
- `zabbix.agent.activechecks == 1` to show the active agents requesting for items to check for
- `zabbix.agent.data == 1` to show the active agents sending data to Zabbix server/proxy
- `zabbix.agent.name` as a column
- `zabbix.datalen` always returns the uncompressed length, regardless of compression or TCP reassembly in use or not

Add a column for `zabbix.time or zabbixagent.time` to display the time between request and response. (You can even set it to `zabbix.time or zabbixagent.time or icmp.resptime or icmpv6.resptime or http.time or dns.time` and so on to show your other response times in the same column.)

See the Zabbix protocol tree in captured packets to see other fields that are available for filtering, or go to View - Internals - Supported Protocols and filter for Zabbix to see all the registered fields. Or just enter `zabbix.` or `zabbixagent.` in the display filter and browse the list.

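How the uncompressed length behind `zabbix.datalen` can be recovered from the wire, shown as an added Python example that is not code from this repo or from Wireshark. The header layout (`ZBXD`, a flags byte, two little-endian length fields) follows the Zabbix protocol documentation; `parse_zabbix_message`, `build_message` and the 64 MiB cap are names and values assumed here.

```python
import json
import struct
import zlib

# Header flag bits as documented for the Zabbix protocol.
FLAG_PROTOCOL, FLAG_COMPRESSED, FLAG_LARGE = 0x01, 0x02, 0x04
MAX_UNCOMPRESSED = 64 * 1024 * 1024  # assumed local safety limit, not a protocol value


def parse_zabbix_message(buf: bytes) -> dict:
    """Parse one fully reassembled Zabbix message; ValueError if malformed."""
    if len(buf) < 5 or buf[:4] != b"ZBXD":
        raise ValueError("missing ZBXD signature")
    flags = buf[4]
    if not flags & FLAG_PROTOCOL:
        raise ValueError("protocol flag not set")
    # Large packets carry 8-byte little-endian lengths instead of 4-byte ones.
    fmt = "<QQ" if flags & FLAG_LARGE else "<II"
    body_start = 5 + struct.calcsize(fmt)
    if len(buf) < body_start:
        raise ValueError("truncated header")
    wire_len, reserved = struct.unpack_from(fmt, buf, 5)
    payload = buf[body_start:body_start + wire_len]
    if len(payload) != wire_len:
        raise ValueError("truncated payload, TCP reassembly incomplete")
    if flags & FLAG_COMPRESSED:
        # With compression the reserved field declares the uncompressed size;
        # cap the inflate output so a forged header cannot exhaust memory.
        if reserved > MAX_UNCOMPRESSED:
            raise ValueError("declared uncompressed length too large")
        data = zlib.decompressobj().decompress(payload, reserved + 1)
        if len(data) != reserved:
            raise ValueError("uncompressed length mismatch")
    else:
        data = payload
    return {"flags": flags, "wire_len": wire_len,
            "datalen": len(data), "json": json.loads(data)}


def build_message(obj: dict, compress: bool = False) -> bytes:
    """Build a constructed sample message (test input, not captured traffic)."""
    data = json.dumps(obj).encode()
    body = zlib.compress(data) if compress else data
    flags = FLAG_PROTOCOL | (FLAG_COMPRESSED if compress else 0)
    reserved = len(data) if compress else 0
    return b"ZBXD" + bytes([flags]) + struct.pack("<II", len(body), reserved) + body


if __name__ == "__main__":
    sample = {"request": "active checks", "host": "example-host"}  # constructed
    for compressed in (False, True):
        print(parse_zabbix_message(build_message(sample, compressed)))
```
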
TLS decryption can be used if configured properly in Wireshark and also in capturing (session keys are needed at least with TLS 1.3, see for example https://security.stackexchange.com/questions/215358/extracting-openssl-pre-master-secret-from-apache2/215397#215397). The provided TLS samples include the session keys embedded in the capture files (https://wiki.wireshark.org/TLS#Embedding_decryption_secrets_in_a_pcapng_file).
`zabbix.large.*` fields