IEEE 802.15.4 monitoring
Guardian Air monitors IEEE 802.15.4 radio traffic to identify Zigbee, ISA-100.11a, WirelessHART, and other low-power mesh network activity in the 2.4 GHz band.
Overview
Guardian Air uses a Nordic Semiconductor nRF module to monitor Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 radio traffic. IEEE 802.15.4 is the physical and media access control layer used by several low-power, low-data-rate wireless protocols common in operational technology (OT) and building automation environments. Guardian Air performs channel hopping across all 16 channels in the 2.4 GHz band to observe traffic and infer devices from addresses seen in captured frames. Guardian Air synchronizes the data to Vantage for analysis.
Supported protocols
Guardian Air identifies the following application-layer protocols carried over IEEE 802.15.4.
| Protocol | Description |
|---|---|
| Zigbee | A mesh networking protocol widely used in building automation, smart lighting, and Internet of Things (IoT) devices. Guardian Air parses Zigbee network layer frames to extract network addresses. Topology visibility is partial and depends on observed traffic. |
| ISA-100.11a | An industrial wireless standard used in process automation and oil and gas environments. Guardian Air uses pattern-based detection to identify ISA-100.11a frames from field devices and access points. |
| WirelessHART | An industrial wireless protocol based on the Highway Addressable Remote Transducer (HART) protocol, used in process automation environments. Guardian Air identifies WirelessHART frames and extracts node and network information. |
| 6LoWPAN | Internet Protocol version 6 over Low-Power Wireless Personal Area Networks. Used by Thread and other protocols to enable Internet Protocol (IP) connectivity on constrained devices. Guardian Air detects 6LoWPAN header compression patterns. |
What Guardian Air discovers
During IEEE 802.15.4 monitoring, Guardian Air collects the following information for each detected network and device.
| Data point | Description |
|---|---|
| Personal area network (PAN) ID | The PAN identifier that groups devices into a single wireless network. |
| Source address | The short (16-bit) or extended (64-bit) IEEE 802.15.4 address of the transmitting device. |
| Destination address | The address of the intended recipient of each frame. |
| Channel | The IEEE 802.15.4 channel (11 to 26) on which the frame was captured. |
| Frame type | The media access control (MAC) frame type: beacon, data, acknowledgement, or MAC command. |
| Security | Whether the frame has the 802.15.4 security header enabled, indicating encrypted payload. |
| Signal strength (received signal strength indicator, RSSI) | The received signal strength of the frame in dBm. |
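The following added example, which is not Guardian Air code, shows how the PAN ID, source and destination addresses, frame type, and security flag in the table above are read from the MAC header of a captured frame. It assumes frame version 0 or 1 with the frame check sequence already stripped; the function name and the sample frames are constructed for illustration.

```python
import struct

FRAME_TYPES = {0: "beacon", 1: "data", 2: "acknowledgement", 3: "MAC command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # addressing mode -> address length in bytes

# Constructed sample frames (FCS stripped), not captures from a real network.
SAMPLE_DATA = bytes.fromhex("61882a621a00003c7b")  # short -> short, no security
SAMPLE_SECURED = bytes.fromhex("49c807621affff0807060504030201")  # security bit set

def parse_mac_header(frame: bytes) -> dict:
    """Parse the MAC header of an IEEE 802.15.4 frame, frame version 0 or 1."""
    if len(frame) < 3:
        raise ValueError("shorter than frame control + sequence number")
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3
    if (fcf >> 12) & 0x3 > 1:
        raise ValueError("frame version 2 uses a different header layout")
    if 1 in (dst_mode, src_mode):
        raise ValueError("reserved addressing mode")
    off = 3

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(frame):
            raise ValueError("truncated addressing fields")
        off += n
        return frame[off - n:off]

    def addr(mode: int):
        raw = take(ADDR_LEN[mode])
        # Addresses are little-endian on air; print most significant byte first.
        return raw[::-1].hex(":") if raw else None

    dst_pan = int.from_bytes(take(2), "little") if dst_mode else None
    dst = addr(dst_mode)
    src_pan = None
    if src_mode:
        # PAN ID compression (bit 6): source PAN omitted, same as destination.
        compressed = bool(fcf & 0x40) and dst_mode
        src_pan = dst_pan if compressed else int.from_bytes(take(2), "little")
    src = addr(src_mode)
    return {"frame_type": FRAME_TYPES.get(fcf & 0x7, "reserved"),
            "security": bool(fcf & 0x08), "sequence": seq,
            "dst_pan": dst_pan, "dst": dst, "src_pan": src_pan, "src": src,
            "header_len": off}

if __name__ == "__main__":
    for sample in (SAMPLE_DATA, SAMPLE_SECURED):
        print(parse_mac_header(sample))
```

Acknowledgement frames carry no addressing fields, so a passive observer cannot attribute them to a device from the header alone.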
Channels monitored
Guardian Air hops across all 16 channels defined in the IEEE 802.15.4 2.4 GHz channel plan: channels 11 through 26. Each channel is 2 MHz wide, with 5 MHz spacing, covering the range 2405 MHz to 2480 MHz.
Hardware
IEEE 802.15.4 monitoring uses a Nordic Semiconductor nRF module connected via universal serial bus (USB), on interface tty8021540. This module is separate from the nRF module used for Bluetooth Low Energy (BLE) monitoring.