Ubiqua decodes all protocols used by Thread such as IEEE 802.15.4-2006, 6LowPAN, UDP, DTLS, CoAP, DHCPv6 and MLE. To easily distinguish between protocols, each of them has a different color (see Traffic View).
Ubiqua can decrypt Thread packets that use IEEE 802.15.4 2006 security (MAC Layer) and MLE encryption.
There are three types of keys used by Ubiqua, Thread Master Key, MLE key and MAC key to decode Thread packets. With the keychain used to storage all keys, a Thread Master Key can be used to derive a MLE or MAC key, and if the decrypting process is successful the MLE and MAC keys will also be stored on the keychain.
Thread uses a lot of network data information to manage the generation of the ipv6 addresses and to identify the devices into the networks that work as border routers, commissioners or collapsed devices. Ubiqua collects this network data to generate IPv6 networks addresses (stateful using 6lowpan context id and stateless), etc. this information is displayed in the Graphic View.
Ubiqua is capable to show the topology by partition ID used in Thread. If a capture has several partitions into the same PAN ID and channel, Ubiqua arranges the partitions by order of creation. The image below shows a topology formed by 3 different partitions.
Ubiqua's Thread support adds a tab in the Packet View called "Decompressed". This tab shows the decompressed IP Header (from 6lowpan layer).
In Thread a specific node's behavior is very dynamic and the data of several packets needs to be analyzed to show the topology, addressing, security and behavior context. Ubiqua's Thread Packet View implements more than just a simple decoder by also showing information derived from previous packets to help engineers to easily analyze the capture.
Some times you start a capture after the encryption Keys have been exchanged, and although Ubiqua performs a fair job in trying to get them for you, some times the traffic does no allow for it. In these cases you can make use of the "Generate" feature as follows: First click theTools-> Options Menu, to show then Options window , select the "Security" Icon and then the "Keychain" tab. From the right side of the Keychain tab a column with 5 buttons will appear, click the "Generate" button to show the "Generate Keys" window. Input the known values for the "Thread Master Key", "Sequence Counter" and "SC Message" fields and finally click the "Generate Keys" button. You will see the 2 new keys in the output section ("IEEE 802.15.4 2006 Key" and the "Thread Network Key"). To save the Keys in the Keychain click the "Add Generated Keys" button or click "Cancel" to close the Generate Keys Window.
6LowPan packets contain UDP ports that indicate how to decode the payload, Ubiqua knows how to decode a handful of UDP ports either as MLE, COAP, DTLS or another custom application protocol. However there could be some UDP ports that are application-defined to decode as COAP or DTLS and Ubiqua does not decode as such. For these cases, there is a COAP/DTLS custom UDP port feature in Options where the user can tell Ubiqua to treat a specific UDP of a 6LowPAN as either COAP or DTLS. To add the COAP/DTLS port number to your ‘Custom COAP Ports’ list. Click the Tools > Options menu item and then select the Protocols tab, in the tab body click the Thread expander, following this action you will be presented with the ‘Custom COAP Ports’ and the ‘Custom DTLS Ports’ columns, in both of them you will see a list of the default ports already handled by Ubiqua, these are composed by the port number followed by a ‘(Fixed)’ postfix tag, the ports added by the user just show the port number. You can add and delete COAP and DTLS ports, note that the default ports cannot be deleted. Once you have added a port to one of the 2 lists, this won't be able to be added to the other list, to do so you have to delete it from the list where it is, and then add it to the other list. Please note that if a packet is already decoded in Traffic View, you will not see the changes until the packet is re-decoded again, clicking on the packet in Traffic View or reloading the entire capture is the easiest way to re-decode it.
The COAP payload data can be decoded and displayed in the Packet View in CBOR, JSON, XML or TEXT format. After the packet is decoded and shown in the Traffic View, click on a Thread packet and see its information in the Packet View, a third tab with the ‘COAP Payload Viewer’ label will be added to the window, click on this tab and you will be able to see the Payload body message in formats like CBOR, JSON, XML or TEXT. At the bottom right of the window there is a dropdown menu with a list of formats in which you can display your payload, you can change the format of the content message selecting the different options of the dropdown menu. For CBOR data, if the message cannot be decoded in that format an error message will be displayed.