All the information on this page is gathered from the official Zabbix documentation about the protocols and the upgrade notes. I’m using this information to assist with the Zabbix protocol dissector development in Wireshark, thus not all possible protocol change details will be documented here but mostly only those that affect the dissector.
Version history:
- 2024-06-04: Added the changes in Zabbix 7.0
- 2024-07-17: Added “
proxy tasks” request for passive proxy in Zabbix 3.4+
Server-proxy data exchange protocol with passive proxy
| New in Zabbix version | Changes |
|---|---|
| 6.4 | ◾ The “proxy config” request flow was rewritten to support incremental configuration updates |
| 5.4 | ◾ “proxy data” request was changed to contain interface availability data instead of host availability data |
| 4.0 | ◾ Server-proxy connection is now compressed ◾ “ proxy data” request was changed to have a data session token “session“ |
| 3.4 | ◾ Separate “host availability“, “history data“, “discovery data” and “auto registration” requests were replaced by single “proxy data” request that also contains “version” field for proxy version◾ “ proxy tasks” request was added (undocumented until 2024) |
| Older versions | No public documentation available |
Server-proxy data exchange protocol with active proxy
| New in Zabbix version | Changes |
|---|---|
| 6.4 | ◾ “proxy heartbeat” message was removed◾ “ session” and “config_revision” fields were added in the “proxy config” request to support incremental configuration updates |
| 5.4 | ◾ “proxy data” request was changed to contain interface availability data instead of host availability data |
| 5.0 | ◾ “upload” field was added in the “proxy data” response from server (it was not present in 5.2 documentation but again present in 5.4, I’ll assume that is a typo) |
| 4.0 | ◾ Server-proxy connection is now compressed ◾ “ proxy data” request was changed to have a data session token “session“ |
| 3.4 | ◾ “version” field was added in “proxy heartbeat” request◾ Separate “ host availability“, “history data“, “discovery data” and “auto registration” requests were replaced by single “proxy data” request that also contains “version” field for proxy version |
| Older versions | No public documentation available |
Zabbix protocol header
| Zabbix version | Header structure |
|---|---|
| 4.0 and newer | Protocol “ZBXD” (4 bytes) Flags (1 byte): ◾ 0x01 = Zabbix communications protocol ◾ 0x02 = compression ◾ 0x04 = large packet Data length (4 bytes, or 8 bytes if large packet) Reserved, or the original data length if compression was used (4 bytes, or 8 bytes if large packet) Total: 13 bytes (or 21 bytes if large packet) |
| Up to and including 3.4 | Header “ZBXD\x01” (5 bytes) Data length (8 bytes) Total: 13 bytes |
Note that the pre-4.0 protocol header is actually compatible with the later specification because the fifth byte is always 0x01 (like the “Zabbix communications protocol” flag in the newer versions), and the last 4 bytes of the 8-byte length field are zero.
Zabbix agent protocol syntax with passive agent
| New in Zabbix version | Request/response format |
|---|---|
| 7.0 | Server/proxy request: <Zabbix header>(with the “Agent response: <Zabbix header> (where the response has “version” and “data” fields)Note: There is fallback mechanism in the server/proxy: If the (pre-7.0) agent returns “ZBX_NOTSUPPORTED” response, server/proxy reverts to pre-7.0 protocol for an hour. |
| 4.0 | Server/proxy request: <Zabbix header><item key>\nAgent response: <Zabbix header><response data>[\0<error message>](where [] part is present only when error occurred) |
| 2.4 | Server/proxy request: <item key>\nAgent response: <Zabbix header><response data>[\0<error message>](where [] part is present only when error occurred) |
| Up to and including 2.2 | Server/proxy request: <item key>\nAgent response: <Zabbix header><response data> |
Zabbix agent protocol syntax with active agent
| New in Zabbix version | Request/response format |
|---|---|
| 7.0 | ◾ “key_orig” field was removed from the active checks response items◾ “ commands” array and “timeout” fields were added in the active checks responses◾ “ commands” array and “host“, “version” and “variant” fields were added in the agent data requests◾ “ version” and “variant” fields were added in the agent heartbeat requests◾ “ redirect” response was added in the protocol (currently undocumented as of 7.0.0) |
| 6.2 | ◾ “active check heartbeat” request was added |
| Up to and including 6.0 | Agent request: <Zabbix header><request contents as JSON>(with the “ request” field set as “active checks” or “agent data“)Server/proxy response: <Zabbix header><response contents as JSON>(with the “ response” field set as “success” or “failed“) |
Zabbix sender/trapper protocol syntax
| New in Zabbix version | Request/response format |
|---|---|
| 5.0 | ◾ “data” array items added “ns” field (when also “clock” is used) |
| Up to and including 4.4 | Sender request: <Zabbix header><request contents as JSON>(with the “ request” field set as “sender data” and “data” array set with the data)Server/proxy response: <Zabbix header><response contents as JSON>(with the “ response” field set as “success” or “failed“) |