All the information on this page is gathered from the official Zabbix documentation about the protocols and the upgrade notes. I’m using this information to assist with the Zabbix protocol dissector development in Wireshark, thus not all possible protocol change details will be documented here but mostly only those that affect the dissector.
Server-proxy data exchange protocol with passive proxy
| New in Zabbix version | Changes |
|---|---|
| 6.4 | ◾ The “proxy config” request flow was rewritten to support incremental configuration updates |
| 5.4 | ◾ “proxy data” request was changed to contain interface availability data instead of host availability data |
| 4.0 | ◾ Server-proxy connection is now compressed ◾ “ proxy data” request was changed to have a data session token “session“ |
| 3.4 | ◾ Separate “host availability“, “history data“, “discovery data” and “auto registration” requests were replaced by single “proxy data” request that also contains “version” field for proxy version |
| Older versions | No public documentation available |
Server-proxy data exchange protocol with active proxy
| New in Zabbix version | Changes |
|---|---|
| 6.4 | ◾ “proxy heartbeat” message was removed◾ “ session” and “config_revision” fields were added in the “proxy config” request to support incremental configuration updates |
| 5.4 | ◾ “proxy data” request was changed to contain interface availability data instead of host availability data |
| 5.0 | ◾ “upload” field was added in the “proxy data” response from server (it was not present in 5.2 documentation but again present in 5.4, I’ll assume that is a typo) |
| 4.0 | ◾ Server-proxy connection is now compressed ◾ “ proxy data” request was changed to have a data session token “session“ |
| 3.4 | ◾ “version” field was added in “proxy heartbeat” request◾ Separate “ host availability“, “history data“, “discovery data” and “auto registration” requests were replaced by single “proxy data” request that also contains “version” field for proxy version |
| Older versions | No public documentation available |
Zabbix protocol header
| Zabbix versions | Header structure |
|---|---|
| 4.0 and newer | Protocol “ZBXD” (4 bytes) Flags (1 byte): ◾ 0x01 = Zabbix communications protocol ◾ 0x02 = compression ◾ 0x04 = large packet Data length (4 bytes, or 8 bytes if large packet) Reserved (4 bytes, or 8 bytes if large packet) Total: 13 bytes (or 21 bytes if large packet) |
| Up to and including 3.4 | Header “ZBXD\x01” (5 bytes) Data length (8 bytes) Total: 13 bytes |
Note that the pre-4.0 protocol header is actually compatible with the later specification because the fifth byte is always 0x01 (like the “Zabbix communications protocol” flag in the newer versions), and the last 4 bytes of the 8-byte length field are zero.
Zabbix agent protocol syntax with passive agent
| Zabbix versions | Request/response format |
|---|---|
| 4.0 and newer | Server/proxy request: <Zabbix header><item key>\nAgent response: <Zabbix header><response data>[\0<error message>](where [] part is present only when error occurred) |
| 2.4 – 3.4 | Server/proxy request: <item key>\nAgent response: <Zabbix header><response data>[\0<error message>](where [] part is present only when error occurred) |
| Up to and including 2.2 | Server/proxy request: <item key>\nAgent response: <Zabbix header><response data> |
Zabbix agent protocol syntax with active agent
| Zabbix versions | Request/response format |
|---|---|
| 6.2 and newer | Agent request: <Zabbix header><request contents as JSON>(with the “ request” field set as “active checks“, “agent data” or “active check heartbeat“)Server/proxy response: <Zabbix header><response contents as JSON>(with the “ response” field set as “success” or “failed“) |
| Up to and including 6.0 | Agent request: <Zabbix header><request contents as JSON>(with the “ request” field set as “active checks” or “agent data“)Server/proxy response: <Zabbix header><response contents as JSON>(with the “ response” field set as “success” or “failed“) |
Zabbix sender/trapper protocol syntax
| Zabbix versions | Request/response format |
|---|---|
| All documented Zabbix versions | Sender request: <Zabbix header><request contents as JSON>(with the “ request” field set as “sender data“)Server/proxy response: <Zabbix header><response contents as JSON>(with the “ response” field set as “success” or “failed“) |