Change History for Zabbix Protocols

All the information on this page is gathered from the official Zabbix documentation about the protocols and the upgrade notes. I’m using this information to assist with the Zabbix protocol dissector development in Wireshark, thus not all possible protocol change details will be documented here but mostly only those that affect the dissector.

Version history:

  • 2024-06-04: Added changes in Zabbix 7.0

Server-proxy data exchange protocol with passive proxy

New in Zabbix versionChanges
6.4◾ The “proxy config” request flow was rewritten to support incremental configuration updates
5.4◾ “proxy data” request was changed to contain interface availability data instead of host availability data
4.0◾ Server-proxy connection is now compressed
◾ “proxy data” request was changed to have a data session token “session
3.4◾ Separate “host availability“, “history data“, “discovery data” and “auto registration” requests were replaced by single “proxy data” request that also contains “version” field for proxy version
Older versionsNo public documentation available

Server-proxy data exchange protocol with active proxy

New in Zabbix versionChanges
6.4◾ “proxy heartbeat” message was removed
◾ “session” and “config_revision” fields were added in the “proxy config” request to support incremental configuration updates
5.4◾ “proxy data” request was changed to contain interface availability data instead of host availability data
5.0◾ “upload” field was added in the “proxy data” response from server (it was not present in 5.2 documentation but again present in 5.4, I’ll assume that is a typo)
4.0◾ Server-proxy connection is now compressed
◾ “proxy data” request was changed to have a data session token “session
3.4◾ “version” field was added in “proxy heartbeat” request
◾ Separate “host availability“, “history data“, “discovery data” and “auto registration” requests were replaced by single “proxy data” request that also contains “version” field for proxy version
Older versionsNo public documentation available

Zabbix protocol header

Zabbix versionHeader structure
4.0 and newerProtocol “ZBXD” (4 bytes)
Flags (1 byte):
◾ 0x01 = Zabbix communications protocol
◾ 0x02 = compression
◾ 0x04 = large packet
Data length (4 bytes, or 8 bytes if large packet)
Reserved (4 bytes, or 8 bytes if large packet)
Total: 13 bytes (or 21 bytes if large packet)
Up to and including 3.4Header “ZBXD\x01” (5 bytes)
Data length (8 bytes)
Total: 13 bytes

Note that the pre-4.0 protocol header is actually compatible with the later specification because the fifth byte is always 0x01 (like the “Zabbix communications protocol” flag in the newer versions), and the last 4 bytes of the 8-byte length field are zero.

Zabbix agent protocol syntax with passive agent

New in Zabbix versionRequest/response format
7.0Server/proxy request: <Zabbix header><request contents as JSON>
(with the “request” field set as “passive checks“)
Agent response: <Zabbix header><response contents as JSON> (where the response has “version” and “data” fields)
Note: There is fallback mechanism in the server/proxy: If the (pre-7.0) agent returns “ZBX_NOTSUPPORTED” response, server/proxy reverts to pre-7.0 protocol for an hour.
4.0Server/proxy request: <Zabbix header><item key>\n
Agent response: <Zabbix header><response data>[\0<error message>]
(where [] part is present only when error occurred)
2.4Server/proxy request: <item key>\n
Agent response: <Zabbix header><response data>[\0<error message>]
(where [] part is present only when error occurred)
Up to and including 2.2Server/proxy request: <item key>\n
Agent response: <Zabbix header><response data>

Zabbix agent protocol syntax with active agent

New in Zabbix versionRequest/response format
7.0◾ “key_orig” field was removed from the active checks response items
◾ “commands” array and “timeout” fields were added in the active checks responses
◾ “commands” array and “host“, “version” and “variant” fields were added in the agent data requests
◾ “version” and “variant” fields were added in the agent heartbeat requests
◾ “redirect” response was added in the protocol (currently undocumented as of 7.0.0)
6.2◾ “active check heartbeat” request was added
Up to and including 6.0Agent request: <Zabbix header><request contents as JSON>
(with the “request” field set as “active checks” or “agent data“)
Server/proxy response: <Zabbix header><response contents as JSON>
(with the “response” field set as “success” or “failed“)

Zabbix sender/trapper protocol syntax

New in Zabbix versionRequest/response format
5.0◾ “data” array items added “ns” field (when also “clock” is used)
Up to and including 4.4Sender request: <Zabbix header><request contents as JSON>
(with the “request” field set as “sender data” and “data” array set with the data)
Server/proxy response: <Zabbix header><response contents as JSON>
(with the “response” field set as “success” or “failed“)
Updated: June 4, 2024 — 21:25

Leave a Reply