Analyzing Zigbee Traffic: Datasets, Classification and Storage Trade-offs

TL;DR

This paper introduces a comprehensive analysis of Zigbee traffic, including a new dataset, classification challenges across configurations, and storage trade-offs, to improve IoT forensic capabilities.

Contribution

It provides the first large-scale, multi-configuration Zigbee dataset and evaluates classification robustness and storage compression techniques for traffic analysis.

Findings

High classification accuracy in controlled settings

Performance drops across different network configurations

Lossy compression reduces storage by 4-5x with minimal accuracy loss

Abstract

Zigbee is widely used in smart home environments due to its low power consumption and support for mesh networking, making it a relevant target for traffic-based IoT forensic analysis. However, existing studies often rely on limited datasets and fixed network configurations. In this paper, we analyze Zigbee network traffic from three complementary perspectives: data collection, traffic classification, and storage efficiency. We introduce ZIOTP2025, a publicly available dataset of Zigbee traffic collected from commercial smart home devices deployed under multiple network configurations and capturing realistic interaction scenarios. Using this dataset, we study two traffic classification tasks: device type classification and individual device identification, and evaluate their robustness under both intra-configuration and cross-configuration settings. Our results show that while high classification accuracy can be achieved under controlled conditions, performance degrades significantly when models are evaluated across different network configurations, particularly for fine-grained identification tasks. Finally, we investigate the trade-off between traffic storage requirements and classification accuracy. We show that lossy compression of traffic features through quantization can reduce storage requirements by approximately 4-5x compared to lossless storage of raw packet traces, while preserving near-lossless classification performance. Overall, our results highlight the need for topology-aware Zigbee traffic analysis and storage-efficient feature compression to enable robust and scalable IoT forensic systems.