Alina Colceriu
Ixia Senior Application Protocol Engineer

Apache ZAB—ZooKeeper Atomic Broadcast Protocol

June 15, 2016 by Alina Colceriu

What is ZooKeeper?

“ZooKeeper allows distributed processes to coordinate with each other through a shared hierarchical namespace which is organized similarly to a standard file system.” – ZooKeeper Wiki

The namespace consists of znodes, which are similar to files and directories. To get a ZooKeeper distribution, download a recent stable release from one of the Apache Download Mirrors. You can set up your ZooKeeper servers to run in cluster mode or in simple standalone mode. Once your ZooKeeper server is up and running, you can connect to it through the CLI and start running commands.

What is ZAB?

ZAB stands for ZooKeeper Atomic Broadcast, and it is the protocol used by ZooKeeper. Its goal is similar to that of other replication protocols such as Paxos and Raft. All of these protocols replicate transactions while guaranteeing consistency, which means that once a transaction is considered committed, it will never be lost as long as a majority of machines are working correctly.

We identified two types of communications related to ZooKeeper:

  1. Messages exchanged between servers (e.g., during leader election)
  2. Messages exchanged between a client and a ZooKeeper server (e.g., commands like create, modify, or delete znodes)

Ixia ATI now supports the ZAB protocol, so users can emulate the communication between a client and a ZooKeeper server.

ZAB Client Messages

A ZooKeeper client-server exchange begins with a connect request from the client, sent over a TCP connection. The client can negotiate only the Timeout value with the server. For security reasons, it has to send the password as "\x00"*16 and the session ID as 0.


The server responds with the session ID, the password, and the timeout value that the client has to follow.
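As an added illustration (not code from the original post or from Ixia's dissector), the following Python code encodes and decodes the connect exchange described above and flags whether a request opens a new session. The field layout is assumed from ZooKeeper's ConnectRequest and ConnectResponse record definitions; the function names and sample values are constructed for this example.

```python
import struct

# Assumed layout (ZooKeeper ConnectRequest/ConnectResponse records, not from the page):
# 4-byte big-endian frame length, fixed header, then password as int32 length + bytes.
REQ_HEAD = struct.Struct(">iqiq")  # protocolVersion, lastZxidSeen, timeOut, sessionId
RSP_HEAD = struct.Struct(">iiq")   # protocolVersion, timeOut, sessionId
EMPTY_PASSWD = b"\x00" * 16        # value the page gives for a new session


def _frame(body: bytes) -> bytes:
    return struct.pack(">i", len(body)) + body


def _parse(data: bytes, head: struct.Struct):
    """Validate the frame length, then return (header fields, password bytes)."""
    try:
        (length,) = struct.unpack_from(">i", data)
        if length != len(data) - 4:
            raise ValueError("frame length does not match captured bytes")
        fields = head.unpack_from(data, 4)
        (plen,) = struct.unpack_from(">i", data, 4 + head.size)
    except struct.error as exc:
        raise ValueError("truncated connect message") from exc
    start = 4 + head.size + 4
    if plen < 0 or start + plen > len(data):
        raise ValueError("password length exceeds frame")
    return fields, data[start:start + plen]


def build_connect_request(timeout_ms, session_id=0, passwd=EMPTY_PASSWD, last_zxid=0):
    body = REQ_HEAD.pack(0, last_zxid, timeout_ms, session_id)
    return _frame(body + struct.pack(">i", len(passwd)) + passwd)


def parse_connect_request(data: bytes) -> dict:
    (_, last_zxid, timeout_ms, session_id), passwd = _parse(data, REQ_HEAD)
    return {"timeout_ms": timeout_ms, "session_id": session_id, "last_zxid": last_zxid,
            "new_session": session_id == 0 and passwd == EMPTY_PASSWD}


def parse_connect_response(data: bytes) -> dict:
    (_, timeout_ms, session_id), passwd = _parse(data, RSP_HEAD)
    return {"timeout_ms": timeout_ms, "session_id": session_id, "passwd": passwd}


# Constructed sample: a server reply granting a 4000 ms timeout (all values made up).
SAMPLE_RESPONSE = _frame(RSP_HEAD.pack(0, 4000, 0x1000000000001)
                         + struct.pack(">i", 16) + bytes(range(16)))
```

A request that carries a non-zero session ID together with a non-empty password is a client reattaching to an existing session, which is the case `new_session` reports as false.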

To keep the connection alive, the client sends Ping requests, which the server answers with Ping replies containing the zxid (ZooKeeper Transaction Id) of the last committed transaction.


A client can perform the following types of operations on a znode:



Create a znode named zk_test and associate the string “my_data” to it:


See what the directory looks like:


Delete the node:


Clients can also set watches (NodeCreated, NodeDeleted, NodeDataChanged, NodeChildrenChanged). Changes to a znode trigger the watch and the ZooKeeper server sends the client a notification.

ZAB Server Messages

Each command from the client is followed by a server reply.


Also, the server can send the client notifications triggered by a watch event.


Wireshark support

Wireshark doesn’t support ZAB, but, luckily, it allows users to write their own dissectors for a specific protocol. Thus, we have implemented our very own ZAB dissector that you can find here.

Besides our Wireshark dissector, we’ve also added a ZAB signature to our ATI Processor product. This support will give you visibility into how much of your traffic is being used for ZAB and allow you to make intelligent decisions on such traffic.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.