Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark can be used to decode ZigBee traffic dump prodiced by ZBOSS stack. MAC traffic dump.

Wireshark also can be used with DSR sniffer tool - see http://zboss.dsr-wireless.com/projects/zboss/wiki/ZBOSS_Sniffer.

Use fresh enough Wireshark to decode traffic dump produced by ZBOSS. Get Wireshark from https://www.wireshark.org/#download.

Run Wireshark.

Typical command line to run wireshark is:

wireshark aaa.pcap

Security keys.

Wireshark sniffer can decrypt packets. Also Wireshark can load key from Transport key command, but keys are not always sent by Transport key command. For correct decrypt need to add key to wireshark.

go to Edit->Preferences->Protocols->ZigBee NWK, set:
Security level - AES-128 encryption, 32-bit protection
Pre-configured keys - add all debug program used keys (note that key is reverted!).

Ad there APS keys as well.