topic Re: AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol" in Wireless

AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

ahk000002 — Mon, 05 Jul 2021 15:43:47 GMT

HI everyone

I am trying to sniff 802.11 frames using a 1702i Access Point joined to my controller.

I followed the guide here: https://supportforums.cisco.com/t5/wireless-mobility-documents/collecting-a-wireless-sniffer-trace-using-the-cisco-lightweight/ta-p/3120458

I am using Wireshark.

The output I am receiving on my PC running Wireshark is not shown as intended. It appears to be fragmented. Then I decided to put the WLC, AP (in sniffer-mode) and the PC running Wireshark in the same layer 2, just to make sure my firewall did not fragment the packets, but my Wireshark still shows the packets as "IP Fragmented IP Protocol" UDP/17.

The WLC is running 8.5.120.0 and my Wireshark version is 2.6.1.

I am not using a capture filter.

Please see attached screenshot and drawing of my network.

Regards A

Re: AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

Scott Fella — Tue, 12 Jun 2018 14:13:21 GMT

You should use a capture filter for udp 5555 source and udp 5000 as the host. Or else you will see the fragment. Then you can use the display filters to look at only what you want to see.

Re: AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

ahk000002 — Tue, 12 Jun 2018 14:20:04 GMT

Hi Scott

Thanks for the quick reply! I am trying the capture filter "udp port 5555", but this filter does not show any packages at all.

I see attached screenshot.

Any advise?

Regards

Re: AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

patoberli — Wed, 13 Jun 2018 08:57:13 GMT

Can you show a screenshot with the capture filter disabled? Just to see how the packets look that you are receiving.
You capture on a wired interface on the computer, right?

Re: AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

ahk000002 — Wed, 13 Jun 2018 09:32:07 GMT

Hi Patoberli!

Thank you for taking your time to help 🙂

Yes I am capturing on the wired port on my PC.

See attached screenshot. The packets are just regular IP packets like I would except to see under normal circumstances if I just starts to capture traffic on my wired port.

In the meantime I tried using another 1700 series AP as my sniffer and another laptop as well. It is, sadly, still the issue persists. The packets from the WLC to my client is these wired "UDP/17 - Fragmented IP protocol" packets.

Re: AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

patoberli — Wed, 13 Jun 2018 09:36:49 GMT

Ok, your capture-snip.png looks good, that's the way it should look, if the decoding is not correctly configured.
If you right click one of those packets and select Decode as -> Transport -> Peekremote, how does it look?

Re: AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

patoberli — Wed, 13 Jun 2018 09:50:08 GMT

This is how it should look:

[cid:image001.png@01D4030B.267BACF0]

Only mind the top line.

In case the picture doesn't show, here once again.

Re: AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

ahk000002 — Thu, 14 Jun 2018 07:22:14 GMT

Hi again!

I managed to solve the issue. Apparently Symantec Endpoint Protection was messing up the packets. The AV is running a local IPS system on the host computers. It is setup under "Network and Host Exploit Mitigation Settings" of your client/server preference.

As soon as I disabled Symantec the packets were no longer fragmented.

Thank you everyone for your inputs and helpful comments!

Regards A