https://community.cisco.com/t5/wireless/client-packet-capture-question/m-p/2907819#M164343 <P>If your intention is to see secured SSID client <SPAN style="text-decoration: underline;"><STRONG>data</STRONG></SPAN> traffic while it goes from AP to WLC, that won't help.&nbsp;</P> <P>For a PSK secured SSID&nbsp;, you can decrypt as long as you capture full conversation including 4 way handshake. See below post on that</P> <P><A href="https://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/">https://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/</A></P> <P>If it is 802.1X SSID traffic, there is no way to decrypt &amp; see what's exactly in it.</P> <P></P> <P>Need to mention, once you capture WLC trunk port traffic you would able to see traffic goes to wired network (AP -&gt; <STRONG>WLC -&gt; Wired Network</STRONG>) from WLC, this traffic is not encrypted &amp; you would able to see that traffic.</P> <P></P> <P>HTH</P> <P>Rasika</P> <P>*** Pls rate all useful responses ***</P> Fri, 27 May 2016 19:59:06 GMT Rasika Nayanajith 2016-05-27T19:59:06Z https://community.cisco.com/t5/wireless/client-packet-capture-question/m-p/2907816#M164340 <P>If I have a client MAC address and I span WLC port and truy to capture client traffic in wireshark using client MAC will I be able to?&nbsp; Or will it only show me WLC's MAC?</P> Mon, 05 Jul 2021 12:07:54 GMT https://community.cisco.com/t5/wireless/client-packet-capture-question/m-p/2907816#M164340 ALIAOF_ 2021-07-05T12:07:54Z https://community.cisco.com/t5/wireless/client-packet-capture-question/m-p/2907817#M164341 <P>If that traffic is encrypted (eg 802.1X SSID &nbsp;or PSK) then you may not see client mac address.</P> <P>You will see AP &amp; WLC addresses in CAPWAP headers &amp; not client address. If it is open SSID traffic, you will see client address in Data section.</P> <P></P> <P>HTH</P> <P>Rasika</P> <P>*** Pls rate all useful responses ***&nbsp;</P> Thu, 26 May 2016 23:37:37 GMT https://community.cisco.com/t5/wireless/client-packet-capture-question/m-p/2907817#M164341 Rasika Nayanajith 2016-05-26T23:37:37Z https://community.cisco.com/t5/wireless/client-packet-capture-question/m-p/2907818#M164342 <P>Ah gotcha thank you for your reply.&nbsp; Would it make a difference if I trunk the port where AP is connected?&nbsp; One of my colleague was telling me that it is possible to see it by trunking the port on the AP and then spanning the WLC port.</P> <P>I'm inclined to believe we will get the same results however best way to capture client traffic would be to use some kind of WLAN packet capture or utilize the AP in sniffer mode or do a capture on the WLC itself.</P> Fri, 27 May 2016 11:48:46 GMT https://community.cisco.com/t5/wireless/client-packet-capture-question/m-p/2907818#M164342 ALIAOF_ 2016-05-27T11:48:46Z https://community.cisco.com/t5/wireless/client-packet-capture-question/m-p/2907819#M164343 <P>If your intention is to see secured SSID client <SPAN style="text-decoration: underline;"><STRONG>data</STRONG></SPAN> traffic while it goes from AP to WLC, that won't help.&nbsp;</P> <P>For a PSK secured SSID&nbsp;, you can decrypt as long as you capture full conversation including 4 way handshake. See below post on that</P> <P><A href="https://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/">https://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/</A></P> <P>If it is 802.1X SSID traffic, there is no way to decrypt &amp; see what's exactly in it.</P> <P></P> <P>Need to mention, once you capture WLC trunk port traffic you would able to see traffic goes to wired network (AP -&gt; <STRONG>WLC -&gt; Wired Network</STRONG>) from WLC, this traffic is not encrypted &amp; you would able to see that traffic.</P> <P></P> <P>HTH</P> <P>Rasika</P> <P>*** Pls rate all useful responses ***</P> Fri, 27 May 2016 19:59:06 GMT https://community.cisco.com/t5/wireless/client-packet-capture-question/m-p/2907819#M164343 Rasika Nayanajith 2016-05-27T19:59:06Z