Rising star

How to use wireshark to decode WLC Packet capture

Hello,

I am using the WLC packet capture feature (refer to the link below) to capture the traffic from a client.

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01101111.html

My setup is as below.

(Cisco Controller) >show ap packet-dump status

Packet Capture Status............................ Stopped
FTP Server IP Address............................ x.x.x.x
FTP Server Path.................................. \
FTP Server Username.............................. xxxxxx
FTP Server Password.............................. ********
Buffer Size for Capture.......................... 2048 KB
Packet Capture Time.............................. 2 Minutes
Packet Truncate Length........................... 300 Bytes
Packet Capture Classifier........................ IP

I captured the packets successfully, but the problem is that Wireshark did not decode them correctly (refer to the screenshot below). Has anyone used this feature before? If yes, how could I decode it and see the IP address and TCP/UDP port info?

Thanks for your help.

-Kevin

11 Replies

How to use wireshark to decode WLC Packet capture

Check and make sure you have the swap frame control enabled.

Edit > Preferences > CAPWAP. I'd also check LWAPP as well.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Rising star

How to use wireshark to decode WLC Packet capture

Thanks Stephen.

Tried it, but it wouldn't help.

How to use wireshark to decode WLC Packet capture

For reference, is your Wireshark configured like this?

http://wifinigel.blogspot.com/2012/04/decoding-cisco-capwap-with-wireshark.html

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Rising star

How to use wireshark to decode WLC Packet capture

Thanks George. Yes, I did configure Wireshark the same way.

In the link you provided, the packet was captured from the switch between the WLC and the AP, so the packet is for sure encapsulated in a CAPWAP frame.

But the feature which I am using might capture the packets between the AP and the client, since it can capture beacons and probe responses as well. The WLAN is configured to use WPA-PSK, so I enabled IEEE 802.11 decryption as well with the correct PSK, but it still did not help. I suspect that I did not convert the PSK from ASCII to hex correctly, or something else. There has got to be some way to decode it; otherwise this feature would be useless for troubleshooting.

Rising star

How to use wireshark to decode WLC Packet capture

Figured it out finally, based on the following link.

http://wiki.wireshark.org/HowToDecrypt802.11

1. The 4 EAPOL handshake packets must be captured.

2. "Ignore the Protection bit" set to "Yes - with IV".

But unfortunately, I only see traffic in one direction; not sure why.
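Two of the points raised in this thread are the ASCII-to-hex conversion of the PSK and the requirement to capture the 4-way EAPOL handshake. Wireshark derives the 256-bit PMK from a "wpa-pwd:passphrase:SSID" entry exactly as the standard does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations), and it then needs the nonces from the handshake to derive the per-client PTK, which is why decryption silently fails without those four frames. The following is an added example, not code from the thread or from Cisco or Wireshark: it performs the same PSK derivation so you can check a hand-converted hex key against the passphrase, and builds the two equivalent key-table entries in the "wpa-pwd" and "wpa-psk" formats documented on the Wireshark HowToDecrypt802.11 wiki page linked above. The test vector (passphrase "password", SSID "IEEE") is the published IEEE 802.11i one; the thread's own PSK is not on the page and is not used here.

```python
import hashlib

# Published IEEE 802.11i (Annex H) test vector, not a value from this thread:
# passphrase "password" with SSID "IEEE" must produce the PSK below.
KNOWN_PASSPHRASE = "password"
KNOWN_SSID = "IEEE"
KNOWN_PSK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal PSK (the PMK) from an ASCII passphrase.

    IEEE 802.11i defines PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    The passphrase must be 8..63 printable ASCII characters; the SSID 1..32 bytes.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Return the two equivalent entries for the IEEE 802.11 'Decryption keys' table.

    'wpa-pwd' lets Wireshark derive the PSK itself; 'wpa-psk' supplies the
    already-derived 64-hex-digit PSK, which is the form people convert by hand.
    Both formats are as documented on the Wireshark HowToDecrypt802.11 page.
    """
    psk_hex = wpa_psk_from_passphrase(passphrase, ssid).hex()
    return {
        "wpa-pwd": f"wpa-pwd:{passphrase}:{ssid}",
        "wpa-psk": f"wpa-psk:{psk_hex}",
    }


def hex_key_matches(passphrase: str, ssid: str, candidate_hex: str) -> bool:
    """Check a hand-converted hex PSK against the passphrase-derived one."""
    candidate = candidate_hex.strip().lower()
    if len(candidate) != 64:
        return False  # a WPA PSK is always 32 bytes = 64 hex digits
    return wpa_psk_from_passphrase(passphrase, ssid).hex() == candidate


def self_check() -> bool:
    """Confirm the derivation reproduces the IEEE test vector."""
    return hex_key_matches(KNOWN_PASSPHRASE, KNOWN_SSID, KNOWN_PSK_HEX)


if __name__ == "__main__":
    print("Derivation matches IEEE test vector:", self_check())
    for key_type, entry in wireshark_key_entries(KNOWN_PASSPHRASE, KNOWN_SSID).items():
        print(f"{key_type}: {entry}")
```

If hex_key_matches() returns False for the key you typed into Wireshark, the conversion (not the capture) is the problem; if it returns True and decryption still fails, look at whether all four EAPOL-Key frames for that client are actually in the capture, since a capture started after the client associated will never decrypt regardless of the key.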

Rising star

How to use wireshark to decode WLC Packet capture

Thanks for sharing the solution. For your other problem, you should check the link below again.

http://wifinigel.blogspot.com/2012/04/decoding-cisco-capwap-with-wireshark.html

Beginner

Did you ever figure out why captured traffic was unidirectional? I'm seeing the same issue.

Beginner

David, did you ever figure out your uni-directional issue? I have the same issue, strange.

Beginner

I wish... I've had to settle for a one-sided capture, since I haven't opened a TAC case yet.

Beginner

Hi Ken,

I found out half an answer.

It seems that if you go into the Wireshark protocol preferences for IEEE 802.11, you have the option "Ignore the Protection bit" with the values "No", "Yes - without IV" and "Yes - with IV".

It looks like if you set it to "Yes - with IV" you will see the client side of the communication properly decoded, and if you switch it to "Yes - without IV" you will get the server side properly decoded.

I am not sure what the setting actually does beyond ignoring the protection bit, and I have a TAC case open as well. Maybe I'll get to the bottom of this.

Re: Hi Ken,

Did you ever get an answer or a solution to this?


Regards
