
OTA Packet Capture on 5520

Wes Schochet
Level 3

Hi All-

I am working on troubleshooting some endpoint issues and am trying to do an Over the Air capture. I am working off of this document that TAC sent me:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-7/config-guide/b_cg87/packet_capture.html#wireless-sniffing

I have a 5520 controller running 8.5.140.0 and two 3602 APs.  The APs are about 10 feet apart from each other.  One is local mode, the other is in "Sniffer" mode.  They are on the same channel.  I have a server running Wireshark and am seeing traffic on port 5555 from the controller. I am decoding it as PEEKREMOTE.  I have attached a screenshot from Wireshark of the traffic.

I see a lot of traffic between the controller and the APs of various types: QoS Data, Beacon Frames, RTS, CTS, etc. What I don't see is packets to and from the client. I was expecting to see standard client data such as HTTP, DNS, RTP, etc. I don't see any client IP addresses at all in the capture. Am I doing something wrong? Is my expectation wrong? Am I misinterpreting what the feature is designed to do?

 

Thanks

 

Accepted Solutions

"I don't see any client IP addresses at all in the capture. Am I doing something wrong? Is my expectation wrong? Am I misinterpreting what the feature is designed to do?"

What is the security setting of the SSID? Is PSK or 802.1X/EAP configured for SSID security? If it is PSK, you can decrypt it and see inner protocol details like DHCP/DNS/HTTP, etc.; see the post below:

https://mrncciew.com/2018/04/07/wifi-captures-with-sniffer-mode-ap/ 

 

All those QoS Data frames are the ones that carry user data (the rest are management & control frames with no data payload).

 

HTH

Rasika

*** Pls rate all useful responses ***
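Why a capture like this shows QoS Data frames but no client IP addresses, as an added example that is not part of the original thread: it reads the 802.11 Frame Control field and reports an EtherType only when the Protected Frame flag is clear. The function name `inspect_frame`, the `SAMPLES` table and every frame byte are constructed for illustration; the input is assumed to be a bare 802.11 frame with the capture encapsulation header and FCS already removed.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data"}  # Frame Control type field
TO_DS, FROM_DS, PROTECTED, ORDER = 0x01, 0x02, 0x40, 0x80  # flag byte bits
LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC/SNAP prefix before the EtherType


def inspect_frame(frame: bytes) -> dict:
    """Classify one bare 802.11 frame and report what an analyzer can read."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {"type": TYPES.get(ftype, "extension"), "subtype": subtype,
            "protected": bool(flags & PROTECTED), "ethertype": None}
    if ftype != 2:
        return info                  # management/control: no user payload
    hdr = 24                         # FC, duration, 3 addresses, sequence ctrl
    if flags & TO_DS and flags & FROM_DS:
        hdr += 6                     # fourth address
    if subtype & 0x8:
        hdr += 2                     # QoS Control
        if flags & ORDER:
            hdr += 4                 # HT Control
    body = frame[hdr:]
    # Only an unprotected body exposes LLC/SNAP and the IP packet behind it.
    # A protected body starts with the cipher header followed by ciphertext.
    if not info["protected"] and body[:6] == LLC_SNAP and len(body) >= 8:
        info["ethertype"] = struct.unpack("!H", body[6:8])[0]
    return info


# Constructed sample frames (locally administered MAC addresses, dummy payloads).
ADDRS = bytes.fromhex("020000000001" "020000000002" "020000000001")

def _hdr(fc0: int, flags: int) -> bytes:
    return bytes([fc0, flags]) + b"\x00\x00" + ADDRS + b"\x00\x00"

SAMPLES = {
    "beacon": _hdr(0x80, 0x00) + b"\x00" * 12,
    "qos_data_protected": _hdr(0x88, 0x41) + b"\x00\x00"
        + bytes.fromhex("0100002000000000") + b"\x5a" * 16,
    "qos_data_open": _hdr(0x88, 0x01) + b"\x00\x00"
        + LLC_SNAP + b"\x08\x00" + b"\x45" + b"\x00" * 19,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_frame(raw))
```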
