
OTA Packet Capture on 5520

Hi All-

I am working on troubleshooting some endpoint issues and am trying to do an Over the Air capture. I am working off of this document that TAC sent me:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-7/config-guide/b_cg87/packet_capture.html#wireless-sniffing

I have a 5520 controller running 8.5.140.0 and two 3602 APs.  The APs are about 10 feet apart from each other.  One is local mode, the other is in "Sniffer" mode.  They are on the same channel.  I have a server running Wireshark and am seeing traffic on port 5555 from the controller. I am decoding it as PEEKREMOTE.  I have attached a screenshot from Wireshark of the traffic.

I see a lot of traffic between the controller and the APs of various types: QoS Data, Beacon Frames, RTS, CTS, etc. What I don't see is packets to and from the client. I was expecting to see standard client data such as HTTP, DNS, RTP, etc. I don't see any client IP addresses at all in the capture. Am I doing something wrong? Is my expectation wrong? Am I misinterpreting what the feature is designed to do?

 

Thanks

 

Accepted Solutions

"I don't see any client IP addresses at all in the capture. Am I doing something wrong? Is my expectation wrong? Am I misinterpreting what the feature is designed to do?"

What is the security setting of the SSID? Is PSK or 802.1X/EAP configured for SSID security? If it is PSK, you can decrypt it and see inner protocol detail like DHCP/DNS/HTTP, etc.; see the post below:

https://mrncciew.com/2018/04/07/wifi-captures-with-sniffer-mode-ap/ 

 

All those QoS Data frames are the ones that carry user data (the rest are management & control frames with no data payload).

 

HTH

Rasika

*** Pls rate all useful responses ***
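
The frame-type distinction in the answer above, as an added example that is not part of the original thread: it decodes the 802.11 Frame Control field to show which captured frames carry user data and whether that data is encrypted (Protected Frame flag set), which is why no client IP addresses are readable before decryption. It assumes raw 802.11 MAC frames with the PEEKREMOTE header already removed; the function names are hypothetical and the sample frames are constructed.

```python
from collections import Counter

# 802.11 Frame Control: byte 0 = version(2 bits) | type(2) | subtype(4); byte 1 = flags.
TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPES = {(0, 8): "Beacon", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "ACK",
            (2, 0): "Data", (2, 4): "Null", (2, 8): "QoS Data", (2, 12): "QoS Null"}
PROTECTED = 0x40  # "Protected Frame" flag: the frame body is encrypted

def classify(frame: bytes) -> dict:
    """Decode the Frame Control field of a raw 802.11 MAC frame."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    protected = bool(frame[1] & PROTECTED)
    # Data subtypes with bit 2 set (Null, QoS Null, ...) carry no frame body.
    has_payload = ftype == 2 and not (subtype & 0x4)
    return {
        "type": TYPES.get(ftype, "reserved"),
        "subtype": SUBTYPES.get((ftype, subtype), f"subtype {subtype}"),
        "protected": protected,
        "has_payload": has_payload,
        # IP/DNS/HTTP headers are only readable when the body is not encrypted.
        "ip_readable": has_payload and not protected,
    }

def summarize(frames) -> dict:
    """Count frames by what a capture viewer can show without decryption keys."""
    counts = Counter()
    for frame in frames:
        info = classify(frame)
        if not info["has_payload"]:
            counts["no user payload"] += 1
        elif info["protected"]:
            counts["encrypted payload"] += 1
        else:
            counts["cleartext payload"] += 1
    return dict(counts)

# Constructed sample: only the two Frame Control bytes of each frame are given.
SAMPLE = [bytes([0x80, 0x00]),  # Beacon
          bytes([0xB4, 0x00]),  # RTS
          bytes([0xC4, 0x00]),  # CTS
          bytes([0x88, 0x41]),  # QoS Data, To DS, Protected
          bytes([0x88, 0x42]),  # QoS Data, From DS, Protected
          bytes([0xC8, 0x01]),  # QoS Null, To DS
          bytes([0x08, 0x01])]  # Data, To DS, not protected (open SSID)

if __name__ == "__main__":
    for f in SAMPLE:
        print(classify(f))
    print(summarize(SAMPLE))
```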
