
Wireless Sniffing - How to get to see the Payload?

chris-kaiser
Level 1

Hello everybody. I'm now troubleshooting a wireless problem, so I want to sniff the traffic from the device.

What I've done so far:

- set up an AP in sniffing mode

- redirected the traffic to my client

- sniffing the traffic

I can see the traffic in Wireshark, but I cannot see the payload.

I should see the DHCP request and so on, but I cannot see this information in Wireshark.

All I see is source MAC (my device), destination MAC - broadcast.

I did it just like the how-to told me to:

https://supportforums.cisco.com/docs/DOC-19214

What am I missing?

Thank You

Chris

13 Replies 13

Nigel Bowden
Level 2

If you have any type of encryption used on the SSID, you won't see the payload as it's encrypted. You'll only see up to layer 2 (i.e. the WLAN headers).

If you have a PSK, it would be possible to put this into Wireshark and decrypt the payload, but if you're using 802.1x, you cannot decrypt, as the encryption keys change constantly.

HTH.

Sent from Cisco Technical Support iPad App

Hello

Thank you for your answer!

But there is no encryption used. It's a guest WLAN.

So this should not be the problem.

Chris,

The only other thing I can think of is that the frames are getting truncated somewhere.

Maybe you have some sort of frame slicing configured in Wireshark to keep the capture size down?

Nigel.

Sent from Cisco Technical Support iPad App

Hello Nigel

Thank you. I made some other mistakes. Everything solved.

BUT now I have the problem that I have the data in Wireshark, but not in a human-readable state.

Do you know how to change this?

wififofum
Level 4

What are you using as the decoder for the frames? Are you using the AIROPEEK transport protocol?

Sent from Cisco Technical Support Android App

In Wireshark it's called PEEKREMOTE. They changed it with the newer releases.

So yes, I decode with that.

wififofum
Level 4

That's right, thank you. Any luck with the payload? It's been a while since I tried this.


Sent from Cisco Technical Support Android App

wififofum
Level 4

I managed to get one going here. Is the sniffer mode AP close enough to clients connecting to nearby APs, and are you sniffing on the same channel as a nearby AP?


Sent from Cisco Technical Support Android App

Yes. Like we mentioned before, we see traffic, but the data is not readable for us.

The goal is to sniff the WISPr requests and hopefully the response from iOS 7 devices.

So I need to see the data, and as far as I know this should be plain text.

Ok, thanks. Interesting, so this wouldn't be anything the controller would see in a client debug. Did you see this link on the WISPr URLs used in iOS 7? http://www.cadincweb.com/why-your-apple-ios-7-device-wont-connect-to-the-wifi-network

Yes, I saw that link and must tell that it is incorrect. With iOS 7, Apple now has 200+ URLs for WISPr.

All I want to see is if there is a WISPr request and hopefully an answer, and where the answer is from.

You can sniff the client connecting AP port using Wireshark.

I seem to be seeing the same issue: seeing sniffed mcast/broadcast packets from wireless clients - no unicast.

WLC is running 7.5.10.12 using (2) 3602s, 1 AP in FlexC mode, the other in sniffer mode.

I've tried using both 5G and 2.4G radios, making sure both clients and both APs are all matched.

I even dropped that to only 2.4 and the available RF rates to a max of 11M - the behavior never changes.

Using Wireshark 1.10.5

Decoding packets as PEEKREMOTE.

Have set/unset CAPWAP/LWAPP "swap control bit" - no difference

Enabled/disabled CAPWAP "Cisco wireless controller support" - no difference

Perhaps a Wireshark dissector issue? I'm seeing many/larger frames in these captures all decoded as:

IEEE 802.11 Unrecognized (Reserved frame), Flags: .........

Type/Subtype: Unknown (0x36)

Frame Control Field: 0x6c00

Curious if others with similar setup have this working correctly or not - ?
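Added example, not part of the thread or any poster's code: a small decoder for the 802.11 Frame Control value that Wireshark prints, showing how `0x6c00` maps to Type/Subtype `0x36` and how the Protected flag decides whether a data frame's payload is readable. It assumes the displayed hex is the field's two bytes in wire order; the function names and every sample value other than `0x6c00` are constructed for illustration.

```python
# Added example: decode an 802.11 Frame Control value as Wireshark prints it.
# Assumption: the hex value is the field's two bytes in wire order, which is
# consistent with the thread's pair 0x6c00 -> Type/Subtype 0x36.
TYPES = {0: "management", 1: "control", 2: "data", 3: "reserved/extension"}


def decode_frame_control(fc_hex):
    """Split the Frame Control field into the bits that matter for payload."""
    b0, b1 = int(fc_hex, 16).to_bytes(2, "big")
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    return {
        "version": b0 & 0x3,
        "type": ftype,
        "type_name": TYPES[ftype],
        "subtype": subtype,
        "type_subtype": (ftype << 4) | subtype,  # combined value Wireshark shows
        "protected": bool(b1 & 0x40),            # Protected Frame flag
    }


def payload_visibility(fc_hex):
    """Say whether a frame with this Frame Control can show readable payload."""
    fc = decode_frame_control(fc_hex)
    if fc["version"] != 0 or fc["type"] == 3:
        return "not a management/control/data frame"
    if fc["type"] != 2:
        return "no upper-layer payload (%s frame)" % fc["type_name"]
    if fc["subtype"] & 0x4:
        # Data subtypes with this bit set (Null, QoS Null) carry no frame body.
        return "data frame without body"
    if fc["protected"]:
        return "encrypted payload (Protected flag set)"
    return "cleartext payload"


# 0x6c00 is the value quoted in the thread; the others are constructed samples.
SAMPLES = ["0x6c00", "0x0801", "0x8841", "0x4801", "0x8000"]

if __name__ == "__main__":
    for fc_hex in SAMPLES:
        fc = decode_frame_control(fc_hex)
        print("%s  type/subtype=0x%02x  %s"
              % (fc_hex, fc["type_subtype"], payload_visibility(fc_hex)))
```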
