Sniffing wireless traffic is possible with a normal Wireshark capture taken on the wireless adapter. However, you will not be able to sniff raw 802.11 frames: you only get some layer 2 frames, layer 3 frames and above, and no promiscuous mode. This means you miss most of what you want to see in a wireless trace. The following sections explain how to sniff over the air. Most of the products are currently not free, but some solutions exist. An important thing to be aware of is that when you are taking your wireless trace with a dedicated tool, you cannot use your wireless adapter for anything else. This means that you often need an extra laptop dedicated to sniffing, or you can have two adapters on the same laptop: one for sniffing and one for associating with the network.
It can sometimes happen that Wireshark sniffs all traffic on the wireless adapter in promiscuous mode, but this depends entirely on the client's drivers. Few drivers allow this.
Important Note about LWAPP/CAPWAP packets
By default, you will see the content of LWAPP/CAPWAP packets as scrambled data. In Wireshark, go to Edit -> Preferences, click "Protocols", then "LWAPP" (or "CAPWAP"), and enable the only checkbox present, "control bit swap".
This lets you view the content of the LWAPP/CAPWAP packet, i.e. the wireless frame encapsulated inside LWAPP/CAPWAP. This is very useful, for example, to check whether the QoS markings of the wireless frame are present and whether they are also kept outside the encapsulation.
Wireshark 1.4 and later is needed to decrypt CAPWAP.
This obviously concerns traffic sniffed on the wired side, since CAPWAP runs between the AP and the WLC.
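As an added example (not part of the original document), the following Python script shows what the QoS check described above looks like when done by hand on the wired CAPWAP packet: it walks the CAPWAP data header (layout from RFC 5415 section 4.3), pulls out the encapsulated 802.11 frame, reads the user priority (TID) from its QoS Control field and reports it beside the DSCP of the outer IP header. The CAPWAP and 802.11 bytes are constructed inline for the demonstration, not taken from a real capture.

```python
import struct

def parse_capwap_data(payload: bytes) -> dict:
    """Parse the CAPWAP data-channel header (RFC 5415 s4.3) and return the
    encapsulated frame. T=1 with WBID=1 means the payload is a native
    802.11 frame (as opposed to an 802.3 frame)."""
    if len(payload) < 8 or (payload[0] >> 4) != 0:
        raise ValueError("short payload or unsupported CAPWAP version")
    w = int.from_bytes(payload[1:4], "big")   # HLEN|RID|WBID|T|F|L|W|M|K|flags
    hlen = ((w >> 19) & 0x1F) * 4             # HLEN is in 4-byte words
    wbid = (w >> 9) & 0x1F
    t_flag = (w >> 8) & 1
    return {"hlen": hlen, "wbid": wbid,
            "native_80211": t_flag == 1 and wbid == 1, "inner": payload[hlen:]}

def parse_80211(frame: bytes) -> dict:
    """Read type/subtype, DS bits, addresses and the QoS TID of an 802.11 frame."""
    fc0, fc1 = frame[0], frame[1]             # Frame Control is little-endian
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    hdr_len = 24 + (6 if to_ds and from_ds else 0)   # Address 4 only in WDS frames
    info = {"type": ftype, "subtype": subtype, "to_ds": to_ds, "from_ds": from_ds,
            "addr1": frame[4:10].hex(":"), "addr2": frame[10:16].hex(":"), "tid": None}
    if ftype == 2 and subtype & 0x8:          # only QoS Data subtypes carry QoS Control
        qos_ctl = struct.unpack_from("<H", frame, hdr_len)[0]
        info["tid"] = qos_ctl & 0x0F          # TID = 802.11e user priority
    return info

def qos_markings(ip_tos: int, udp_payload: bytes) -> dict:
    """Outer DSCP (IP TOS byte of the CAPWAP packet) next to the inner 802.11 UP,
    so a mismatch between the two markings is visible at a glance."""
    cap = parse_capwap_data(udp_payload)
    inner = parse_80211(cap["inner"]) if cap["native_80211"] else {"tid": None}
    return {"outer_dscp": ip_tos >> 2, "inner_up": inner["tid"]}

# Constructed sample: 8-byte CAPWAP data header (HLEN=2, RID=0, WBID=1, T=1),
# then a QoS Data frame (FromDS=1) with TID 6 and a 4-byte dummy body.
SAMPLE_CAPWAP = bytes.fromhex("00 10 03 00 00 00 00 00")
SAMPLE_80211 = (bytes([0x88, 0x02]) + b"\x00\x00"           # FC: QoS Data, FromDS; duration
                + bytes.fromhex("00 11 22 33 44 55")          # Addr1 (receiver)
                + bytes.fromhex("aa bb cc dd ee ff")          # Addr2 (transmitter/BSSID)
                + bytes.fromhex("00 11 22 33 44 55")          # Addr3
                + b"\x00\x00" + b"\x06\x00"                   # Seq Ctrl; QoS Ctrl TID=6
                + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    # Outer TOS 0xB8 is DSCP 46 (EF); with inner UP 6 the markings agree.
    print(qos_markings(0xB8, SAMPLE_CAPWAP + SAMPLE_80211))
```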
AP in sniffer mode (LWAPP/CAPWAP)
On a controller, you can change an access point's mode to "sniffer". If you apply that change, the AP will reboot.
Once it joins back, you can configure the channel to sniff for that AP, as well as your laptop's IP address. The idea is that the AP tunnels all the sniffed traffic to your PC.
It is encapsulated in UDP 5555. In summary you have an IP header (from the AP to your laptop), a UDP 5555 header and, inside, the wireless frame (802.11 layer 2) sniffed by the AP.
Open the trace, go to "Analyze", then "Decode As", select UDP 5555 and decode the trace as "airopeek". The trace is in fact sent from the WLC management IP with UDP source port 5555 to the IP address of the PC (configured under the AP's settings) with UDP destination port 5000.
WifiWay is a live Linux distribution: you just boot from the CD and run the tool, with nothing to install. This distribution is freely available.
The interesting part is that it supports the Intel 3945 chipset, which is present in many laptops.
Put the CD in the drive and reboot the PC. WifiWay asks you to choose your timezone, keyboard type and so on. Once you get the command shell, you can start the X window system with "startx".
Then, by clicking the small black square in the lower left part of the screen, you get a terminal. Type "cd /home/wireless" and then "airoway.sh". This starts several windows that show you the surrounding devices and access points. It also has a tool to start attacks against APs. This also sets up the driver for the wifi adapter.
Then you can either start Wireshark or run "airodump", which is also in the "/home/wireless" directory. The command is:
airodump wifi0 capture 6
This uses the adapter wifi0, writes the sniffer trace to capture.cap and scans only channel 6.