AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

ahk000002 (Beginner)

Hi everyone

I am trying to sniff 802.11 frames using a 1702i Access Point joined to my controller.

I followed the guide here: https://supportforums.cisco.com/t5/wireless-mobility-documents/collecting-a-wireless-sniffer-trace-using-the-cisco-lightweight/ta-p/3120458

I am using Wireshark.

The output I am receiving on my PC running Wireshark is not shown as intended. It appears to be fragmented. Then I decided to put the WLC, AP (in sniffer mode) and the PC running Wireshark in the same layer 2, just to make sure my firewall did not fragment the packets, but my Wireshark still shows the packets as "IP Fragmented IP Protocol" UDP/17.

The WLC is running 8.5.120.0 and my Wireshark version is 2.6.1.

I am not using a capture filter.

Please see attached screenshot and drawing of my network.

Regards A

Accepted Solution

Hi again!

I managed to solve the issue. Apparently Symantec Endpoint Protection was messing up the packets. The AV is running a local IPS system on the host computers. It is set up under "Network and Host Exploit Mitigation Settings" of your client/server preference.

As soon as I disabled Symantec the packets were no longer fragmented.

Thank you everyone for your inputs and helpful comments!

Regards A


7 Replies

Scott Fella (Hall of Fame Guru)

You should use a capture filter for udp 5555 as the source and udp 5000 as the host. Or else you will see the fragments. Then you can use the display filters to look at only what you want to see.
-Scott
*** Please rate helpful posts ***
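The capture-filter advice above and the "Fragmented IP protocol" rows in the original post come down to the same mechanism: the AP's capture export is one large UDP datagram per captured 802.11 frame, and anything larger than the path MTU is split into IP fragments, of which only the first carries the UDP header. The following Python is an added example, not code from this thread or from Cisco; it models that split, emulates what a BPF capture filter such as "udp port 5555" can and cannot match, and reassembles the fragments the way a dissector must before it can decode the payload. The port numbers 5555 and 5000 follow Scott's reply; the addresses, MTU, frame size and payload bytes are constructed for the demo, and the IP header checksum is left at zero for brevity.

```python
import struct

SNIFFER_PORT = 5555   # UDP source port of the AP's capture stream (from the thread)
HOST_PORT = 5000      # UDP destination port on the capturing host (from the thread)
IPPROTO_UDP = 17      # the "UDP/17" shown in the original poster's Wireshark output
IP_HDR_LEN = 20
UDP_HDR_LEN = 8


def ipv4_header(total_len: int, ident: int, more_fragments: bool, frag_offset: int) -> bytes:
    """Minimal IPv4 header. frag_offset is in bytes and must be a multiple of 8.
    Constructed example: addresses are placeholders, checksum is left as 0."""
    flags_offset = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, ident, flags_offset, 64, IPPROTO_UDP, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def fragment_udp(payload: bytes, sport: int, dport: int, mtu: int, ident: int = 0x1234) -> list:
    """Wrap payload in a UDP header and split the datagram into IP packets that fit the MTU,
    the way a sending stack (or a middlebox) would fragment an oversized datagram."""
    datagram = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    chunk = (mtu - IP_HDR_LEN) // 8 * 8      # non-final fragment data must be a multiple of 8
    packets = []
    for off in range(0, len(datagram), chunk):
        piece = datagram[off:off + chunk]
        more = off + chunk < len(datagram)
        packets.append(ipv4_header(IP_HDR_LEN + len(piece), ident, more, off) + piece)
    return packets


def parse_ipv4(packet: bytes):
    """Return (ident, more_fragments, frag_offset_in_bytes, payload)."""
    ident, flags_offset = struct.unpack("!HH", packet[4:8])
    return ident, bool(flags_offset & 0x2000), (flags_offset & 0x1FFF) * 8, packet[IP_HDR_LEN:]


def matches_udp_port(packet: bytes, port: int) -> bool:
    """Emulates the BPF capture filter 'udp port N': BPF only looks at the UDP header,
    which exists in the first fragment alone, so fragments with a non-zero offset never match."""
    _, _, offset, payload = parse_ipv4(packet)
    if packet[9] != IPPROTO_UDP or offset != 0 or len(payload) < UDP_HDR_LEN:
        return False
    sport, dport = struct.unpack("!HH", payload[:4])
    return port in (sport, dport)


def reassemble(packets: list) -> bytes:
    """What a dissector does before it can decode the UDP payload: order fragments by
    offset and concatenate them. Raises if a fragment is missing or the chain is unfinished."""
    frags = sorted((parse_ipv4(p) for p in packets), key=lambda f: f[2])
    out, expected = b"", 0
    for _ident, _more, offset, payload in frags:
        if offset != expected:
            raise ValueError(f"missing fragment before offset {offset}")
        out += payload
        expected = offset + len(payload)
    if frags[-1][1]:
        raise ValueError("last fragment still has the More Fragments flag set")
    return out


def demo(mtu: int = 1500, frame_len: int = 2300):
    """Export one constructed 802.11 frame of frame_len bytes over the MTU given and report
    (number of IP packets on the wire, which of them a 'udp port 5555' filter keeps,
    whether reassembly recovers the original frame)."""
    frame = bytes(range(256)) * (frame_len // 256) + b"\x00" * (frame_len % 256)
    packets = fragment_udp(frame, SNIFFER_PORT, HOST_PORT, mtu)
    kept_by_filter = [matches_udp_port(p, SNIFFER_PORT) for p in packets]
    recovered = reassemble(packets)[UDP_HDR_LEN:] == frame
    return len(packets), kept_by_filter, recovered


if __name__ == "__main__":
    print(demo())            # a 2300-byte frame over a 1500-byte MTU becomes 2 packets
    print(demo(mtu=9000))    # with jumbo frames it stays a single packet
```

The practical consequence for a capture host: a port-based capture filter silently drops every fragment but the first, so a capture that should decode as PEEKREMOTE comes out truncated, while a capture taken without a filter shows the "Fragmented IP protocol" rows that are reassembled in the display. Anything on the host that rewrites or re-fragments packets before the capture driver sees them, as the accepted answer found with the endpoint IPS, breaks that reassembly in the same way.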

Hi Scott

Thanks for the quick reply! I am trying the capture filter "udp port 5555", but this filter does not show any packages at all.

See attached screenshot.

Any advice?

Regards

Can you show a screenshot with the capture filter disabled? Just to see how the packets look that you are receiving.
You capture on a wired interface on the computer, right?

Hi Patoberli!

Thank you for taking your time to help :-)

Yes, I am capturing on the wired port on my PC.

See attached screenshot. The packets are just regular IP packets like I would expect to see under normal circumstances if I just start to capture traffic on my wired port.

In the meantime I tried using another 1700 series AP as my sniffer and another laptop as well. Sadly, the issue still persists. The packets from the WLC to my client are these weird "UDP/17 - Fragmented IP protocol" packets.

Ok, your capture-snip.png looks good, that's the way it should look, if the decoding is not correctly configured.
If you right click one of those packets and select Decode as -> Transport -> Peekremote, how does it look?

This is how it should look:

[image001.png: inline screenshot not included]

Only mind the top line.

In case the picture doesn't show, here once again.

