06-12-2018 06:51 AM - edited 07-05-2021 08:43 AM
Hi everyone
I am trying to sniff 802.11 frames using a 1702i Access Point joined to my controller.
I followed the guide here: https://supportforums.cisco.com/t5/wireless-mobility-documents/collecting-a-wireless-sniffer-trace-using-the-cisco-lightweight/ta-p/3120458
I am using Wireshark.
The output I am receiving on my PC running Wireshark is not shown as intended. It appears to be fragmented. Then I decided to put the WLC, AP (in sniffer-mode) and the PC running Wireshark in the same layer 2, just to make sure my firewall did not fragment the packets, but my Wireshark still shows the packets as "IP Fragmented IP Protocol" UDP/17.
The WLC is running 8.5.120.0 and my Wireshark version is 2.6.1.
I am not using a capture filter.
Please see attached screenshot and drawing of my network.
Regards A
06-13-2018 02:32 AM
Hi Patoberli!
Thank you for taking your time to help :-)
Yes I am capturing on the wired port on my PC.
See attached screenshot. The packets are just regular IP packets like I would expect to see under normal circumstances if I just start to capture traffic on my wired port.
In the meantime I tried using another 1700 series AP as my sniffer and another laptop as well. Sadly, the issue still persists. The packets from the WLC to my client are these wired "UDP/17 - Fragmented IP protocol" packets.
06-14-2018 12:22 AM
Hi again!
I managed to solve the issue. Apparently Symantec Endpoint Protection was messing up the packets. The AV is running a local IPS system on the host computers. It is set up under "Network and Host Exploit Mitigation Settings" of your client/server preference.
As soon as I disabled Symantec the packets were no longer fragmented.
Thank you everyone for your inputs and helpful comments!
Regards A