Solved: Re: AP in sniffer mode - UDP/17 - "IP Fragmented IP Protocol"

ahk000002 · ‎06-12-2018

HI everyone

I am trying to sniff 802.11 frames using a 1702i Access Point joined to my controller.

I followed the guide here: https://supportforums.cisco.com/t5/wireless-mobility-documents/collecting-a-wireless-sniffer-trace-using-the-cisco-lightweight/ta-p/3120458

I am using Wireshark.

The output I am receiving on my PC running Wireshark is not shown as intended. It appears to be fragmented. Then I decided to put the WLC, AP (in sniffer-mode) and the PC running Wireshark in the same layer 2, just to make sure my firewall did not fragment the packets, but my Wireshark still shows the packets as "IP Fragmented IP Protocol" UDP/17.

The WLC is running 8.5.120.0 and my Wireshark version is 2.6.1.

I am not using a capture filter.

Please see attached screenshot and drawing of my network.

Regards A

ahk000002 · ‎06-14-2018

Hi again!

I managed to solve the issue. Apparently Symantec Endpoint Protection was messing up the packets. The AV is running a local IPS system on the host computers. It is setup under "Network and Host Exploit Mitigation Settings" of your client/server preference.

As soon as I disabled Symantec the packets were no longer fragmented.

Thank you everyone for your inputs and helpful comments!

Regards A

View solution in original post

Scott Fella · ‎06-12-2018

You should use a capture filter for udp 5555 source and udp 5000 as the host. Or else you will see the fragment. Then you can use the display filters to look at only what you want to see.

-Scott
*** Please rate helpful posts ***

ahk000002 · ‎06-12-2018

Hi Scott

Thanks for the quick reply! I am trying the capture filter "udp port 5555", but this filter does not show any packages at all.

I see attached screenshot.

Any advise?

Regards

patoberli · ‎06-13-2018

Can you show a screenshot with the capture filter disabled? Just to see how the packets look that you are receiving.
You capture on a wired interface on the computer, right?

ahk000002 · ‎06-13-2018

Hi Patoberli!

Thank you for taking your time to help :-)

Yes I am capturing on the wired port on my PC.

See attached screenshot. The packets are just regular IP packets like I would except to see under normal circumstances if I just starts to capture traffic on my wired port.

In the meantime I tried using another 1700 series AP as my sniffer and another laptop as well. It is, sadly, still the issue persists. The packets from the WLC to my client is these wired "UDP/17 - Fragmented IP protocol" packets.

patoberli · ‎06-13-2018

Ok, your capture-snip.png looks good, that's the way it should look, if the decoding is not correctly configured.
If you right click one of those packets and select Decode as -> Transport -> Peekremote, how does it look?

patoberli · ‎06-13-2018

This is how it should look:

[cid:image001.png@01D4030B.267BACF0]

Only mind the top line.

In case the picture doesn't show, here once again.

ahk000002 · ‎06-14-2018

Hi again!

I managed to solve the issue. Apparently Symantec Endpoint Protection was messing up the packets. The AV is running a local IPS system on the host computers. It is setup under "Network and Host Exploit Mitigation Settings" of your client/server preference.

As soon as I disabled Symantec the packets were no longer fragmented.

Thank you everyone for your inputs and helpful comments!

Regards A