cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3895
Views
0
Helpful
1
Replies

AP Sniffer to Wireshark

jsmbrown
Level 1
Level 1

I recently set up an Access Point as a sniffer in the controller and told the b/g radio the IP address of the workstation running Wireshark.  I see packets coming from the controller in the packet capture.  However, those packets do not look like regular wireless packets.  I was hoping to see the beacons and such.  Is there a way to decode wireshark to leave off the controller headers?  Is there a plug-in for Wireshark I am missing to make the traces read as though my machine did the wireless sniff instead? 

1 Reply 1

jsmbrown
Level 1
Level 1

After more careful reading on similar posts, I found the answer - posted by Olivier Nicolas.  Thank you Olivier.

https://supportforums.cisco.com/message/1289396#1289396

They should include this in the documentation for the controller where they talk about setting up the AP and radio.

Configure AP Sniffer mode as describe in the previous link.

The  "Server IP address" is the address of the host where Wireshark is  installed.

The WLC will sent UDP packets (with source port 5555)  to the Wireshark host (with destination port 5000).

In Wireshark,  follow the UDP stream and then decode UDP destination 5000 as "AIROPEEK"  transport protocol.

You should now be able the see the frames  captured by the AP on the selected channel.

Review Cisco Networking for a $25 gift card