
Client Packet capture question

ALIAOF_
Level 6

If I have a client MAC address and I SPAN the WLC port and try to capture client traffic in Wireshark using the client MAC, will I be able to? Or will it only show me the WLC's MAC?

3 Replies

Rasika Nayanajith
VIP Alumni

If that traffic is encrypted (e.g. 802.1X SSID or PSK) then you may not see the client MAC address.

You will see AP & WLC addresses in the CAPWAP headers & not the client address. If it is open SSID traffic, you will see the client address in the Data section.

HTH

Rasika

*** Pls rate all useful responses *** 

Ah, gotcha, thank you for your reply. Would it make a difference if I trunk the port where the AP is connected? One of my colleagues was telling me that it is possible to see it by trunking the port on the AP and then spanning the WLC port.

I'm inclined to believe we will get the same results; however, the best way to capture client traffic would be to use some kind of WLAN packet capture, or utilize the AP in sniffer mode, or do a capture on the WLC itself.

If your intention is to see secured SSID client data traffic while it goes from AP to WLC, that won't help.

For a PSK-secured SSID, you can decrypt as long as you capture the full conversation, including the 4-way handshake. See the post below on that:

https://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark/

If it is 802.1X SSID traffic, there is no way to decrypt & see what's exactly in it.

Need to mention, once you capture WLC trunk port traffic you would be able to see the traffic that goes to the wired network (AP -> WLC -> Wired Network) from the WLC; this traffic is not encrypted & you would be able to see that traffic.

HTH

Rasika

*** Pls rate all useful responses ***
