Wi-Fi sniffing across multiple APs using wireshark

KRanji
Level 1

Hello:

I am working on a project to understand customer movement/crowding by capturing Wi-Fi probe requests. As they move, the probe requests will be captured from different APs. We set up Wireshark to capture the Wi-Fi packets, and tested it against one AP. Currently, the architecture is set up as follows:

AP sends Wi-Fi packets in sniffer mode to WLC, and WLC forwards it to Wireshark.

 

We would like to extend the capture across multiple APs. The challenge we face is identifying individual APs from where the probes originated. Since we are getting the packets from WLC, we don't get the IP address of the AP, but the IP address of WLC as our source. Is there any way to identify/differentiate the requests from different APs? 

 

For example, can I change the UDP port number from the default 5555 to something different for each AP? That way I can sniff multiple ports and map each port to a different AP. Or are there any details in the packets that can give me a hint of where the data is coming from?

 

Thanks in advance.

 

Regards,

Kishan.

5 Replies

JPavonM
VIP

Enable Aironet extension on the SSID to announce AP Name to be able to identify every beacon?

HTH

- Jesus

Jesus:

 

Thank you for your suggestion. We have enabled APs to announce SSID, but that doesn't help our use case. We are capturing probe requests (UDP packets) and since there's no traceability from one packet to the other, I was not able to connect a packet with beacon data to another packet with probe request with any certainty, especially when more than one AP dumps these packets to the client via WLC.

 

I could be wrong and if anyone knows a way to reliably follow a beacon to a probe request, I would be grateful.

 

Thanks,

Kishan.

Probe requests trigger probe responses in those APs that are able to hear it, but they do not trigger beacons, so you cannot trace back to them.

In Wireshark you can use this filter (wlan.fc.type_subtype == 4 or wlan.fc.type_subtype == 5) to isolate those packets, and see that a probe request is followed by some probe responses by looking at the timestamp of the packet; there is no other way.

By the way, you can use Metageek's EyePA to perform packet captures in all channels in a single area without having to turn on packet sniffing in all your APs, as in that mode they won't be responding to any probe request nor sending any beacon.

HTH

- Jesus
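The correlation Jesus describes (filter on subtype 4 and 5, then match a probe request to the probe responses that follow it by timestamp) can be reproduced offline on exported frame fields. The block below is an added example and is not code from this thread or from Cisco or Wireshark; the frame records are constructed sample data shaped like the Wireshark fields `frame.time_epoch`, `wlan.fc.type_subtype`, `wlan.sa`, `wlan.da` and `wlan.bssid`, and the 50 ms pairing window is an assumed value.

```python
"""Correlate 802.11 probe requests with the probe responses that follow them.

Added example, not code from the original thread. It mirrors the Wireshark
display filter `wlan.fc.type_subtype == 4 or wlan.fc.type_subtype == 5` and
then pairs each probe request with the responses sent back to the requesting
client within a short time window, so you can list which APs (by BSSID)
answered a given client. Frame records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

PROBE_REQUEST = 4   # wlan.fc.type_subtype value for a probe request
PROBE_RESPONSE = 5  # wlan.fc.type_subtype value for a probe response
BEACON = 8          # wlan.fc.type_subtype value for a beacon (filtered out)
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    time: float   # frame.time_epoch
    subtype: int  # wlan.fc.type_subtype
    sa: str       # wlan.sa (source address)
    da: str       # wlan.da (destination address)
    bssid: str    # wlan.bssid


# Constructed sample addresses (not real devices).
CLIENT_A = "aa:aa:aa:aa:aa:01"
CLIENT_B = "aa:aa:aa:aa:aa:02"
AP_1 = "00:11:22:33:44:01"
AP_2 = "00:11:22:33:44:02"
AP_3 = "00:11:22:33:44:03"

# Constructed capture: two clients probing, three APs, plus a beacon and a
# data frame that the subtype filter must drop.
SAMPLE_FRAMES = [
    Frame(100.000, PROBE_REQUEST, CLIENT_A, BROADCAST, BROADCAST),
    Frame(100.012, PROBE_RESPONSE, AP_1, CLIENT_A, AP_1),
    Frame(100.020, PROBE_RESPONSE, AP_2, CLIENT_A, AP_2),
    Frame(100.030, BEACON, AP_1, BROADCAST, AP_1),
    Frame(100.090, PROBE_RESPONSE, AP_3, CLIENT_A, AP_3),  # too late: outside window
    Frame(100.500, PROBE_REQUEST, CLIENT_B, BROADCAST, BROADCAST),
    Frame(100.510, PROBE_RESPONSE, AP_2, CLIENT_B, AP_2),
    Frame(101.000, PROBE_REQUEST, CLIENT_A, BROADCAST, BROADCAST),  # nobody answers
    Frame(101.200, 0x20, CLIENT_A, AP_1, AP_1),  # data frame, filtered out
]


def probe_frames(frames):
    """Equivalent of the Wireshark filter: keep only subtype 4 and 5 frames."""
    return [f for f in frames if f.subtype in (PROBE_REQUEST, PROBE_RESPONSE)]


def correlate(frames, window=0.05):
    """Map each probe request, keyed by (time, client MAC), to the sorted list
    of BSSIDs that sent a probe response to that client within `window`
    seconds after the request. The window (50 ms) is an assumed value."""
    filtered = sorted(probe_frames(frames), key=lambda f: f.time)
    requests = [f for f in filtered if f.subtype == PROBE_REQUEST]
    responses = [f for f in filtered if f.subtype == PROBE_RESPONSE]
    pairs = {}
    for req in requests:
        answered_by = sorted(
            {r.bssid for r in responses
             if r.da == req.sa and 0.0 <= r.time - req.time <= window}
        )
        pairs[(req.time, req.sa)] = answered_by
    return pairs


def heard_by(frames, window=0.05):
    """Summarise per client which APs answered any of its probe requests."""
    summary = defaultdict(set)
    for (_, client), bssids in correlate(frames, window).items():
        summary[client].update(bssids)
    return {client: sorted(b) for client, b in summary.items()}


if __name__ == "__main__":
    for (t, client), bssids in correlate(SAMPLE_FRAMES).items():
        print(f"{t:.3f} {client} answered by {bssids or 'nobody'}")
    print(heard_by(SAMPLE_FRAMES))
```

What this recovers is the set of APs that answered a client, not the sniffer AP that forwarded the frame to the WLC, which is exactly the gap the thread is about: once the WLC is the UDP source, the capturing AP's identity is gone. As Jesus notes, an AP in sniffer mode does not send probe responses, so the BSSIDs returned here belong to the normally serving APs that heard the client, which is still a usable location hint when those APs are placed at known spots.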

Arshad Safrulla
VIP Alumni

By default airopeek protocol uses port 5555. 

 

You may need to have multiple devices running Wireshark if you need to differentiate between APs. For example:

Sniffer AP 1 - 192.168.1.1

Sniffer AP 2 - 192.168.1.2

Sniffer AP X - 192.168.1.X

 

By the way, why are you using sniffer APs? You can simply do a debug client or radio active trace, depending on the platform, to see which AP the client is trying to associate to.

patoberli
VIP Alumni

You might also want to consider the Cisco CMX solution, which is basically a product that more or less is utilizing this for added value services. 
