06-30-2011 05:27 AM - edited 07-03-2021 08:22 PM
Looking for instructions on how to configure Wireshark to capture wireless traffic from a lightweight AP that's configured in Sniffer mode. The controller/AP configuration is easy enough, but looking for specifics on Wireshark config.
Controller configuration:
http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52err.html#wp1042843
07-01-2011 12:24 AM
There is nothing much to do on Wireshark.
Just start sniffing on your ethernet interface.
You will receive the stream from the AP.
Since the sniffed content has to be encapsulated to reach you, it's UDP 5000 unicasted to your laptop if my memory serves well.
Anyway, choose a packet and right-click "decode as". Choose "Airopeek".
Wireshark will remove the AP encapsulation and you will see the sniffed traffic just like the AP captured it.
07-01-2011 07:36 AM
Fair warning:
If UDP Port 5000 is not open on your Client, you will typically see an ICMP Unreachable sent for every single packet to your computer from the WLC (so you could potentially flood your WLC with ICMP Unreachables).
I've never run into this being a problem with a single capture, but if you send multiple sniffer mode APs to Wireshark, you could do some network congestion harm....
If you have a way to open port 5000, great.
If not, find a way to stop ICMP Unreachables from crossing the network? Then all you have to do is filter out the ICMP Unreachables from the Wireshark capture....
OR does someone know a trick to overcome this?
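Added example, not part of any post in this thread: a minimal UDP sink that binds the capture host's port so the OS has a listener and does not answer the sniffer stream with ICMP Port Unreachable, while Wireshark keeps capturing the same packets at the interface. Port 5000 is the value quoted in the thread; the function names are hypothetical, and the host firewall is assumed to allow the inbound UDP stream.

```python
import socket

SNIFFER_PORT = 5000  # port quoted in the thread; change it if your stream differs


def open_sink(host="0.0.0.0", port=SNIFFER_PORT):
    """Bind a UDP socket so the OS has a listener for the AP's stream."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def drain(sock, max_packets=None, idle_timeout=None):
    """Read and discard datagrams; return {source_ip: [packets, bytes]}.

    Stops after max_packets datagrams, after idle_timeout seconds with no
    traffic, or on Ctrl-C. With both limits left as None it runs until Ctrl-C.
    """
    stats = {}
    seen = 0
    sock.settimeout(idle_timeout)
    try:
        while max_packets is None or seen < max_packets:
            try:
                data, (src, _src_port) = sock.recvfrom(65535)
            except socket.timeout:
                break  # stream went quiet
            entry = stats.setdefault(src, [0, 0])
            entry[0] += 1          # datagram count per sender
            entry[1] += len(data)  # payload bytes per sender
            seen += 1
    except KeyboardInterrupt:
        pass
    return stats


if __name__ == "__main__":
    sink = open_sink()
    print(f"Discarding UDP on port {SNIFFER_PORT}; start the Wireshark capture now.")
    try:
        for src, (pkts, size) in drain(sink).items():
            print(f"{src}: {pkts} datagrams, {size} bytes discarded")
    finally:
        sink.close()
```

The per-source counts also show at a glance how many sniffer-mode APs are streaming to this host.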