Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2139
Views
0
Helpful
2
Replies

Wireshark for AP in Sniffer mode

mheidemann
Level 1
Level 1

‎06-30-2011 05:27 AM - edited ‎07-03-2021 08:22 PM

Looking for instructions on how to configure Wireshark to capture wireless traffic from a liteweight AP thats configured in Sniffer mode. The controller/AP configuration is easy enough, but looking for specifics on Wireshark config.

Controller configuration:

http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52err.html#wp1042843

Labels:
0 Helpful
2 Replies 2

Nicolas Darchis
Cisco Employee
Cisco Employee

‎07-01-2011 12:24 AM

There is nothing much to do on wireshark.

Just start sniffing on your ethernet interface.

You will receive the stream from the AP.

Since the sniffed content has to be encapsulated to reach you, it's UDP 5000 unicasted to your laptop if my memory serves well.

Anyway, chose a packet and right clicjk "decode as". Chose "Airopeek".

Wirehsark will remove teh AP encapsulation and you will see the sniffed traffic just like the AP captured it.

0 Helpful

weterry
Level 4
Level 4
In response to Nicolas Darchis

‎07-01-2011 07:36 AM

Fair warning:

If UDP Port 5000 is not open on your Client, you will typically see an ICMP Unreachable sent for every single packet to your computer from the WLC   (so you could potentially flood your WLC with ICMP Unreachables).

I've never run into this being a problem with a single capture, but if you send multiple sniffer mode APs to wireshark, you could do some network congestion harm....

If you have a way to open port 5000, great.

If not, find a way to stop ICMP Unreachables from crossing the network? Then you have to do is filter out the ICMP Unreachables from the wireshark capture....

OR does someone know a trick to overcome this?

0 Helpful
Review Cisco Networking for a $25 gift card
Top