Wireshark for AP in Sniffer mode
06-30-2011 05:27 AM - edited 07-03-2021 08:22 PM
Looking for instructions on how to configure Wireshark to capture wireless traffic from a lightweight AP that's configured in Sniffer mode. The controller/AP configuration is easy enough, but looking for specifics on Wireshark config.
Controller configuration:
http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52err.html#wp1042843
Labels: Aironet Access Points
07-01-2011 12:24 AM
There is nothing much to do on Wireshark.
Just start sniffing on your Ethernet interface.
You will receive the stream from the AP.
Since the sniffed content has to be encapsulated to reach you, it's UDP 5000 unicasted to your laptop if my memory serves well.
Anyway, choose a packet and right click "Decode As". Choose "Airopeek".
Wireshark will remove the AP encapsulation and you will see the sniffed traffic just like the AP captured it.
07-01-2011 07:36 AM
Fair warning:
If UDP Port 5000 is not open on your Client, you will typically see an ICMP Unreachable sent for every single packet to your computer from the WLC (so you could potentially flood your WLC with ICMP Unreachables).
I've never run into this being a problem with a single capture, but if you send multiple sniffer mode APs to wireshark, you could do some network congestion harm....
If you have a way to open port 5000, great.
If not, find a way to stop ICMP Unreachables from crossing the network? Then all you have to do is filter out the ICMP Unreachables from the Wireshark capture....
OR does someone know a trick to overcome this?
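
An added example, not part of the thread: one way to keep the port open is a small listener on the capture host that binds UDP 5000 and discards what arrives, so the host has no reason to answer with ICMP Unreachables while Wireshark still sees the frames on the interface. The class name `UdpSink` is hypothetical, the port is the one named in the thread, and it assumes the host firewall allows inbound UDP on that port.

```python
import socket
import threading
import time
from collections import Counter

SNIFFER_PORT = 5000  # port named in the thread; adjust if your setup differs


class UdpSink:
    """Bind a UDP port and discard datagrams, counting them per sender IP."""

    def __init__(self, host="0.0.0.0", port=SNIFFER_PORT):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))
        self.sock.settimeout(0.2)  # lets the loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.per_source = Counter()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def _run(self):
        while not self._stop.is_set():
            try:
                _data, (src_ip, _src_port) = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            except OSError:
                break
            # The payload is dropped; only the sender is recorded.
            self.per_source[src_ip] += 1

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()
        return dict(self.per_source)


if __name__ == "__main__":
    sink = UdpSink().start()
    print(f"Holding UDP {sink.port} open; run the Wireshark capture, Ctrl+C to stop")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        for src, n in sink.stop().items():
            print(f"{src}: {n} datagrams discarded")
```

The per-sender counts show which devices are streaming to the host, which helps when several sniffer-mode APs point at the same machine.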
