Sniffer mode Cisco AP
Today I had an issue where one client couldn't connect to an SSID while all the others had no issues. The wireless network there has been working for more than a year without any issues.
I got the debugs from the controller and I saw that the client stopped talking to the AP and the WLC was deauthenticating the client (that's what I understand from the WLC logs and debugs [Sent Deauthenticate to mobile on BSSID…]). I was almost sure that this was a client issue (drivers etc., as the issue affected only this client).
As I am preparing for the CWAP exam, I thought that taking a capture would help me understand what was going wrong.
The only way to capture was to change an existing AP to sniffer mode, as I couldn't visit the customer due to the COVID situation.
I tried to do it (set a neighbour AP to sniffer mode, configure the channels and the destination to send the capture to) but unfortunately I couldn't see any packets in Wireshark.
That's why I spent my night setting up a lab in order to make it work tomorrow 😊
Finally, I made it work, and if you want to learn how it works you can grab a beer and continue reading the "guide" below.
Firstly, go to the Wireless tab and find the AP you want to change to sniffer mode.
Change the AP mode to Sniffer. The AP will now drop from the controller and rejoin in sniffer mode (this takes around 2-3 minutes).
Note that when the AP operates in sniffer mode it does not broadcast any SSID. IT IS NOT SERVING CLIENTS.
Go to Wireless -> Radios and select which band you want to sniff (2.4 or 5 GHz). Choose every band you want; you can choose both.
At the right of the screen find Configure.
Enable the Sniff check box.
In the Server IP Address field specify the PC running Wireshark (when you start Wireshark on this PC you will capture on the Ethernet NIC).
Specify the channel.
Do the same in the RF Channel Assignment section.
Those were the steps on the WLC side.
Open Wireshark on the PC and start capturing on the Ethernet card.
The controller encapsulates the sniffed traffic in UDP on port 5555.
You should see something like this. *Note: twice I faced a strange scenario where I couldn't see any wireless traffic. I removed and reinstalled Wireshark and the issue was resolved.
As a last step you have to decode this traffic as PEEKREMOTE.
Go to the Analyze tab and select Decode As. Select UDP, value 5555, and PEEKREMOTE.
You should now be able to see the wireless traffic like
below.
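If you want to process such a capture outside the Wireshark GUI (for example to pull every deauthentication the AP saw for one client, which is what the troubleshooting above was after), the UDP/5555 payloads can be decoded directly. The script below is an added example, not code from the original post or from Cisco: it parses the 20-byte legacy PEEKREMOTE header the way Wireshark's peekremote dissector lays it out (signal/noise dBm, packet and slice length, flags, status, 64-bit microsecond timestamp, rate in 500 kbit/s units, channel, signal/noise percent), then decodes the 802.11 MAC header that follows and reports deauthentication and disassociation frames with their reason code. The three datagrams in `build_sample_capture()` and the MAC addresses in them are constructed sample data; `parse_peekremote`, `parse_dot11` and `find_deauths` are names chosen for this example. Check the header layout against your own capture before relying on it, and note that the trailing FCS, if the AP includes one, is left on the frame.

```python
"""Decode Cisco AP sniffer-mode datagrams (PEEKREMOTE over UDP 5555) and pull
out deauthentication / disassociation frames with their reason codes.

Added example, not from the original post. The 20-byte legacy PEEKREMOTE header
layout follows Wireshark's peekremote dissector; the datagrams produced by
build_sample_capture() are constructed sample data, not a real capture.
"""
import struct
from dataclasses import dataclass

PEEKREMOTE_UDP_PORT = 5555

# Legacy PEEKREMOTE header (big-endian, 20 bytes): signal dBm, noise dBm,
# packet length, slice length, flags, status, timestamp (microseconds),
# data rate (units of 500 kbit/s), channel, signal %, noise %.
# The raw 802.11 frame follows immediately after the header.
LEGACY_HDR = struct.Struct(">bbHHBBQBBBB")

# 802.11 reason codes that show up most often when a client gets kicked
REASON_CODES = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Deauthenticated because sending STA is leaving",
    4: "Disassociated due to inactivity",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
}


@dataclass
class PeekRemoteFrame:
    signal_dbm: int
    noise_dbm: int
    timestamp_us: int
    rate_mbps: float
    channel: int
    dot11: bytes  # raw 802.11 frame (FCS, if present, is not stripped here)


def parse_peekremote(payload: bytes) -> PeekRemoteFrame:
    """Split one UDP/5555 payload into the PEEKREMOTE header and the 802.11 frame."""
    if len(payload) < LEGACY_HDR.size:
        raise ValueError("payload shorter than the 20-byte PEEKREMOTE header")
    sig, noise, _plen, _slen, _flags, _status, ts, speed, chan, _sp, _np = \
        LEGACY_HDR.unpack_from(payload)
    return PeekRemoteFrame(sig, noise, ts, speed / 2.0, chan, payload[LEGACY_HDR.size:])


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_dot11(frame: bytes) -> dict:
    """Decode the 802.11 MAC header; add the reason code for deauth/disassoc frames."""
    if len(frame) < 24:
        raise ValueError("802.11 frame shorter than a 24-byte MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]  # frame control is little-endian
    info = {
        "type": (fc >> 2) & 0x3,                 # 0 mgmt, 1 ctrl, 2 data
        "subtype": (fc >> 4) & 0xF,
        "addr1": _mac_str(frame[4:10]),          # DA for management frames
        "addr2": _mac_str(frame[10:16]),         # SA for management frames
        "addr3": _mac_str(frame[16:22]),         # BSSID for management frames
    }
    if info["type"] == 0 and info["subtype"] in (10, 12):  # 10 = disassoc, 12 = deauth
        reason = struct.unpack_from("<H", frame, 24)[0]
        info["reason"] = reason
        info["reason_text"] = REASON_CODES.get(reason, f"reason {reason}")
    return info


def find_deauths(datagrams: list) -> list:
    """Return one record per deauth/disassoc frame found in a list of UDP/5555 payloads."""
    events = []
    for payload in datagrams:
        pr = parse_peekremote(payload)
        d = parse_dot11(pr.dot11)
        if "reason" in d:
            d.update(channel=pr.channel, signal_dbm=pr.signal_dbm, timestamp_us=pr.timestamp_us)
            events.append(d)
    return events


# --- constructed sample capture (three datagrams) so the example runs offline ---
def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _mgmt_frame(subtype: int, da: str, sa: str, bssid: str, body: bytes) -> bytes:
    fc = struct.pack("<H", subtype << 4)  # type bits 00 = management
    return fc + b"\x00\x00" + _mac(da) + _mac(sa) + _mac(bssid) + b"\x10\x00" + body


def _peek_wrap(dot11: bytes, channel: int, signal_dbm: int, ts_us: int) -> bytes:
    # One UDP datagram as the sniffer AP would send it: header (rate 12 = 6 Mbit/s) + frame
    return LEGACY_HDR.pack(signal_dbm, -95, len(dot11), len(dot11), 0, 0,
                           ts_us, 12, channel, 60, 5) + dot11


def build_sample_capture() -> list:
    bssid, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"  # constructed addresses
    beacon = _mgmt_frame(8, "ff:ff:ff:ff:ff:ff", bssid, bssid, b"\x00" * 12)
    data = (struct.pack("<H", 2 << 2) + b"\x00\x00" + _mac(bssid) + _mac(client)
            + _mac(bssid) + b"\x20\x00" + b"\xaa\xaa\x03")
    deauth = _mgmt_frame(12, client, bssid, bssid, struct.pack("<H", 7))
    return [_peek_wrap(beacon, 36, -48, 1_000_000),
            _peek_wrap(data, 36, -60, 1_000_500),
            _peek_wrap(deauth, 36, -48, 1_001_000)]


if __name__ == "__main__":
    for ev in find_deauths(build_sample_capture()):
        print(f"ch {ev['channel']} {ev['signal_dbm']} dBm: {ev['addr2']} -> {ev['addr1']} "
              f"deauth, {ev['reason_text']}")
```

To use it on a real capture, read the UDP payloads destined to port 5555 from your pcap (for example with a pcap reader library) and hand the list to `find_deauths()`; filtering the returned records by `addr1` gives the timeline for the one client that could not stay connected, with the reason code the AP or WLC put in each frame.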
Reference:
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2016/pdf/BRKEWN-3000.pdf