Sniffer mode cisco AP

 

Today I had an issue that one client couldn’t connect to an SSID while all the others have no issues. The wireless network there is working for more than 1 year without any issues.

I got the debugs from the controller and I saw that the client stopped talking to the AP and the WLC was de authenticating the client (that’s what I understand from the WLC logs and debugs [Sent Deauthenticate to mobile on BSSID…]) I was almost sure that this is a client issue (drivers etc as the issue was only for this client)

 

As I am in the preparation process for CWAP exam I thought that taking a capture would help me to understand what its going wrong.   

The only way to capture was to change an existing AP in sniffer mode as I couldn’t visit the customer due to this covid situation.

 

I tried to do it (set a neighbour AP in sniffer mode configure the channels and destination to send the capture) but unfortunately, I couldn’t see any packets in Wireshark.


That’s why I spent my night to setup a lab in order to make it work tomorrow 😊


Finally, I make it work and If you want to learn how it works you can take a beer and continue reading the “guide” below.

 

Firstly, you have to go in wireless tab and find the AP you want to change in sniffer mode.



Change the AP mode to sniffer. Now the AP will be lost from the controller and will return back in sniffer mode. (This takes around 2 3 minutes)

Note that when the AP operates in sniffer mode do not broadcasting ani SSID. ITS NOT SERVING CLIENTS.




Go to wireless -> Radios and select which band you want to sniff (2.4 or 5). Choose every band you want. You can choose both if you want



At the right of the screen find the configure




Enable Sniff check box

At the server Ip Address specify the PC with Wireshark (When enable Wireshark on this pc you will sniff on the ethernet nic)

Specify the channel

Do the same in the RF Channel Assignment



That’s was the steps in WLC site.

 

Open the PC with wireshark and start sniffing the ethernet card

The controller Is encapsulating the sniffed traffic into udp port 5555

You should see something like this. *Note: two times I faced a strange scenario where I couldn’t see any wireless traffic. I removed and reinstalled wireshark and the issue resolved



As a last step you have to decode this traffic as a peekremote

Go to Analyze tab, select Decode As. Select UDP, valu as 5555 and PEEKREMOTE.

 



You should now be able to see the wireless traffic like below.



Reference:

https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2016/pdf/BRKEWN-3000.pdf







Comments

Post a Comment

Popular posts from this blog

Upgrade WLC / Supplementary image

  Today I had to upgrade an AIROS cisco 2504 WLC. After checking if the APs are supported by the new recommended version I noticed that I had to install the supplementary image also. The reason was that 1602i APs wasn’t supported by the main image in 8.5.171.0 version. Due to image size cisco created separate file for some AP images called Supplementary AP Bundle image. Procedure:   Step 1:   Check the current WLC image (Cisco Controller) >show boot Primary Boot Image............................... 8.3.150.0 (default) (active) Backup Boot Image................................ 8.0.152.0 Step 2: Upload the new image ( AIR-CT2500-K9-8-5-171-0.aes ) I did the below procedure via HTTPS. Verify (Cisco Controller) >show boot Primary Boot Image............................... 8.5.171.0 (default) Backup Boot Image................................ 8.3.150.0 (active) Step 3: Check Supported APs of the new version (Cisco Controller) >show ap bundle primary Primary Version
Read more

Converting lightweigh to standalone AP and vice versa

Connect with console cable to the cisco AP Default credentials Username : cisco Password: Cisco You can find the AP image type by running the command show version When the AP image ends with k9w8 means the AP is lightweight When the AP image ends with k9w7 means the AP is Standalone AP7cad.74ff.975e> sho version Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JK2, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2020 by Cisco Systems, Inc. Compiled Wed 01-Apr-20 04:25 by prod_rel_team ROM: Bootstrap program is C3700 boot loader BOOTLDR: C3700 Boot Loader (AP3G2-BOOT-M) LoaderVersion 15.2(4)JB, RELEASE SOFTWARE (fc1) AP7cad.74ff.975e uptime is 5 minutes System returned to ROM by power-on System image file is "flash:/ap3g2- k9w8 -mx.153-3.JK2/ap3g2-k9w8-xx.153-3.JK2" Last reload reason: Reason Not Known To convert the AP from lightweight to standalone please follow the below pro
Read more

ISE Direct Upgrade URT

Run Upgrade Readiness Tool (URT) to validate config DB upgrade from 2.7,3.0,3.1 to 3.2. This is a signed bundle for image integrity (ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz) In this case i am running ise 3.1 patch 7 and will upgrade to 3.2 As we are running an HA the URT need to run on secondary admin node. Got the below error once i tried to run it on Primary Checking ISE persona ======================================================   - Failed (URT can only be run on Secondary Admin Node or Standalone % Application install or upgrade cancelled. ise03/admin# ====================================================== *Note When you need to run it on secondary note, you have to generate on secondary the key (crypto host_key add host 10.10.10.10) and then you can run the URT. Below is URT logging ise04/adMIN# application install ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz  ""SFTP-SRV01"" Save the current ADE-OS running configuration? (yes/no) [yes] ? yes Gen
Read more