AP Sniffer Mode

Answered Question
Feb 28th, 2009

Anyone have a good link on Sniffer AP mode?

Leo Laohoo Sat, 02/28/2009 - 23:21

Try this link:

http://www.cisco.com/en/US/docs/wireless/controller/5.1/command/reference/cli51c1.html#wp4762048


"It will capture and forward all the packets from the clients on that channel to a remote machine that runs AiroPeek (A packet analyzer for IEEE 802.11 wireless LANs). It will include information on timestamp, signal strength, packet size and so on."

George Stefanick Sun, 03/01/2009 - 05:36

Thank you .... it's interesting ... it states other analyzers, but only the plug-in for Airo...


"When the sniffer feature is enabled on an access point, it starts sniffing the signal on the given channel. It captures and forwards all the packets to the remote computer that runs Omnipeek, Airopeek, AirMagnet, or Wireshark. It includes information on timestamp, signal strength, packet size and so on.

Before an access point can act as a sniffer, a remote computer that runs one of the listed packet analysers must be set up so that it can receive packets sent by the access point. After the Airopeek installation, copy the following .dll files to the location where airopeek is installed."


Does this mean you need the Airo plug-in for all the other analyzers too?

Leo Laohoo Sun, 03/01/2009 - 13:48

I believe this is a .DLL plug-in. So yes.

Johannes Luther Mon, 03/02/2009 - 01:06

Has anyone ever managed to do Sniffer mode with Wireshark? If yes, please share how you did it - unfortunately the Cisco documentation is very poor about that.

Correct Answer
olivier.nicolas... Wed, 04/08/2009 - 11:34

Configure AP Sniffer mode as described in the previous link.

The "Server IP address" is the address of the host where Wireshark is installed.

The WLC will send UDP packets (with source port 5555) to the Wireshark host (with destination port 5000).

In Wireshark, follow the UDP stream and then decode UDP destination 5000 as "AIROPEEK" transport protocol.

You should now be able to see the frames captured by the AP on the selected channel.
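
What arrives on the Wireshark host, as an added example that is not part of the original posts: this Python code picks the UDP 5555 to 5000 datagrams out of raw Ethernet frames and splits off the per-frame metadata (timestamp, signal strength, packet size) that the quoted documentation mentions. The 20-byte header layout is an assumption (the legacy Airopeek layout, not stated anywhere in this thread), and all function names, addresses and sample bytes are constructed for illustration.

```python
import struct

SNIFFER_SRC_PORT = 5555  # source port of the WLC stream, per the answer above
SNIFFER_DST_PORT = 5000  # destination port on the Wireshark host
HDR_LEN = 20             # ASSUMED legacy Airopeek header length (not from the thread)

def parse_udp_frame(frame):
    """Return (sport, dport, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    udp = frame[14 + ihl:]
    if ihl < 20 or frame[23] != 17 or len(udp) < 8:
        return None
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return (sport, dport, udp[8:ulen]) if 8 <= ulen <= len(udp) else None

def parse_sniffer_datagram(payload):
    """Split one datagram into radio metadata and the captured 802.11 frame."""
    if len(payload) < HDR_LEN:
        raise ValueError("datagram shorter than the assumed 20-byte header")
    # ASSUMED layout: signal dBm, noise dBm, packet len, slice len, flags,
    # status, timestamp, data rate, channel (then signal %, noise %).
    sig, _, plen, _, _, _, ts, _, chan = struct.unpack("!bbHHBBQBB", payload[:18])
    return {"signal_dbm": sig, "packet_length": plen, "timestamp": ts,
            "channel": chan, "frame": payload[HDR_LEN:]}

def sniffer_records(frames):
    """Decode only UDP 5555 -> 5000 datagrams; skip everything else."""
    out = []
    for raw in frames:
        p = parse_udp_frame(raw)
        if p and p[0] == SNIFFER_SRC_PORT and p[1] == SNIFFER_DST_PORT:
            out.append(parse_sniffer_datagram(p[2]))
    return out

def build_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP test frame (documentation addresses)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return b"\x02" * 12 + b"\x08\x00" + ip + udp

# Constructed sample: 20-byte header + 14-byte stand-in for an 802.11 frame.
SAMPLE = struct.pack("!bbHHBBQBBBB", -52, -95, 14, 14, 0, 0, 1000, 2, 6, 60, 5) + bytes(14)
FRAMES = [build_frame(5555, 5000, SAMPLE), build_frame(5555, 53, SAMPLE)]

if __name__ == "__main__":
    print(sniffer_records(FRAMES))
```

If the decoded channel or signal values look implausible on real traffic, the header assumption does not match your controller release; rely on the Wireshark "decode as" step from the answer instead.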



George Stefanick Sat, 04/11/2009 - 19:10

Getting closer! Thank you for your reply!


Question: is there a link on how to decode as AIROPEEK, so I can read up? THANKS AGAIN!

George Stefanick Sat, 04/11/2009 - 19:16

I got it ... THANK YOU SO MUCH!


