AP Sniffer to Wireshark

Unanswered Question
Apr 8th, 2010

I recently set up an Access Point as a sniffer in the controller and told the b/g radio the IP address of the workstation running Wireshark.  I see packets coming from the controller in the packet capture.  However, those packets do not look like regular wireless packets.  I was hoping to see the beacons and such.  Is there a way to decode wireshark to leave off the controller headers?  Is there a plug-in for Wireshark I am missing to make the traces read as though my machine did the wireless sniff instead? 

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jsmbrown Fri, 04/09/2010 - 05:58

After more careful reading on similar posts, I found the answer - posted by Olivier Nicolas.  Thank you Olivier.


They should include this in the documentation for the controller where they talk about setting up the AP and radio.

Configure AP Sniffer mode as describe in the previous link.

The  "Server IP address" is the address of the host where Wireshark is  installed.

The WLC will sent UDP packets (with source port 5555)  to the Wireshark host (with destination port 5000).

In Wireshark,  follow the UDP stream and then decode UDP destination 5000 as "AIROPEEK"  transport protocol.

You should now be able the see the frames  captured by the AP on the selected channel.


This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode