11-05-2009 10:52 AM - edited 07-03-2021 06:14 PM
Okay I set a LAP-1242 out in the wild in "Sniffer" mode.
What I can't figure out is how do I get to the actual data it is sniffing. Does it save it in WCS as a log or something?
11-05-2009 11:02 AM
Typically the sniffer is used with the wIPS module that is on the MSE appliance you can add to your WCS.
http://www.cisco.com/en/US/docs/wireless/technology/wips/deployment/guide/wipsdep.html
11-05-2009 11:16 AM
And if I don't have that I can't use it?
11-05-2009 12:28 PM
You can use it without the wIPS. If you set an AP to be in sniffer mode, it will ask you to reboot the AP. After it reboots, if you go to that AP's interface configuration page (a or b/g), there is a checkbox that says 'Sniff', and after it is checked it lets you pick a channel to sniff on and an IP address of a host to send the wireless capture to.
If you enter the IP address of some host on the network (wired or wireless) that has a sniffing program (Omnipeek, Wireshark, etc.) running on it, you should get the captures on that PC.
Does this help at all?
11-06-2009 06:44 AM
Don't forget to decode UDP Port 5555 as "AiroPeek" in the Wireshark Decode Options, so you can read the Frames in clear. Regards, Michael
11-09-2009 08:05 AM
Hi Scott, I think that there was a Post before mine that has been removed, why ever... If you had changed AP Mode to Sniffer and it has rebooted, you can define on which channel the AP has to sniff and to which IP the Packets should be streamed. All unnecessary Headers will be removed. The Stream is encapsulated in UDP SRC 5555 DST 5000. Open Wireshark and trace your NIC. Filter and drop the ICMP unreachables. Mark one Frame with UDP SRC 5555, right mouse click, "Decode As..." -> AiroPeek, et voilà, all Packets from the Sniffer AP are 802.11 in clear. Regards, Michael
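An added example, not part of any post in this thread: a Python sketch that separates the sniffer AP's stream (UDP source 5555, destination 5000, as described above) from the ICMP unreachables in raw Ethernet frames captured on the receiving host. The sample frames, the 192.0.2.x addresses and the function names are constructed for illustration; the encapsulated payload is left undecoded, since the AiroPeek header layout is not given on this page.

```python
import struct

SNIFFER_SRC, SNIFFER_DST = 5555, 5000        # UDP ports named in the thread

def classify(frame: bytes):
    """Classify one Ethernet frame seen on the capture host."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return ("other", None)                # too short, or not IPv4
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    proto = frame[23]
    src_ip = ".".join(str(b) for b in frame[26:30])
    l4 = frame[14 + ihl:]
    if proto == 17 and len(l4) >= 8:          # UDP
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        if (sport, dport) == (SNIFFER_SRC, SNIFFER_DST):
            return ("sniffer", (src_ip, l4[8:ulen]))   # encapsulated capture
    if proto == 1 and len(l4) >= 1 and l4[0] == 3:     # ICMP type 3
        return ("icmp_unreachable", src_ip)   # the noise the thread filters out
    return ("other", None)

def summarize(frames):
    """Per-AP packet and payload-byte counts, plus the traffic set aside."""
    out = {"streams": {}, "icmp_unreachable": 0, "other": 0}
    for f in frames:
        kind, detail = classify(f)
        if kind == "sniffer":
            ap, payload = detail
            pkts, nbytes = out["streams"].get(ap, (0, 0))
            out["streams"][ap] = (pkts + 1, nbytes + len(payload))
        else:
            out[kind] += 1
    return out

# --- constructed sample frames (checksums left at zero) ---
def _eth_ipv4(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

AP, HOST = "192.0.2.10", "192.0.2.50"         # hypothetical sniffer AP and capture host
SAMPLE = [
    _eth_ipv4(AP, HOST, 17, _udp(5555, 5000, b"A" * 40)),
    _eth_ipv4(HOST, AP, 1, bytes([3, 3, 0, 0, 0, 0, 0, 0]) + b"\x00" * 28),
    _eth_ipv4(AP, HOST, 17, _udp(5555, 5000, b"B" * 60)),
    _eth_ipv4(HOST, "192.0.2.1", 17, _udp(53000, 53, b"q")),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
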