Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
709
Views
0
Helpful
5
Replies

How do you Sniff with a lightweight?

scott.hammond
Level 1
Level 1

‎11-05-2009 10:52 AM - edited ‎07-03-2021 06:14 PM

Okay I set a LAP-1242 out in the wild in "Sniffer" mode.

What I cant figure out is how do I get to the actual data it is sniffing. Does it save it in WCS as a log or something?

Labels:
0 Helpful
5 Replies 5

Lucien Avramov
Level 10
Level 10

‎11-05-2009 11:02 AM

typically the sniffer is used with the wIPS module that is on the MSE appliance you can add to your WCS.

http://www.cisco.com/en/US/docs/wireless/technology/wips/deployment/guide/wipsdep.html

0 Helpful

scott.hammond
Level 1
Level 1
In response to Lucien Avramov

‎11-05-2009 11:16 AM

and if I dont have that I cant use it?

0 Helpful

joseph.kukis
Level 1
Level 1

‎11-05-2009 12:28 PM

You can use it without the wIPS. If you set an AP to be in sniffer mode, it will ask you to reboot the AP. After it reboots, if you go to that AP's interface configuration page(a or b/g), there is a checkbox that says 'Sniff' and after it is checked it lets you pick a channel to sniff on, and an IP address of a host to send the wireless capture to.

If you enter the IP address of some host on the network(wired or wireless) that has a sniffing program (Omnipeek, wireshark, etc) running on it, you should get the captures on that pc.

Does this help at all?

0 Helpful

MICHAEL SCHROEDER
Level 3
Level 3
In response to joseph.kukis

‎11-06-2009 06:44 AM

Dont forget to decode UDP Port 5555 as "AiroPeek" in the Wireshark Decode Options, so you can read the Frames in clear. Regards, Michael

0 Helpful

MICHAEL SCHROEDER
Level 3
Level 3

‎11-09-2009 08:05 AM

Hi Scott, i think that there was a Post before mine, that has been removed, why ever... If you had changed AP Mode to Sniffer and it has rebooted, you can define on which channel the AP has to sniff and to which IP the Packets should be streamed. All unneccessary Headers will be removed. The Stream is encapsulated in UDP SRC 5555 DST 5000. Open Wireshark and trace your NIC. Filter and Drop the ICMP unreachables. Mark one Frame with UDP SRC 5555, click Right Mose, "Decode As..." -> AiroPeek, é Voila, all Packets from the Sniffer AP are 802.11 in Clear. Regards, Michael

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card