New Member

Wireless Sniffing - How to get to see the Payload?

Hello everybody. I'm now troubleshooting a wireless problem, so I want to sniff the traffic from the device.

What I've done so far:

- Set up an AP in sniffing mode

- Redirected the traffic to my client

- Sniffing the traffic

I can see the traffic in Wireshark, but I cannot see the payload.

I should see the DHCP request and so on, but I cannot see this information in Wireshark.

All I see is source MAC (my device), destination MAC - broadcast.

I did it just like the how-to told me to:

https://supportforums.cisco.com/docs/DOC-19214

What am I missing?

Thank You

Chris

13 REPLIES
New Member

Re: Wireless Sniffing - How to get to see the Payload?

If you have any type of encryption used on the SSID, you won't see the payload as it's encrypted. You'll only see up to layer 2 (i.e. the WLAN headers).

If you have a PSK, it would be possible to put this into Wireshark and decrypt the payload, but if you're using 802.1x, you cannot decrypt, as the encryption keys change constantly.

HTH.

Sent from Cisco Technical Support iPad App

New Member

Re: Wireless Sniffing - How to get to see the Payload?

Hello

Thank you for your answer!

But there is no encryption used. It's a guest WLAN.

So this should not be the problem.

New Member

Re: Wireless Sniffing - How to get to see the Payload?

Chris,

The only other thing I can think of is that the frames are getting truncated somewhere.

Maybe you have some sort of frame slicing configured in Wireshark to keep the capture size down?

Nigel.

Sent from Cisco Technical Support iPad App

New Member

Re: Wireless Sniffing - How to get to see the Payload?

Hello Nigel

Thank you. I made some other mistakes. Everything solved.

BUT now I have the problem that I have the data in Wireshark, but not in a human-readable state.

Do you know how to change this?

Bronze

Re:Wireless Sniffing - How to get to see the Payload?

What are you using as the decoder for the frames? Are you using the AIROPEEK transport protocol?

Sent from Cisco Technical Support Android App

New Member

Re:Wireless Sniffing - How to get to see the Payload?

In Wireshark it's called PEEKREMOTE. They changed it with the newer releases.

So yes, I decode with that.

Bronze

Re:Wireless Sniffing - How to get to see the Payload?

That's right, thank you. Any luck with the payload? It's been a while since I tried this.


Sent from Cisco Technical Support Android App

Bronze

Re:Wireless Sniffing - How to get to see the Payload?

I managed to get one going here. Is the sniffer mode AP close enough to clients connecting to nearby APs, and are you sniffing on the same channel as a nearby AP?


Sent from Cisco Technical Support Android App

New Member

Re:Wireless Sniffing - How to get to see the Payload?

Yes. Like we mentioned before, we see traffic, but the data is not readable for us.

The goal is to sniff the WISPr requests and hopefully the response from iOS 7 devices.

So I need to see the data, and as far as I know this should be plain text.

Bronze

Re:Wireless Sniffing - How to get to see the Payload?

OK, thanks. Interesting, so this wouldn't be anything the controller would see in a client debug. Did you see this link on the WISPr URLs used in iOS 7? http://www.cadincweb.com/why-your-apple-ios-7-device-wont-connect-to-the-wifi-network

New Member

Re:Wireless Sniffing - How to get to see the Payload?

Yes, I saw that link and must tell that it is incorrect. With iOS 7 Apple now has 200+ URLs for WISPr.

All I want to see is if there is a WISPr request and hopefully an answer, and where the answer is from.

Cisco Employee

Wireless Sniffing - How to get to see the Payload?

You can sniff the client connecting AP port using Wireshark.

New Member

Wireless Sniffing - How to get to see the Payload?

I seem to be seeing the same issue: seeing sniffed mcast/broadcast packets from wireless clients - no unicast.

WLC is running 7.5.10.12 using (2) 3602s, 1 AP in FlexC mode, the other in sniffer mode.

I've tried using both 5G and 2.4G radios, making sure both clients and both APs are all matched.

I even dropped that to only 2.4 and the available RF rates to a max of 11M - the behavior never changes.

Using Wireshark 1.10.5

Decoding packets as PEEKREMOTE.

Have set/unset CAPWAP/LWAPP "swap control bit" - no difference

Enabled/disabled CAPWAP "Cisco wireless controller support" - no difference

Perhaps a Wireshark dissector issue? I'm seeing many/larger frames in these captures all decoded as:

IEEE 802.11 Unrecognized (Reserved frame), Flags: .........

Type/Subtype: Unknown (0x36)

Frame Control Field: 0x6c00

Curious if others with similar setup have this working correctly or not - ?
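Added example, not part of the thread or any poster's code: a Python triage of the causes raised in the replies (encryption, frame slicing, frames that do not decode as valid 802.11), run over constructed sample frames. It assumes the input starts at the 802.11 header, after the PEEKREMOTE encapsulation has been stripped, and that the `0x6c00` quoted above is the two Frame Control bytes in on-air order; every other byte is constructed.

```python
import struct

LLC_SNAP = b"\xaa\xaa\x03"  # LLC header that precedes a cleartext payload in data frames

def decode_fc(fc):
    """Decode the two Frame Control bytes, given in on-air order."""
    b0, flags = fc[0], fc[1]
    ftype, subtype = (b0 >> 2) & 0x3, (b0 >> 4) & 0xF
    return {"version": b0 & 0x3, "type": ftype, "subtype": subtype,
            "type_subtype": (ftype << 4) | subtype,  # combined value Wireshark displays
            "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
            "protected": bool(flags & 0x40), "order": bool(flags & 0x80)}

def triage(frame):
    """Say why the payload of one captured 802.11 frame is or is not readable."""
    if len(frame) < 2:
        return "truncated"
    fc = decode_fc(frame)
    if fc["version"] != 0 or fc["type"] == 3:
        return "reserved-type"      # what Wireshark reported as "Reserved frame"
    if fc["type"] != 2 or fc["subtype"] & 0x4:
        return "no-payload"         # management, control or null-data frame
    if fc["protected"]:
        return "encrypted"          # Protected bit set: body is ciphertext
    hdr = 24                        # FC, duration, three addresses, sequence control
    if fc["to_ds"] and fc["from_ds"]:
        hdr += 6                    # fourth address
    if fc["subtype"] & 0x8:
        hdr += 2                    # QoS control
        if fc["order"]:
            hdr += 4                # HT control
    if len(frame) < hdr + 8:
        return "truncated"          # sliced before the LLC/SNAP header ends
    if frame[hdr:hdr + 3] != LLC_SNAP:
        return "unknown-payload"
    (ethertype,) = struct.unpack("!H", frame[hdr + 6:hdr + 8])
    return "cleartext ethertype=0x%04x" % ethertype

# Constructed sample frames (not taken from any real capture)
ADDRS = bytes.fromhex("ffffffffffff" "020000000001" "020000000002")
BODY = LLC_SNAP + bytes.fromhex("000000" "0800") + b"\x45" + bytes(19)
OPEN_DATA = bytes.fromhex("0801" "0000") + ADDRS + bytes(2) + BODY
PROTECTED_QOS = bytes.fromhex("8841" "0000") + ADDRS + bytes(4) + bytes(32)
FROM_POST = bytes.fromhex("6c00") + bytes(30)  # only 0x6c00 comes from the thread

if __name__ == "__main__":
    for name, f in [("open data", OPEN_DATA), ("protected QoS", PROTECTED_QOS),
                    ("sliced", OPEN_DATA[:24]), ("0x6c00", FROM_POST)]:
        print(name, "->", triage(f))
```

A first byte of `0x6c` decodes to version 0, type 3, subtype 6, which is the `0x36` Type/Subtype Wireshark shows; a capture where most frames land in that bucket points to bytes being read at the wrong offset or with the wrong decoder rather than to unusual traffic.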
