CCIE Enterprise Wireless (v1.0) – 3 Enterprise Wireless Network – 3.2 Lightweight APs – 3.2.a AP modes – 9800 Sniffer Mode

Posted in AP modes, Cisco 9800 Wireless, RF

The controller enables you to configure an access point as a network “sniffer”, which captures and forwards all the packets on a particular channel to a remote machine that runs packet analyzer software. These packets contain information on time stamps, signal strength, packet sizes, and so on.

Sniffers allow you to monitor and record network activity, and detect problems.


Prerequisites for Sniffer

To perform sniffing, you need the following hardware and software:

  • A dedicated access point—An access point configured as a sniffer cannot simultaneously provide wireless access service on the network. To avoid disrupting coverage, use an access point that is not part of your existing wireless network.
  • A remote monitoring device—A computer capable of running the analyzer software.
  • Software and supporting files, plug-ins, or adapters—Your analyzer software may require specialized files before you can successfully enable.

Restrictions on Sniffer

  • Supported third-party network analyzer software applications are as follows:
      • Wildpackets Omnipeek or Airopeek
      • AirMagnet Enterprise Analyzer
      • Wireshark: the latest version of Wireshark can decode the packets from the Analyze menu. Select Decode As, and set UDP port 5555 to decode as PEEKREMOTE.

1. Verify current AP mode


2. Change from current mode to “sniffer” mode



3. The access point will reboot and rejoin the controller in “sniffer” mode


4. Select the sniffer mode access point to configure its properties





Configure Wireshark for PEEKREMOTE:




Wireshark packet capture WITHOUT UDP 5555 AND PEEKREMOTE

Wireshark packet capture WITH UDP 5555 AND PEEKREMOTE


note: need to tshoot – not seeing traffic from AP on remote machine – 9800 controller…
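One way to check whether the sniffer stream reaches the capture machine at all, independent of Wireshark's Decode As setting, is to listen on UDP 5555 and count datagrams per source. This is an added example, not part of the original post; the function names, the `expected_src` parameter and the `192.0.2.10` address are assumptions made for illustration.

```python
import socket
import time
from collections import defaultdict

PEEKREMOTE_PORT = 5555  # UDP port the page decodes as PEEKREMOTE in Wireshark


def watch_sniffer_stream(bind_addr="0.0.0.0", port=PEEKREMOTE_PORT,
                         seconds=5.0, sock=None):
    """Count UDP datagrams per source for `seconds`.

    Returns {source_ip: (packets, bytes)}. Pass an already bound `sock`
    to reuse it; otherwise a socket is bound to (bind_addr, port).
    """
    own = sock is None
    if own:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((bind_addr, port))
    stats = defaultdict(lambda: [0, 0])
    deadline = time.monotonic() + seconds
    try:
        while (remaining := deadline - time.monotonic()) > 0:
            sock.settimeout(remaining)
            try:
                data, (src, _sport) = sock.recvfrom(65535)
            except socket.timeout:
                break
            stats[src][0] += 1
            stats[src][1] += len(data)
    finally:
        if own:
            sock.close()
    return {src: tuple(counts) for src, counts in stats.items()}


def diagnose(stats, expected_src):
    """Map the counters to a troubleshooting hint for the expected sender."""
    if expected_src in stats:
        return "ok: stream is arriving; check the Decode As setting in Wireshark"
    if stats:
        return "other: datagrams arrive, but not from the expected address"
    return "nothing: check the server IP on the AP radio, routing and firewalls"


if __name__ == "__main__":
    EXPECTED_SRC = "192.0.2.10"  # constructed placeholder for the sending device
    seen = watch_sniffer_stream(seconds=10)
    print(seen)
    print(diagnose(seen, EXPECTED_SRC))
```

The returned dictionary lists every address that actually sent to the port, which shows which device is sourcing the stream before you build a Wireshark display filter around it.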



Ran a quick sanity check on AireOS 8.10.105.0 to verify that placing the AP in sniffer mode and sending it to the remote server should work. And it did as expected:

1. Place AP into sniffer mode

2. Once the AP rejoins the WLC – configure the radio

3. Select the RF band to monitor



As expected I see the over the air (OTA) frames being sent to the remote capture machine.

