The controller enables you to configure an access point as a network “sniffer”, which captures and forwards all the packets on a particular channel to a remote machine that runs packet analyzer software. These packets contain information on time stamps, signal strength, packet sizes, and so on.
Sniffers allow you to monitor and record network activity, and detect problems.
Prerequisites for Sniffer
To perform sniffing, you need the following hardware and software:
- A dedicated access point—An access point configured as a sniffer cannot simultaneously provide wireless access service on the network. To avoid disrupting coverage, use an access point that is not part of your existing wireless network.
- A remote monitoring device—A computer capable of running the analyzer software.
- Software and supporting files, plug-ins, or adapters—Your analyzer software may require specialized files before you can successfully enable.
Restrictions on Sniffer
- Supported third-party network analyzer software applications are as follows:
  - Wildpackets Omnipeek or Airopeek
  - AirMagnet Enterprise Analyzer
  - Wireshark. The latest version of Wireshark can decode the packets: go to the Analyze menu, select "Decode As", and switch UDP port 5555 to decode as PEEKREMOTE.
1. Verify current AP mode
2. Change from current mode to “sniffer” mode
3. The access point will reboot and rejoin the controller in “sniffer” mode
4. Select the sniffer mode access point to configure its properties
Configure Wireshark for PEEKREMOTE:
Wireshark packet capture WITHOUT UDP 5555 and PEEKREMOTE
Wireshark packet capture WITH UDP 5555 and PEEKREMOTE
Note: need to tshoot – not seeing traffic from AP on remote machine – 9800 controller…
Ran a quick sanity check on AireOS 188.8.131.52 to verify that placing the AP in sniffer mode and sending it to the remote server should work. And it did as expected:
1. Place AP into sniffer mode
2. Once the AP rejoins the WLC – configure the radio
3. Select the RF band to monitor
As expected, I see the over-the-air (OTA) frames being sent to the remote capture machine.
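
When no traffic shows up in Wireshark, a first check on the capture machine is whether any datagrams reach UDP 5555 at all, and from which source. The script below is an added example, not part of the original post; the script name, the optional AP IP argument and the listen duration are assumptions to adapt to your site.

```python
import socket
import sys
import time

SNIFFER_PORT = 5555  # UDP port the page maps to PEEKREMOTE in Wireshark


def count_sources(sock, seconds):
    """Return {source_ip: [datagrams, bytes]} for UDP traffic seen on sock."""
    stats = {}
    deadline = time.monotonic() + seconds
    while (remaining := deadline - time.monotonic()) > 0:
        sock.settimeout(remaining)
        try:
            data, (src, _sport) = sock.recvfrom(65535)
        except socket.timeout:
            break
        entry = stats.setdefault(src, [0, 0])
        entry[0] += 1          # datagram count for this source
        entry[1] += len(data)  # payload bytes for this source
    return stats


def diagnose(stats, ap_ip=None):
    """Turn the counters into a one-line finding for the capture host."""
    if not stats:
        return "no datagrams arrived: check server IP on the AP, routing, host firewall"
    if ap_ip and ap_ip not in stats:
        return f"traffic arrived, but none from {ap_ip}: seen {sorted(stats)}"
    return "receiving: " + ", ".join(
        f"{ip} {n} datagrams/{b} bytes" for ip, (n, b) in sorted(stats.items()))


if __name__ == "__main__":
    # Usage (hypothetical name): python3 check_sniffer.py [ap_ip] [seconds]
    ap = sys.argv[1] if len(sys.argv) > 1 else None
    secs = float(sys.argv[2]) if len(sys.argv) > 2 else 10.0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", SNIFFER_PORT))
        print(diagnose(count_sources(s, secs), ap))
```

If the script reports datagrams from the AP but Wireshark shows only undecoded UDP, the remaining problem is the "Decode As" setting rather than the network path.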