CCIE Enterprise Wireless (v1.0) – 3 Enterprise Wireless Network – 3.2 Lightweight APs – 3.2.a AP modes

The controller enables you to configure an access point as a network “sniffer”, which captures and forwards all the packets on a particular channel to a remote machine that runs packet analyzer software. These packets contain information on time stamps, signal strength, packet sizes, and so on.

Sniffers allow you to monitor and record network activity, and detect problems.

Prerequisites for Sniffer

To perform sniffing, you need the following hardware and software:

A dedicated access point—An access point configured as a sniffer cannot simultaneously provide wireless access service on the network. To avoid disrupting coverage, use an access point that is not part of your existing wireless network.
A remote monitoring device—A computer capable of running the analyzer software.
Software and supporting files, plug-ins, or adapters—Your analyzer software may require specialized files before you can successfully enable.

Restrictions on Sniffer

Supported third-party network analyzer software applications are as follows:
Wildpackets Omnipeek or Airopeek
AirMagnet Enterprise Analyzer
Wireshark The latest version of Wireshark can decode the packets by going to the Analyze mode. Select decode as, and switch UDP5555 to decode as PEEKREMOTE.

Verify current AP mode

2. Change from current mode to “sniffer” mode

3.The access point will reboot and rejoin the controller in “sniffer” mode

4. Select the sniffer mode access point to configure its properties

Configure wireshark for peekremote –

wireshark packet capture WITHOUT UDP 5555 AND PEEKREMOTE

wireshark packet capture WITHUDP 5555 AND PEEKREMOTE

note: need to tshoot – not seeing traffic from AP on remote machine – 9800 controller…

Ran a quick sanity check on AireOS 8.10.105.0 to verify that placing the AP in sniffer mode and sending it to the remoter server should work. And it did as expected: