How do you to see the CAPWAP encapsulated packets (AP <-> WLC in controller based wireless deployment) using a wireshark ?

By default if you span the port connected to Light Weight Access point (in my case fa1/0/2) into another switchport (Fa1/0/10) by using the following CLI commands on the swtich, you will see something below in the screen.

monitor session 2 source interface Fa1/0/2
monitor session 2 destination interface Fa1/0/10

You can see it is a CAPWAP packet by using the destination port ( UDP 5247 for capwap-data &  UDP 5246 for capwap-control). But you will notice it appeared as ” Malformed Packet” at cannot see what’s inside this capwap packet.

To avoid this you have to tick the following option in Wireshark. Click Edit -> Preferences

Select CAPWAP under the protocol section & you will see something below. There is a check box for “Cisco Wireless Controller Support” which is un-checked by default.

If you checked that tick-box & get the capture again. You won’t see this ” Malformed Packet” in the capture & can see what’s inside CAPWAP packet. see below (in my case UDP traffic for a voice call).

On a side note, you can see, AP encapsulates all traffic into CAPWAP. Therefore switch port cannot see this original packet header (only see the outer IP header used by CAPWAP). Therefore we cannot classify AP traffic (in Lightweight mode) at the switch port based on original packet’s information (in this case we cannot classify as VoIP traffic by using udp range 16384 32767).

If you want to configure QoS on AP connected switch-ports, the  best we can do is the  trust the DSCP value by using “mls qos trust dscp” command. The outer header DSCP value derived from the original packet DSCP.No policy map to classify traffic at the switchport level (which is normal on the wired switch-ports when configuring QoS). Due to the same reason “ mls qos trust CoS” at the WLC connected switch port as normally they are configured as Layer 2 Trunk.