How do you see the CAPWAP-encapsulated packets (AP <-> WLC in a controller-based wireless deployment) using Wireshark?
By default, if you SPAN the port connected to the lightweight access point (in my case Fa1/0/2) to another switch port (Fa1/0/10) using the following CLI commands on the switch, you will see something like the screenshot below.
monitor session 2 source interface Fa1/0/2
monitor session 2 destination interface Fa1/0/10
You can see it is a CAPWAP packet from the destination port (UDP 5247 for capwap-data and UDP 5246 for capwap-control). But you will notice it appears as “Malformed Packet” and you cannot see what’s inside this CAPWAP packet.
To avoid this you have to tick the following option in Wireshark. Click Edit -> Preferences.
Select CAPWAP under the Protocols section and you will see something like the screenshot below. There is a check box for “Cisco Wireless Controller Support” which is unchecked by default.
If you tick that box and take the capture again, you won’t see this “Malformed Packet” in the capture and can see what’s inside the CAPWAP packet. See below (in my case UDP traffic for a voice call).
On a side note, you can see that the AP encapsulates all traffic into CAPWAP. Therefore the switch port cannot see the original packet header (it only sees the outer IP header used by CAPWAP), and we cannot classify AP traffic (in lightweight mode) at the switch port based on the original packet’s information (in this case we cannot classify it as VoIP traffic by matching the UDP range 16384-32767).
If you want to configure QoS on AP-connected switch ports, the best we can do is trust the DSCP value by using the “mls qos trust dscp” command; the outer header’s DSCP value is derived from the original packet’s DSCP. No policy map can classify traffic at the switch-port level (which is the normal approach on wired switch ports when configuring QoS). For the same reason, use “mls qos trust cos” on the WLC-connected switch port, as it is normally configured as a Layer 2 trunk.
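As an added illustration (not code from the original post), the following Python parses the fixed RFC 5415 CAPWAP header on a constructed sample frame and contrasts what the switch port sees (outer header only: UDP 5247, outer DSCP) with the decapsulated view that Wireshark gives once the CAPWAP payload is dissected (inner UDP port in the voice range, inner DSCP). All addresses, ports and payload bytes are constructed sample values, and checksums are left zero.

```python
import struct

CAPWAP_CONTROL, CAPWAP_DATA = 5246, 5247          # UDP ports, RFC 5415

def parse_capwap(buf):
    """Parse the fixed RFC 5415 CAPWAP header; return (fields, encapsulated payload)."""
    preamble, bits, frag_id, frag_off = struct.unpack("!B3sHH", buf[:8])
    if preamble != 0x00:                              # version 0, type 0 = plain CAPWAP header
        raise ValueError("not a plain CAPWAP header (DTLS-wrapped or unknown version)")
    bits = int.from_bytes(bits, "big")                # HLEN(5) RID(5) WBID(5) T F L W M K Flags(3)
    hlen = ((bits >> 19) & 0x1F) * 4                  # header length is given in 32-bit words
    fields = {"rid": (bits >> 14) & 0x1F, "wbid": (bits >> 9) & 0x1F,   # WBID 1 = IEEE 802.11
              "native_80211": bool(bits & 0x100),     # T bit: 1 = 802.11 frame, 0 = 802.3 frame
              "keepalive": bool(bits & 0x008),        # K bit
              "frag_id": frag_id, "frag_offset": frag_off >> 3}
    return fields, buf[hlen:]

def ip_udp_view(frame):
    """What a device can classify from one Ethernet/IPv4/UDP header: DSCP and ports only."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl, dscp, proto = (ip[0] & 0x0F) * 4, ip[1] >> 2, ip[9]
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4]) if proto == 17 else (None, None)
    return {"dscp": dscp, "proto": proto, "sport": sport, "dport": dport,
            "capwap": dport in (CAPWAP_CONTROL, CAPWAP_DATA),
            "voice_range": dport is not None and 16384 <= dport <= 32767}

def eth_ipv4_udp(src, dst, sport, dport, dscp, payload):
    """Build a constructed Ethernet/IPv4/UDP frame (zeroed MACs and checksums: sample data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(udp), 0, 0, 64, 17, 0, src, dst) + udp
    return bytes(12) + b"\x08\x00" + ip

def sample_capwap_data_frame():
    """Constructed AP -> WLC CAPWAP data frame carrying an inner voice packet marked EF (DSCP 46)."""
    inner = eth_ipv4_udp(b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03", 16400, 16384, 46, b"rtp-sample")
    bits = (2 << 19) | (1 << 14) | (1 << 9)           # HLEN=2 words, RID=1, WBID=1, T=0 (802.3 payload)
    capwap = struct.pack("!B3sHH", 0x00, bits.to_bytes(3, "big"), 0, 0) + inner
    # outer DSCP copied from the inner packet, as the post describes
    return eth_ipv4_udp(b"\x0a\x00\x01\x10", b"\x0a\x00\x01\x01", 5247, CAPWAP_DATA, 46, capwap)

def compare_views(frame):
    """Switch-port view (outer header only) versus the decapsulated view Wireshark gives."""
    outer = ip_udp_view(frame)
    ihl = (frame[14] & 0x0F) * 4
    fields, payload = parse_capwap(frame[14 + ihl + 8:])
    inner = ip_udp_view(payload) if not fields["native_80211"] else None
    return {"switch": outer, "capwap": fields, "decapsulated": inner}
```

Only the outer DSCP (46, copied from the inner packet) survives at the switch port, which is why “mls qos trust dscp” is the usable option there.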
Thanks a lot for this one.
I need to know what packets are exchanged over the CAPWAP tunnel between AP and WLC. Using DTLS only control packets are encrypted, then what about data packets?
Prasad Nalamwar said:
There is an option of a DATA DTLS tunnel also. It’s optional. On enabling it, data packets will also be encrypted.
Suresh M said:
Please share more information about CAPWAP working
Thanks for the video. So all other packets, viz. AAA, DHCP, are also encapsulated in the same CAPWAP packet? And if yes, is it the case for a FlexConnect remote AP as well?
Thanks in Advance!
In FlexConnect local switching, data traffic won’t have CAPWAP encapsulation. It simply comes to the AP as 802.1Q trunk traffic.
You are always a great help.
So is that a correct understanding that CAPWAP would terminate and decrypt at the edge device only, and the response is passed to the AP via 802.1Q, and the reverse?
So basically, I am trying to understand the flow of AAA, DHCP and other packets between a remote Flex AP (with and without local controllers) and HQ, which has the server farm.