In this post we will see how to capture 802.11ac wireless frames using Cisco AP (802.11ac AP like 3700/2700/1700) as remote adapter. I have used OmniPeek WiFi Analyzer (10-day trial version) as protocol analyzer (as Wireshark is not yet support 802.11ac frame analysis).
I have installed OmniPeek on my PC (IP x.x.13.20). I have created an Open SSID on my WLC (5508) to connect iPhone6 (single spatial stream 802.11ac client). Also a wired 7965-VoIP connected to make a voice call from iPhone6 (with Jabber client) to that.
First you have to register your 3700 AP to your WLC & then you have to convert it to “sniffer mode“. Once you change the mode AP will reboot. Note that sniffer mode you cannot associate client to that AP. You can do it via GUI or CLI here is the CLI method (my AP name is “SNIFFER-3700“).
(WLC) >config ap mode ? Local Local mode for the Cisco AP. bridge Bridge mode for the Cisco AP. flex+bridge Flex+Bridge mode for the Cisco AP. flexconnect flexconnect mode for the Cisco AP. monitor Monitor Only mode for the Cisco AP. reap Remote Edge AP (REAP) mode for the Cisco AP. rogue Rogue Detector mode for the Cisco AP. se-connect Spectrum Expert Only Connect mode for the Cisco AP. sniffer Wireless sniffer mode for the Cisco AP. (WLC) >config ap mode sniffer SNIFFER-3700 Changing the AP's mode or submode will cause the AP to reboot. Are you sure you want to continue? (y/n) y
In GUI, you can do this simply go to the AP general page as shown below.
Then you have to set the sniffing channel on this AP. Since I want to sniff traffic on 802.11a (5GHz) on CH149 (149,153,157,161) I have to set my sniffer AP to that channel & specify the OmniPeek running PC as sniffer server.
Here how you can do it via CLI.
(WLC) >config ap sniff ? 802.11a Enables/Disables sniffing on 802.11a radio. 802.11b Enables/Disables sniffing on 802.11b/g radio. (WLC) >config ap sniff 802.11a ? enable Enables sniffing. disable Disable sniffing. (WLC) >config ap sniff 802.11a enable ? <channel> Enter a valid 802.11a channel to be sniffed (WLC) >config ap sniff 802.11a enable 149 ? <Server-IpAddr> Enter Sniffer server (remote Airopeek) IP address. (WLC) >config ap sniff 802.11a enable 149 x.x.13.20 ? <Cisco AP> Enter the name of the Cisco AP. (WLC) >config ap sniff 802.11a enable 149 x.x.13.20 SNIFFER-3700
In GUI, you can go to “Wireless -> Radio -> 802.11a/n/ac -> AP_Name ->Configure” option as shown below.
Once you go to configure option, you can set the sniffing channel, Server IP & Channel width to 80MHz as shown below.
Then you can go to OmniPeek & start new capture. You have to select “Cisco Remote Adapter” option as shown below & give any name you like. You do not want to give the sniffer mode AP IP address unless you want to filter traffic from multiple sniffer mode APs.(once you put IP field blank, you can collect captures from all sniffer mode APs)
Then you need to click “Start Cisco Capture” button as shown below. Once you done, you can click “Stop Cisco Capture” button.
Here is a snapshot of my packet capture while making a call from iPhone6-Jabber client to 7965 VoIP phone. As you can see management frames (eg Beacon) transmit in highest mandatory rate (24Mbps) configured where as data frames get 802.11ac data rates.
Here is a Beacon frame of the above capture. As you can see it is transmitted at 24Mbps (highest mandatory rate configured on 802.11a band in my WLC). Note that it is advetising VHT – 802.11ac capability.
Here is a data frame carrying SIP traffic (from iPhone6 jabber client to UCCM server). It is transmitted 292.5Mbps (80MHz, 1SS MCS 7 rate). As you can see even though the original IP packet has DSCP of 24 (CS3) for this SIP traffic it is mapped to UP value of 0 (Best Effort) in Wireless header. Usually this UP value get converted to outer CAPWAP header by AP.
Here is a data frame carrying RTP traffic. You can see it is a frame transmitted in 292.5Mpbs (80MHz, 1SS-MCS7 data rate). As you can see the original IP packet had DSCP value EF where it map to UP value of 5 (Video) in wireless header (this is controlled by supplicant)
Like this you can monitor 2SS (Macbook Air,) or 3SS (Macbook Pro) wireless traffic using AP as wireless adapter. Normally a USB adapter may not able to capture 3SS client traffic & you may need to use an enterprise grade AP to properly capture 802.11ac frames.
Reference
1. WildPacket Cisco Remote Adapter
Related Posts
1. Free Wireless Packet Captures
2. Decrypt WPA2-PSK using Wireshark
mrn-cciew 
Pingback: 802.11ac Wireless Packet Captures | Unified Networking
I am working on a project and i need to capture these packets. But due to budget constraints in my lab i cannot buy everything. I tried capturing by using wireshark on a pc i monitor mode and ran 802.11ac router and laptop but I was unablt to capture it. Is there any way I can do it?
I would suggest you to get omnipeek trial software & make an AP as remote sensor.
HTH
Rasika
Or you could use a Sniffer Mode AP with Wireshark. Rasika you have a post to send him on that right?
great post! thanks
Thank you.
Excellent post. I have been trying to capture 802.11ac packets with a Cisco WAP371 using its built in packet capture mechanism but have a number of issues with it. I posted messages on a couple of Cisco forums but got no feedback. Here is the link to the forum – https://supportforums.cisco.com/discussion/13080401/wap371-packet-capture-questions
The WAP is set up as a standalone device with only the 5GHz radio enabled. I connect to it using an Ethernet connected laptop. I am using a 12V power adapter and not PoE. I have tried both local and remote capture and still see these strange results. I have captured frames from 3 different 802.11ac AP’s and they all exhibit this behaviour. However, any packets send out and captured by the WAP itself (e.g., Beacon frames) report 5GHz info correctly.
I have tried posting on the Cisco and Wireshark forums for help with no luck. No responses at all from Cisco and no one on the Wireshark forum with a WAP371.
Note also that if I capture directly into Wireshark using an Airpcap adapter configured for 20MHz on my 802.11ac primary channel I do capture the control packets and see the correct Radiotap information!
Thanks in advance for any help you can provide