In this post we will see how you can use a Cisco AP in sniffer mode to capture wireless packets with Wireshark, which is a free tool. (In a previous post we did the same thing using Omnipeek, which is a commercial product.)
I have used a 2504 WLC & a 3702 AP in sniffer mode. The client-serving AP is configured as Office Extend (OEAP), registered to a corporate WLC, with a personal SSID (mrn-cciew) enabled with a PSK. My monitoring PC runs Windows 10 with Wireshark version 2.6.4.
Once 3702-1 has registered with the 2504, you can simply change it to “Sniffer” mode. Then go to Wireless > 802.11a/n/ac > tick the “sniff” check box & specify the PC running Wireshark as the server IP address, as shown below. As my OEAP operates in 40MHz, I selected that in the sniffer config (if you want to capture 80MHz 802.11ac frames, you have to set it to 80MHz).
Now if you start capturing on the Ethernet interface of your Windows laptop, you will see something like below.
Note that most of the traffic is UDP from src port 5555 to dst port 5000 (from the WLC IP to the Wireshark PC IP). If you want to see the packet details inside, you have to decode these frames as “PEEKREMOTE”. You can simply right-click & choose the “Decode As” option shown below.
Once you do this, you will see those 802.11 wireless frames that you were not able to see previously.
You will notice that, in addition to those wireless frames, you will see traffic going in/out of the Windows PC (192.168.20.124). In wireless analysis you are not interested in that traffic. To keep only the wireless traffic, you can apply a capture filter on UDP port 5555. You can create a capture filter via the Capture > Capture Filter menu in Wireshark, as shown below. (Read this article for more information on capture filter options.)
Once created, you can apply that capture filter to the Ethernet interface, as shown below.
If you do a capture with that filter, you will see only the wireless packets you need.
Additionally, if you would like to decrypt WPA2-PSK traffic in Wireshark (as my SSID is WPA2-PSK), you can enter your key (i.e. the password for your SSID) under Edit > Preferences > Protocol > IEEE 802.11 > Key section, as shown below.
Then you will see fully decrypted traffic from your SSID. There is a catch though: you have to capture the 4-way handshake frames of a client in order to fully decrypt that client's frames in the SSID. You can simply do that by making a new client association to the SSID. Below shows a new association from my MacBook Air (you will see M1 to M4, the 4-way handshake frames) & thereafter the DHCP negotiation without any encryption. (Usually after the 4-way handshake the traffic is encrypted & you will not be able to see what's inside those data frames.) Note that I have filtered out Beacon & ACK frames for simplicity in the view below.
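Why the M1 to M4 frames matter, as an added Python example (not code from the original post): the PMK can be derived from just the passphrase and SSID you type into Wireshark, but the temporal key that actually decrypts data frames also needs the AP MAC, the client MAC, the ANonce from M1 and the SNonce from M2. The passphrase, MAC addresses and nonces below are constructed sample values.

```python
# Added example (not from the original post): derive the WPA2-PSK keys the
# way Wireshark must, to show why the 4-way handshake has to be captured.
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This needs only what you enter in the Wireshark key preference."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: four HMAC-SHA1 blocks, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    ANonce comes from M1 and SNonce from M2; without them there is no TK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf512(pmk, b"Pairwise key expansion", data)
    # KCK authenticates the handshake MICs, KEK wraps the GTK, TK encrypts data frames (CCMP)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


SSID = "mrn-cciew"                         # SSID from the post
PASSPHRASE = "example-passphrase"          # constructed; the real PSK is not in the post
AP_MAC = bytes.fromhex("001122334455")     # constructed
STA_MAC = bytes.fromhex("66778899aabb")    # constructed
ANONCE = bytes(range(32))                  # constructed stand-in for the M1 nonce
SNONCE = bytes(range(32, 64))              # constructed stand-in for the M2 nonce


def demo() -> dict:
    """Derive PMK from the entered key, then the per-client PTK from the handshake."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    return ptk_from_handshake(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```

A client that associated before the capture started has a TK built from nonces Wireshark never saw, which is why its data frames stay encrypted until it re-associates.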
Hope this post is useful for your wireless packet capture & analysis.