Hi,

I am using a Cisco Aironet 3700 running the autonomous version and configured to work in monitor mode (all wireless traffic sent to a remote host). My problem is that, using Wireshark PEEKREMOTE decoding, the packets sent from my AP are not parsed correctly. See the following capture: https://drive.google.com/file/d/0B0ta7zFvYqzxRlh5ZVBjRWJwT0U/edit?usp=sharing

Did anyone encounter such an issue?

Many Thanks

asked 28 May '14, 05:16 Pavel Bonder

One Answer:
...and that's because it's NOT PEEKREMOTE traffic, it's CWIDS (Cisco Wireless Intrusion Detection System) traffic. Try dissecting it as CWIDS instead.

answered 28 May '14, 23:28 Guy Harris ♦♦

In order to configure the AP in monitor mode I set the wireless interface to "#station-role scanner", and configured the monitor to any host and port I want: "#monitor frames endpoint ip address 192.168.1.10 port 6666".

Decoding this as CWIDS also does not parse the packet correctly; each packet is parsed with multiple CWIDS and IEEE 802.11 headers in the same packet. I do not have OmniPeek for comparison.

Many Thanks

(29 May '14, 02:13) Pavel Bonder

That's not a bug, that's a feature. As Cisco's documentation says, "Multiple captured frames can be combined into one UDP packet to conserve network bandwidth."

(29 May '14, 02:26) Guy Harris ♦♦

Those packets look very different from the PEEKREMOTE packets in other captures; they don't look like packets with either the 20-byte legacy header or the 55-byte 802.11n header. By "configured to work in monitor mode" do you mean that you put the 3700 into "Sniffer" mode, as Cisco calls it, and configured it to send packets to port 6666? Does AiroPeek or OmniPeek correctly dissect those packets?
Even I am facing the same issue. Is there a solution for this or any workarounds?
Thanks, Jagadeesh
Read the answer to this question. If that doesn't solve your problem, ask another question; just because you see similar symptoms, that doesn't mean it's the same issue.