This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

PEEKREMOTE wrong parsing with CiscoAironet 3700

0

Hi,

I am using a Cisco Aironet 3700 running the autonomous version and configured to work in monitor mode (all wireless traffic sent to a remote host). My problem is that, using Wireshark's PEEKREMOTE decoding, the packets sent from my AP are not parsed correctly.

See the following capture:

https://drive.google.com/file/d/0B0ta7zFvYqzxRlh5ZVBjRWJwT0U/edit?usp=sharing

Has anyone encountered such an issue? Many thanks

asked 28 May '14, 05:16

Pavel Bonder

Those packets look very different from the PEEKREMOTE packets in other captures; they don't look like packets with either the 20-byte legacy header or the 55-byte 802.11n header. By "configured to work in monitor mode" do you mean that you put the 3700 into "Sniffer" mode, as Cisco calls it, and configured it to send packets to port 6666? Does AiroPeek or OmniPeek correctly dissect those packets?

(28 May '14, 19:54) Guy Harris ♦♦

Even I am facing the same issue. Is there a solution for this, or any workarounds?

Thanks, Jagadeesh

(14 Nov '15, 10:20) Jagadeesh Yc

Read the answer to this question. If that doesn't solve your problem, ask another question; just because you see similar symptoms, that doesn't mean it's the same issue.

(14 Nov '15, 10:28) Guy Harris ♦♦

One Answer:

0

...and that's because it's NOT PEEKREMOTE traffic, it's CWIDS (Cisco Wireless Intrusion Detection System) traffic. Try dissecting it as CWIDS instead.

answered 28 May '14, 23:28

Guy Harris ♦♦

In order to configure the AP in monitor mode, I set the wireless interface to "#station-role scanner", and configured the monitor to any host and port I want: "#monitor frames endpoint ip address 192.168.1.10 port 6666"

Decoding this as CWIDS also does not parse the packet correctly; each packet is parsed with multiple CWIDS and IEEE 802.11 headers in the same packet.

I do not have OmniPeek for comparison.

Many Thanks

(29 May '14, 02:13) Pavel Bonder

each packet is parsed with multiple CWIDS and IEEE 802.11 headers in the same packet

That's not a bug, that's a feature. As Cisco's documentation says, "Multiple captured frames can be combined into one UDP packet to conserve network bandwidth."

(29 May '14, 02:26) Guy Harris ♦♦