

In this post we will see how you can use a Cisco AP in sniffer mode to capture wireless packets with Wireshark, which is a free tool. (In a previous post we did the same thing using OmniPeek, which is a commercial product.)

I have used a 2504 WLC & a 3702 AP in Sniffer mode. My monitoring PC is running Windows 10 with Wireshark version 2.6.4. The client-serving AP is configured as Office Extend (OEAP), registered to a corporate WLC, with a personal SSID (mrn-cciew) enabled with a PSK.

Once 3702-1 is registered with the 2504, you can simply change it to "Sniffer" mode. Then go to Wireless > 802.11a/n/ac > tick the "sniff" check box & specify the PC running Wireshark as the server IP address, as shown below. As my OEAP operates in 40MHz, I selected that in the sniffer config (if you want to capture 80MHz 802.11ac frames, you have to set it to 80MHz).

Now if you start capturing on the Ethernet interface of your Windows laptop, you will see something like below. Note that most of the traffic is UDP traffic from src port 5555 to dst port 5000 (from the WLC IP to the Wireshark PC IP). If you want to see the packet details inside, you have to decode these frames as "PEEKREMOTE". You can simply right-click & choose the "Decode As" option shown below. Once you do this, you will see those 802.11 wireless frames that you were not able to see previously.

You will notice that, in addition to those wireless frames, you will see traffic going in/out from the Windows PC (192.168.20.124). In wireless analysis you are not interested in seeing that traffic. To filter for the wireless traffic only, you can apply a capture filter with UDP port number 5555. You can create a capture filter from the Capture > Capture Filter menu in Wireshark, as shown below. (Read this article for more information on capture filter options.) Once created, you can apply that capture filter to the Ethernet interface as shown below. If you do a capture with that filter, you will only see the wireless packet capture you need.

Additionally, if you would like to decrypt WPA2-PSK traffic in Wireshark (as my SSID is WPA2-PSK), you can enter your key (i.e. the password for your SSID) under Edit > Preferences > Protocol > IEEE 802.11 > Key section, as shown below. Then you will see fully decrypted traffic from your SSID. There is a catch though: you have to capture the 4-way handshake frames of a client in order to fully decrypt frames in that SSID. You can simply do that by a new client association to the SSID. Below shows a new association from my MacBook Air (you will see M1 to M4, the 4-way handshake frames) & thereafter DHCP negotiation without any encryption. (Usually after the 4-way handshake the traffic is encrypted & you will not be able to see what's inside those data frames.) Note that I have filtered out Beacon & ACK frames for simplicity in the view below.

Hope this post is useful for your wireless packet capture & analysis.
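The same workflow from the command line, as an added example that is not part of the original post: tshark replaces the GUI steps (capture filter on UDP port 5555, Decode As PEEKREMOTE, PSK decryption, Beacon/ACK hidden) and a small awk check confirms that all four handshake messages were captured for a client before you trust its decrypted frames. It assumes tshark is installed; the interface, capture file, SSID and PSK are caller-supplied placeholders, and the sample field lines are constructed, not from a real capture.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes tshark is on PATH; interface,
# capture file, SSID and PSK are caller-supplied placeholders.

# GUI step "capture filter udp port 5555": keep only the sniffer-mode stream
# from the AP and write the raw UDP packets to a file for later analysis.
capture_sniffer_stream() {
  tshark -i "$1" -f "udp port 5555" -w "$2"
}

# GUI steps "Decode As PEEKREMOTE" + "Preferences > IEEE 802.11 > key": decode the
# UDP payload, decrypt with the SSID password, hide Beacon (0x08) and ACK (0x1d).
decrypted_view() {
  pcap="$1"; ssid="$2"; psk="$3"
  tshark -r "$pcap" -d "udp.port==5555,peekremote" \
    -o "wlan.enable_decryption:TRUE" \
    -o "uat:80211_keys:\"wpa-pwd\",\"$psk:$ssid\"" \
    -Y "wlan.fc.type_subtype != 0x08 && wlan.fc.type_subtype != 0x1d"
}

# The "catch" in the post: decryption only works for clients whose M1-M4 were
# captured. Reads "<sa> <da> <msgnr>" lines and prints each STA with all four.
complete_handshakes() {
  awk '
    NF == 3 {
      sta = ($3 == 1 || $3 == 3) ? $2 : $1   # M1/M3 are AP->STA, M2/M4 STA->AP
      seen[sta, $3] = 1; stas[sta] = 1
    }
    END {
      for (s in stas)
        if (seen[s, 1] && seen[s, 2] && seen[s, 3] && seen[s, 4]) print s
    }'
}

# Pull the EAPOL-Key frames out of a capture and run the check on them.
handshake_report() {
  tshark -r "$1" -d "udp.port==5555,peekremote" -Y eapol -T fields \
    -e wlan.sa -e wlan.da -e wlan_rsna_eapol.keydes.msgnr | complete_handshakes
}

# Constructed tshark field output (not a real capture): STA 11:... completed M1-M4
# with AP aa:..., STA 22:... only has M1 and M3, so its data frames stay encrypted.
sample_eapol_fields() {
  printf '%s\n' \
    'aa:aa:aa:aa:aa:aa 11:11:11:11:11:11 1' \
    '11:11:11:11:11:11 aa:aa:aa:aa:aa:aa 2' \
    'aa:aa:aa:aa:aa:aa 11:11:11:11:11:11 3' \
    '11:11:11:11:11:11 aa:aa:aa:aa:aa:aa 4' \
    'aa:aa:aa:aa:aa:aa 22:22:22:22:22:22 1' \
    'aa:aa:aa:aa:aa:aa 22:22:22:22:22:22 3'
}
sample_eapol_fields | complete_handshakes   # prints 11:11:11:11:11:11
```

A PSK containing ":" would need a different key form, since "password:ssid" is split on the first colon.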
