Rowell Dionicio

Cisco 9800 WLC – AP Sniffer Mode

December 8, 2019 By Rowell 2 Comments

There are a few times when converting a Cisco AP to sniffer mode helps with remote investigation of a wireless issue. In this blog post I’ll go over setting an AP into Sniffer mode from the Cisco 9800-CL.

In my lab, I’d like to convert a Cisco C9115, Wi-Fi 6 access point, from Local mode (serving clients) into Sniffer mode.

It’s important to know that once a Cisco access point is converted to Sniffer mode, it will cease to serve any clients.

After enabling Sniffer mode on the Cisco C9115, or any access point, we want to configure the channel to sniff and where to send these sniffed frames.

Configuring Sniffer Mode

I have two Cisco C9115 access points joined to my 9800-CL. Both are in Local mode, capable of serving clients. I want to change AP-AX-01’s mode to Sniffer.

On the left-hand navigation, click on Configuration and then click on Access Points under Wireless.

Under Access Points, click on the AP that will be changed to Sniffer mode.

I’m going to modify AP-AX-01.

Under the Edit AP window, click on the drop down for AP Mode and select Sniffer.

You’ll be presented with a warning about the AP needing to reboot when changing the AP mode.

Click OK and then click Update & Apply to Device.

The access point will reboot and rejoin the controller in Sniffer mode. This takes a few minutes. Sip some tea.

Sniffing Frames

Now that the C9115, or AP of your choice, is in Sniffer mode, it is time to configure the channel to sniff frames on.

Under the same window we’ve been working on, expand either 5 GHz Radios or 2.4 GHz Radios, whichever band you intend to sniff frames on.

I’m going to sniff frames on channel 100, the channel my other C9115 is serving clients on.

Select the AP you just changed to Sniffer Mode to display the Edit AP window.

At the bottom of the window, you’ll see an Enable Sniffing checkbox. Enable it.

Once enabled, more options will display below the checkbox. This is where you select which channel to sniff on.

In the Sniffer IP text field, enter the IP address of the computer that will be running Wireshark. This is the computer that will receive the sniffed frames from this access point.

To configure the channel width to sniff on, select the channel width under RF Channel Assignment. The AP will sniff on the channel width it is configured to use when serving clients.

Click Update & Apply to Device.

Setting up Wireshark

At the time of publishing, I am using Wireshark version 3.0.7 for macOS. With previous versions I was unable to see any HE frames. The latest version seems to have fixed that bug.

The Cisco AP will sniff and receive 802.11 traffic encapsulated using the airopeek protocol. The source port is UDP 5555 and the destination is UDP 5000.

By default, Wireshark will not decode the packets properly. We must configure capture options to receive traffic on UDP 5555:

Next step is to start the capture.

You’ll begin seeing packets being displayed, but they are encapsulated.

The packets must be decoded as PEEKREMOTE. Right click one of the encapsulated packets and select Decode As…

Add an entry with the following:

Field: UDP port
Value: 5555
Type: Integer, base 10
Default: SIGCOMP
Current: PEEKREMOTE

Click OK.

The 802.11 traffic is now available for you to analyze.
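As a check on the saved capture, this added example (not from the original post) counts the datagrams matching the UDP 5555 to 5000 stream per source IP, so you can confirm the encapsulated frames come only from the AP you placed in Sniffer mode. It assumes the capture was saved as classic pcap (not pcapng) with an Ethernet link type; the addresses, function names and sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

SRC_PORT, DST_PORT = 5555, 5000  # UDP ports the post gives for the AP's stream

def build_sample_pcap():
    """Constructed sample: classic pcap holding two Ethernet/IPv4/UDP packets."""
    def frame(src_ip, sport, dport, payload):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton("192.0.2.10"))
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp  # checksums left 0
    pkts = [frame("192.0.2.50", 5555, 5000, b"placeholder-payload"),
            frame("192.0.2.77", 53, 40000, b"unrelated")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in pkts:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

def sniffer_sources(pcap_bytes):
    """Count datagrams per source IP that match UDP 5555 -> 5000."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("unsupported format (expects microsecond pcap, not pcapng)")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("expected Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, off + 8)[0]
        pkt = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
            continue  # keep IPv4/UDP only
        udp_off = 14 + (pkt[14] & 0x0F) * 4
        if len(pkt) < udp_off + 4:
            continue
        if struct.unpack_from("!HH", pkt, udp_off) == (SRC_PORT, DST_PORT):
            counts[socket.inet_ntoa(pkt[26:30])] += 1
    return counts

def unexpected_senders(pcap_bytes, sniffer_ap_ip):
    """Source IPs sending the stream that are not the AP placed in Sniffer mode."""
    return sorted(ip for ip in sniffer_sources(pcap_bytes) if ip != sniffer_ap_ip)

if __name__ == "__main__":
    print(dict(sniffer_sources(build_sample_pcap())))
```
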

Time To Analyze Wi-Fi 6

Now that sniffing is available on the C9115, I can begin looking at Wi-Fi 6 traffic.

The capture using the C9115 does not include as much information in the radiotap header compared to sniffing frames with the Intel AX200 on the Jetson Nano, which includes HE information.

Here’s a comparison between the C9115 in sniffer mode and the Intel AX200 using airmon-ng on the Jetson Nano.

Cisco C9115 – Sniffer Mode
Jetson Nano (Intel AX200)

Thoughts

Sniffer mode is useful for remote troubleshooting but it comes at the cost of not servicing clients. I’m curious if future updates to the access points will include more 11ax information in the radiotap headers.

Filed Under: Wireless Tagged With: C9115, c9800-cl

Comments

  1. K says

    March 12, 2021 at 7:40 am

    Great write-up, thank you.

    • Rowell says

      March 12, 2021 at 3:51 pm

      Thank you!
