There are times when converting a Cisco AP to Sniffer mode helps with remotely investigating a wireless issue. In this blog post I’ll go over setting an AP into Sniffer mode from the Cisco 9800-CL.
In my lab, I’d like to convert a Cisco C9115, Wi-Fi 6 access point, from Local mode (serving clients) into Sniffer mode.
It’s important to know when converting a Cisco access point into Sniffer mode, it will cease to serve any clients.
After enabling Sniffer mode on the Cisco C9115, or any access point, we want to configure the channel to sniff and where to send these sniffed frames.
Configuring Sniffer Mode
I have two Cisco C9115 access points joined to my 9800-CL. Both are in Local mode, capable of serving clients. I want to change AP-AX-01’s mode to Sniffer.
On the left-hand navigation, click on Configuration and then click on Access Points under Wireless.
Under Access Points, click on the AP that will be changed to Sniffer mode.
I’m going to modify AP-AX-01.
Under the Edit AP window, click on the drop down for AP Mode and select Sniffer.
You’ll be presented with a warning about the AP needing to reboot when changing the AP mode.
Click OK and then click Update & Apply to Device.
The access point will reboot and rejoin the controller under Sniffer mode. Takes a few minutes. Sip some tea.
Now that the C9115, or AP of your choice, is in Sniffer mode it is time to configure the channel to sniff frames on.
Under the same window we’ve been working in, expand either 5 GHz Radios or 2.4 GHz Radios – whichever band you intend to sniff frames on.
I’m going to sniff frames on channel 100, the channel my other C9115 is serving clients on.
Select the AP you just changed to Sniffer Mode to display the Edit AP window.
At the bottom of the window, you’ll see an Enable Sniffing checkbox. Enable it.
Once enabled, more options will display below the checkbox. This is where you select which channel to sniff on.
In the Sniffer IP text field enter the IP address of the computer which will be running Wireshark, i.e. the computer which will receive the sniffed frames from this access point. Keep in mind that the AP sends those frames to this address as plain, unauthenticated UDP, so the Wireshark host should sit on a network you control.
The channel width comes from RF Channel Assignment: the AP sniffs at the width it is configured to use when serving clients, so change it there if you need a different width.
Click Update & Apply to Device.
Setting up Wireshark
At the time of publishing, I am using Wireshark version 3.0.7 for macOS. With previous versions I was unable to see any HE frames; the latest version seems to have fixed that bug.
The Cisco AP forwards the sniffed 802.11 frames encapsulated in the airopeek (PEEKREMOTE) format over UDP, with source port 5555 and destination port 5000.
By default, Wireshark will not decode these packets properly. First, in the capture options, add a capture filter for UDP port 5555 (a port filter matches either the source or the destination port):
Next step is to start the capture.
Packets will begin to appear, but they are still displayed as encapsulated UDP.
The packets must be decoded as PEEKREMOTE. Right click one of the encapsulated packets and select Decode As…
Add an entry with the following (Wireshark’s Decode As matches the port on either side of the conversation, so 5555 is enough):
Field: UDP port
Value: 5555
Type: Integer, base 10
Current: PEEKREMOTE
The 802.11 traffic is now available for you to analyze.
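As an added example (not code from the original post or from Cisco), here is a small Python receiver that does by hand what the Decode As step does in Wireshark: it listens on UDP 5555, strips the airopeek/PEEKREMOTE header from each datagram and saves the inner 802.11 frames to a classic pcap that Wireshark opens directly. It assumes the AP uses the 20-byte legacy PEEKREMOTE header as Wireshark’s dissector lays it out (signal and noise in dBm, packet and slice lengths, flags, status, a 64-bit timestamp, data rate, channel and signal/noise percentages) and that newer APs may instead send an extended header beginning with a magic value; that layout, the magic bytes and the sample beacon frame are my assumptions and constructions, so check them against your own capture before trusting the metadata.

```python
"""Receive frames from a Cisco AP in Sniffer mode and save the inner 802.11
frames as a pcap. Added example, not from the original post or from Cisco.

Assumptions, to verify against Wireshark's packet-peekremote.c for your
release: the AP prefixes each frame with the 20-byte legacy PEEKREMOTE
(airopeek) header, big-endian, laid out as in LEGACY_HDR below, and newer
APs may instead send an extended header that starts with EXTENDED_MAGIC.
"""
import socket
import struct
import time

# 20 bytes: signal dBm, noise dBm, packet len, slice len, flags, status,
# timestamp (us), data rate (500 kb/s units), channel, signal %, noise %
LEGACY_HDR = struct.Struct(">bbHHBBQBBBB")
EXTENDED_MAGIC = b"\x00\xff\xab\xcd"  # assumption: marker of the extended header
LISTEN_PORT = 5555                    # the port Wireshark decodes as PEEKREMOTE
DLT_IEEE802_11 = 105                  # pcap link type for raw 802.11 (no radiotap)


def parse_peekremote(datagram: bytes):
    """Split one UDP payload into (metadata dict, raw 802.11 frame)."""
    if datagram.startswith(EXTENDED_MAGIC):
        raise ValueError("extended PEEKREMOTE header: not handled here")
    if len(datagram) < LEGACY_HDR.size:
        raise ValueError("datagram shorter than the PEEKREMOTE header")
    (sig, noise, pkt_len, slice_len, flags, status,
     ts_us, rate, chan, sig_pct, noise_pct) = LEGACY_HDR.unpack_from(datagram)
    frame = datagram[LEGACY_HDR.size:]
    if 0 < slice_len < len(frame):
        frame = frame[:slice_len]  # slice length = bytes the AP actually captured
    # Whether the last 4 bytes are an FCS depends on the AP; Wireshark's
    # 802.11 "Assume packets have FCS" preference covers either case.
    meta = {"signal_dbm": sig, "noise_dbm": noise, "packet_len": pkt_len,
            "slice_len": slice_len, "flags": flags, "status": status,
            "timestamp_us": ts_us, "rate_mbps": rate / 2, "channel": chan}
    return meta, frame


def build_peekremote(frame: bytes, channel: int, signal_dbm: int = -55,
                     noise_dbm: int = -95, rate_mbps: float = 6.0,
                     ts_us: int = 0) -> bytes:
    """Wrap a frame in a constructed legacy header (offline testing only)."""
    hdr = LEGACY_HDR.pack(signal_dbm, noise_dbm, len(frame), len(frame), 0, 0,
                          ts_us, int(rate_mbps * 2), channel,
                          max(0, 100 + signal_dbm), max(0, 100 + noise_dbm))
    return hdr + frame


def frame_type(frame: bytes):
    """(type, subtype) from the 802.11 Frame Control field; (0, 8) is a beacon."""
    fc = frame[0]
    return (fc >> 2) & 0x3, fc >> 4


def pcap_bytes(frames) -> bytes:
    """Classic pcap with link type 105; frames is [(timestamp_us, raw_frame), ...]."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)]
    for ts_us, frame in frames:
        sec, usec = divmod(ts_us, 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data: bytes):
    """Inverse of pcap_bytes: returns (linktype, [(timestamp_us, raw_frame), ...])."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, frames = 24, []
    while off < len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append((sec * 1_000_000 + usec, data[off:off + caplen]))
        off += caplen
    return linktype, frames


def capture(path: str, count: int, port: int = LISTEN_PORT) -> int:
    """Listen where Wireshark would and save `count` decodable frames to `path`."""
    frames = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))  # the host whose address is the AP's Sniffer IP
        while len(frames) < count:
            data, _ = sock.recvfrom(65535)
            try:
                _, frame = parse_peekremote(data)
            except ValueError:
                continue  # not a legacy header: leave it for Wireshark
            frames.append((int(time.time() * 1_000_000), frame))
    with open(path, "wb") as f:
        f.write(pcap_bytes(frames))
    return len(frames)


# Constructed sample: a minimal beacon (FC 0x0080, broadcast DA, dummy body).
SAMPLE_BEACON = (b"\x80\x00\x00\x00" + b"\xff" * 6
                 + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x10\x00" + b"\x00" * 12)

if __name__ == "__main__":
    print("saved", capture("sniffer.pcap", 100), "frames")
```

Run it on the host whose address you entered as the Sniffer IP; it binds the same port Wireshark would, so stop Wireshark first. The pcap timestamps are arrival times on the receiver, while the AP’s own timestamp stays in the metadata dict. Because the port accepts datagrams from any sender, only run it where you trust who can reach it.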
Time To Analyze Wi-Fi 6
Now that sniffing is available on the C9115, I can begin looking at Wi-Fi 6 traffic.
The capture using the C9115 does not include as much information in the radiotap header compared to sniffing frames with the Intel AX200 on the Jetson Nano, which includes HE information.
Here’s a comparison between the C9115 in sniffer mode compared to the Intel AX200 using airmon-ng on the Jetson Nano.
Cisco C9115 – Sniffer Mode
Sniffer mode is useful for remote troubleshooting, but it comes at the cost of not serving clients. I’m curious whether future updates to the access points will include more 11ax information in the radiotap headers.