802.11ac Wireless Packet Captures
In this post we will see how to capture 802.11ac wireless frames using Cisco AP (802.11ac AP like 3700/2700/1700) as remote adapter. I have used OmniPeek WiFi Analyzer (10-day trial version) as protocol analyzer (as Wireshark is not yet support 802.11ac frame analysis).
I have installed OmniPeek on my PC (IP x.x.13.20). I have created an Open SSID on my WLC (5508) to connect iPhone6 (single spatial stream 802.11ac client). Also a wired 7965-VoIP connected to make a voice call from iPhone6 (with Jabber client) to that.
First you have to register your 3700 AP to your WLC & then you have to convert it to “sniffer mode“. Once you change the mode AP will reboot. Note that sniffer mode you cannot associate client to that AP. You can do it via GUI or CLI here is the CLI method (my AP name is “SNIFFER-3700“).
(WLC) >config ap mode ? Local Local mode for the Cisco AP. bridge Bridge mode for the Cisco AP. flex+bridge Flex+Bridge mode for the Cisco AP. flexconnect flexconnect mode for the Cisco AP. monitor Monitor Only mode for the Cisco AP. reap Remote Edge AP (REAP) mode for the Cisco AP. rogue Rogue Detector mode for the Cisco AP. se-connect Spectrum Expert Only Connect mode for the Cisco AP. sniffer Wireless sniffer mode for the Cisco AP. (WLC) >config ap mode sniffer SNIFFER-3700 Changing the AP's mode or submode will cause the AP to reboot. Are you sure you want to continue? (y/n) y
In GUI, you can do this simply go to the AP general page as shown below.
Then you have to set the sniffing channel on this AP. Since I want to sniff traffic on 802.11a (5GHz) on CH149 (149,153,157,161) I have to set my sniffer AP to that channel & specify the OmniPeek running PC as sniffer server.
Here how you can do it via CLI.
(WLC) >config ap sniff ? 802.11a Enables/Disables sniffing on 802.11a radio. 802.11b Enables/Disables sniffing on 802.11b/g radio. (WLC) >config ap sniff 802.11a ? enable Enables sniffing. disable Disable sniffing. (WLC) >config ap sniff 802.11a enable ? <channel> Enter a valid 802.11a channel to be sniffed (WLC) >config ap sniff 802.11a enable 149 ? <Server-IpAddr> Enter Sniffer server (remote Airopeek) IP address. (WLC) >config ap sniff 802.11a enable 149 x.x.13.20 ? <Cisco AP> Enter the name of the Cisco AP. (WLC) >config ap sniff 802.11a enable 149 x.x.13.20 SNIFFER-3700
In GUI, you can go to “Wireless -> Radio -> 802.11a/n/ac -> AP_Name ->Configure” option as shown below.
Once you go to configure option, you can set the sniffing channel, Server IP & Channel width to 80MHz as shown below.
Then you can go to OmniPeek & start new capture. You have to select “Cisco Remote Adapter” option as shown below & give any name you like. You do not want to give the sniffer mode AP IP address unless you want to filter traffic from multiple sniffer mode APs.(once you put IP field blank, you can collect captures from all sniffer mode APs)
Then you need to click “Start Cisco Capture” button as shown below. Once you done, you can click “Stop Cisco Capture” button.
Here is a snapshot of my packet capture while making a call from iPhone6-Jabber client to 7965 VoIP phone. As you can see management frames (eg Beacon) transmit in highest mandatory rate (24Mbps) configured where as data frames get 802.11ac data rates.
Here is a Beacon frame of the above capture. As you can see it is transmitted at 24Mbps (highest mandatory rate configured on 802.11a band in my WLC). Note that it is advetising VHT – 802.11ac capability.
Here is a data frame carrying SIP traffic (from iPhone6 jabber client to UCCM server). It is transmitted 292.5Mbps (80MHz, 1SS MCS 7 rate). As you can see even though the original IP packet has DSCP of 24 (CS3) for this SIP traffic it is mapped to UP value of 0 (Best Effort) in Wireless header. Usually this UP value get converted to outer CAPWAP header by AP.
Here is a data frame carrying RTP traffic. You can see it is a frame transmitted in 292.5Mpbs (80MHz, 1SS-MCS7 data rate). As you can see the original IP packet had DSCP value EF where it map to UP value of 5 (Video) in wireless header (this is controlled by supplicant)
Like this you can monitor 2SS (Macbook Air,) or 3SS (Macbook Pro) wireless traffic using AP as wireless adapter. Normally a USB adapter may not able to capture 3SS client traffic & you may need to use an enterprise grade AP to properly capture 802.11ac frames.
Reference
1. WildPacket Cisco Remote Adapter
Original Post # http://mrncciew.com/2014/09/22/802-11ac-wireless-packet-captures/