Wireless Frame Capture using Wireshark and Cisco AP

The ability to capture wireless frames for analysis at a remote location without having to travel to the site adds benefits, by focusing the time on troubleshooting the issue and restoring a stable WLAN function to the End user.

There are few options available in today’s market, the one will be discussing today is using of Cisco Access Point and Wireshark to Capture and analyze the captured data.

Network layout used for the demonstration:

  • Vmware ESXi Version 5.5.0
  • Cisco vWLC, software version
  • Access Point, Cisco 3602 AP
  • Wireshark Version 1.10.1, This one of the versions of Wireshark that would help decoding captured frames as PEEKREMOTE
  • Samsung Tablet

vWLC configuration: 

Convert the AP to Sniffer Mode as shown Below, selecting sniffer mode, and applying the change the AP will reboot.

Select The Access Point

Under General TAB, select AP mode “Sniffer” I have assigned Static IP to the Access Point. then hit “Apply”.

Next step is to configure the Access Point to Capture frame on certain channel.

Navigate to “Wireless” and select either 802.11a/n/ac or 802.11b/g/n, Depending on the Band and channel you want to scan. Hover your mouse on the blue drop down and select “configure”.

Next step is to Enable “Sniff” under Sniffer Channel Assignment, select Channel and Enter workstation IP address.

Now lets look for the packet capture in Wireshark. Capturing data on the LAN adapter of the workstation would look something like this:

I have filtered the traffic as the vWLC source IP address. 

To be able see inside packets detail, you have to decode these frames as “PEEKREMOTE”. You can simply right-click & choose “Decode As” option shown below.

Now you can see the Protocol change to 802.11

here you have it this one way to have the frames captured and start working on the analyses, 







Leave a Reply

Your email address will not be published. Required fields are marked *