Cisco 5520 Wireless Controller Design Guide

Chapter 1  Cisco Adaptive wIPS Management Deployment Guide, Release 8.0
Cisco Adaptive wIPS Introduction
Forensics
Cisco's Adaptive wIPS system provides the ability to capture attack forensics for later investigation
and troubleshooting. At its core, the forensics capability is a toggle-based packet-capture facility
that logs and retrieves a set of wireless frames. It is enabled on a per-attack basis from within the
wIPS profile configuration in Prime Infrastructure (PI).
Once enabled, a forensic capture is triggered when the corresponding attack alarm is observed over the air.
The forensic file is built from the frames held in the buffer of the wIPS Mode AP that raised the original
alarm. The AP transfers this file to the Wireless LAN Controller over CAPWAP, and the controller forwards it
over NMSP to the wIPS Service running on the Mobility Services Engine (MSE). The file is kept in the forensic
archive on the MSE until the user-configured disk-space limit for forensics is reached. By default this limit
is 20 GB; once it is reached, the oldest forensic files are removed to make room. Because the archive is pruned
automatically, copy any forensic file that is part of an ongoing investigation off the MSE before it ages out.
To reach a forensic file, open the corresponding alarm in Prime Infrastructure, which contains a hyperlink to
the file. Files are stored in '.CAP' format and can be opened with WildPackets' OmniPeek, AirMagnet WiFi
Analyzer, Wireshark, or any other packet-capture program that supports this format. Wireshark is available at
.
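The pipeline above ends with a size-bounded archive of capture files that an analyst pulls into Wireshark or OmniPeek. The script below is an added example, not Cisco's code and not part of this guide: it validates a capture file before analysis (format magic, link-layer type, number of complete frames) and emulates the MSE's oldest-first retention policy by pruning a directory to a byte limit. It assumes the '.CAP' files are in libpcap format (the guide only says which tools open them, so treat that as an assumption and check the reported format), uses file modification time as the age of each capture, and builds its own constructed archive of tiny deauthentication-frame captures so it runs offline. All function names (inspect_capture, prune_archive, write_pcap, demo) are hypothetical.

```python
import os
import shutil
import struct
import tempfile

# libpcap global-header magic values -> (format name, struct endianness prefix)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ("pcap", ">"),        # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("pcap", "<"),        # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ("pcap-nsec", ">"),   # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("pcap-nsec", "<"),   # little-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"             # pcapng Section Header Block type

# Link-layer header types a wireless forensic capture is expected to carry
DLT_NAMES = {
    105: "IEEE802_11",           # bare 802.11 frames
    119: "PRISM_HEADER",
    127: "IEEE802_11_RADIOTAP",  # 802.11 frames with radiotap metadata
    163: "IEEE802_11_AVS",
    192: "PPI",
}
GLOBAL_HDR = "IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
RECORD_HDR = "IIII"      # ts_sec, ts_usec, incl_len, orig_len (16 bytes)

# Constructed 802.11 deauthentication frame (broadcast, reason code 7); not a real capture.
DEAUTH_FRAME = bytes.fromhex("c000 3a01 ffffffffffff 001122334455 001122334455 1000 0700")


def inspect_capture(path):
    """Report the format, link type and complete-frame count of a capture file.
    Unknown formats are reported as None rather than guessed."""
    with open(path, "rb") as f:
        hdr = f.read(24)
    if hdr[:4] == PCAPNG_MAGIC:
        return {"format": "pcapng", "linktype": None, "frames": None}
    fmt = PCAP_MAGICS.get(hdr[:4])
    if fmt is None or len(hdr) < 24:
        return {"format": None, "linktype": None, "frames": None}
    name, endian = fmt
    linktype = struct.unpack(endian + GLOBAL_HDR, hdr)[6]
    frames = 0
    with open(path, "rb") as f:
        f.seek(24)
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            incl_len = struct.unpack(endian + RECORD_HDR, rec)[2]
            if len(f.read(incl_len)) < incl_len:
                break   # truncated final record: count only complete frames
            frames += 1
    return {"format": name, "linktype": DLT_NAMES.get(linktype, "DLT %d" % linktype), "frames": frames}


def prune_archive(archive_dir, limit_bytes):
    """Delete the oldest files (by mtime) until the directory fits within limit_bytes,
    mirroring the oldest-first policy the MSE applies at its disk-space limit."""
    entries = []
    for name in os.listdir(archive_dir):
        p = os.path.join(archive_dir, name)
        if os.path.isfile(p):
            st = os.stat(p)
            entries.append((st.st_mtime, st.st_size, p))
    entries.sort()                      # oldest first
    total = sum(e[1] for e in entries)
    removed = []
    for _mtime, size, p in entries:
        if total <= limit_bytes:
            break
        os.remove(p)
        total -= size
        removed.append(os.path.basename(p))
    return removed, total


def write_pcap(path, frames, linktype=105, endian="<"):
    """Write a libpcap file holding the given raw 802.11 frames (constructed test data)."""
    with open(path, "wb") as f:
        f.write(struct.pack(endian + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for i, frame in enumerate(frames):
            f.write(struct.pack(endian + RECORD_HDR, 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def demo():
    """Build a throw-away archive of constructed captures, inspect it, then prune it to 250 bytes."""
    archive = tempfile.mkdtemp(prefix="wips_forensics_")
    try:
        plan = [("alarm_0001.cap", 2, "<"), ("alarm_0002.cap", 3, "<"), ("alarm_0003.cap", 1, ">")]
        for i, (name, nframes, endian) in enumerate(plan):
            p = os.path.join(archive, name)
            write_pcap(p, [DEAUTH_FRAME] * nframes, endian=endian)
            os.utime(p, (100 * (i + 1), 100 * (i + 1)))   # deterministic ages: 0001 is oldest
        stray = os.path.join(archive, "notes.txt")          # non-capture file left in the archive
        with open(stray, "wb") as f:
            f.write(b"not a capture")
        os.utime(stray, (400, 400))
        inspected = {n: inspect_capture(os.path.join(archive, n)) for n in sorted(os.listdir(archive))}
        removed, remaining = prune_archive(archive, limit_bytes=250)
        return {"inspect": inspected, "removed": removed, "remaining_bytes": remaining}
    finally:
        shutil.rmtree(archive, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In the constructed archive each capture is 24 bytes of header plus 42 bytes per frame (108, 150 and 66 bytes) and the stray text file is 13 bytes, 337 bytes in total; pruning to 250 bytes deletes only the oldest capture and leaves 229 bytes. Against a real archive the limit would be the MSE default of roughly 20 * 1024**3 bytes, and the inspect step tells you, before you open a file, whether it is libpcap at all and whether it carries bare 802.11 frames or frames wrapped in radiotap or another pseudo-header.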