Cisco WAP351 Wireless-N Dual Radio Access Point with 5-Port Switch Administration Manual

Administration
Packet Capture
Cisco WAP131 and WAP351 Administration Guide
When you are capturing traffic on the radio interface, you can disable beacon 
capture, but other 802.11 control frames are still sent to Wireshark. You can set up 
a display filter to show only:
Data frames in the trace
Traffic on specific Basic Service Set IDs (BSSIDs)
Traffic between two clients
Some examples of useful display filters are:
Exclude beacons and ACK/RTS/CTS frames:
!(wlan.fc.type_subtype == 8 || wlan.fc.type == 1)
Data frames only:
wlan.fc.type == 2
Traffic on a specific BSSID:
wlan.bssid == 00:02:bc:00:17:d0
All traffic to and from a specific client:
wlan.addr == 00:00:e8:4e:5f:8e
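The first two filters above test fields of the 802.11 Frame Control word. The following added example (not part of the Cisco guide) decodes that word and applies the same two conditions in Python; the frame headers are constructed sample bytes and the function names are hypothetical.

```python
# Added example: decode the 802.11 Frame Control field and apply the same
# logic as the two type-based display filters. All frames are constructed.
import struct

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}

def frame_control(frame: bytes) -> dict:
    """Decode the first two bytes of an 802.11 MAC header (little-endian)."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the Frame Control field")
    (fc,) = struct.unpack_from("<H", frame)
    ftype = (fc >> 2) & 0x3     # bits 2-3: frame type
    subtype = (fc >> 4) & 0xF   # bits 4-7: frame subtype
    return {
        "type": ftype,
        "subtype": subtype,
        # wlan.fc.type_subtype combines both fields: type * 16 + subtype
        "type_subtype": (ftype << 4) | subtype,
        "name": TYPE_NAMES[ftype],
    }

def keep_no_beacon_no_control(frame: bytes) -> bool:
    """Equivalent of !(wlan.fc.type_subtype == 8 || wlan.fc.type == 1)."""
    fc = frame_control(frame)
    return not (fc["type_subtype"] == 8 or fc["type"] == 1)

def keep_data_only(frame: bytes) -> bool:
    """Equivalent of wlan.fc.type == 2."""
    return frame_control(frame)["type"] == 2

# Constructed headers: Frame Control (2 bytes) + Duration (2 bytes) only.
SAMPLES = {
    "beacon": bytes.fromhex("80000000"),     # management, subtype 8
    "probe_req": bytes.fromhex("40000000"),  # management, subtype 4
    "ack": bytes.fromhex("d4000000"),        # control, subtype 13
    "rts": bytes.fromhex("b4000000"),        # control, subtype 11
    "cts": bytes.fromhex("c4000000"),        # control, subtype 12
    "data": bytes.fromhex("08010000"),       # data, subtype 0, ToDS set
    "qos_data": bytes.fromhex("88010000"),   # data, subtype 8, ToDS set
}

def apply_filter(pred) -> list:
    """Return the names of the sample frames that the predicate keeps."""
    return [name for name, raw in SAMPLES.items() if pred(raw)]

if __name__ == "__main__":
    print("no beacons/control:", apply_filter(keep_no_beacon_no_control))
    print("data only:", apply_filter(keep_data_only))
```

The QoS data sample has subtype 8, the same subtype number as a beacon, but its combined type_subtype value is 40, which is why the beacon filter tests wlan.fc.type_subtype rather than the subtype alone.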
In remote capture mode, traffic is sent to the computer running Wireshark through 
one of the network interfaces. Depending on the location of the Wireshark tool, the 
traffic can be sent on an Ethernet interface or one of the radios. To avoid a traffic 
flood caused by tracing the packets, the WAP device automatically installs a 
capture filter to filter out all packets destined to the Wireshark application. For 
example, if the Wireshark IP port is configured to be 58000, then this capture filter 
is automatically installed on the WAP device:
not portrange 58000-58004
Due to performance and security issues, the packet capture mode is not saved in 
NVRAM on the WAP device. If the WAP device resets, the capture mode is 
disabled and then you must enable it again to resume capturing traffic. Packet 
capture parameters (other than the mode) are saved in NVRAM.
Enabling the packet capture feature can create a security issue: Unauthorized 
clients may be able to connect to the WAP device and trace user data. The 
performance of the WAP device also is negatively impacted during packet 
capture, and this impact continues to a lesser extent even when there is no active 
Wireshark session. To minimize the performance impact on the WAP device during 
traffic capture, install capture filters to limit which traffic is sent to the Wireshark