Sniffer Mode

Sniffer

A sniffer is a network monitoring tool that

  • captures and forwards packets on a specified channel to a remote packet analyzer

  • allows monitoring and recording of network activity

  • detects network problems, and

  • receives encapsulated 802.11 traffic at the packet analyzer.

Key characteristics

  • Network packet capture: The sniffer captures live packets and forwards them to a packet analyzer for inspection.

  • Protocol support: Captured frames are encapsulated in the Airopeek (PEEKREMOTE) format and sent to the analyzer over a specified UDP port.

  • Management integration: Sniffers can be configured through AP modes and require resetting to revert to normal operations.

Recommendations

  • Use Clear in AP mode to return the AP back to client-serving mode, such as local or FlexConnect depending on the remote site tag configuration.

Essential hardware and software for sniffer setup

You will need the following hardware and software to perform sniffing:

  • A dedicated access point: An AP configured as a sniffer cannot simultaneously provide wireless access service on the network. To avoid disrupting coverage, use an access point that is not part of your existing wireless network.

  • A remote monitoring device: A computer capable of running the analyzer software.

  • Software, supporting files, plug-ins, or adapters: Your analyzer software may require specialized files to function effectively.

Restrictions on sniffer

  • These are the supported third-party network analyzer software applications:

    • Wildpackets Omnipeek or Airopeek

    • AirMagnet Enterprise Analyzer

    • Wireshark

  • The latest version of Wireshark can decode the packets: go to Analyze > Decode As, and set UDP port 5555 to decode as PEEKREMOTE.

  • You cannot use Sniffer mode when the controller L3 interface is the Wireless Management Interface (WMI).
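As an added example (not part of the Cisco documentation), the following Python parser splits one UDP 5555 PEEKREMOTE payload into its radio metadata and the encapsulated 802.11 frame, which is what the Wireshark Decode As step above does interactively. The 20-byte legacy header layout, the new-format magic value, and the constructed beacon payload are my assumptions, not taken from this page.

```python
import struct

# Legacy (pre-magic) PEEKREMOTE header, big-endian, 20 bytes.  Assumption: this
# is my reading of how Wireshark's peekremote dissector decodes a UDP 5555
# payload; the Cisco page only says to decode UDP 5555 as PEEKREMOTE.
#   int8 signal dBm, int8 noise dBm, u16 packet length, u16 slice length,
#   u8 flags, u8 status, u64 timestamp, u8 rate (500 kbps units), u8 channel,
#   u8 signal %, u8 noise %
LEGACY_HDR = struct.Struct(">bbHHBBQBBBB")
NEW_FORMAT_MAGIC = b"\x00\xff\xab\xcd"  # assumed start of the newer header


def parse_peekremote_legacy(payload: bytes) -> dict:
    """Return radio metadata plus the raw 802.11 frame from one UDP payload."""
    if payload.startswith(NEW_FORMAT_MAGIC):
        raise ValueError("new-format PEEKREMOTE header: not handled by this parser")
    if len(payload) < LEGACY_HDR.size:
        raise ValueError("payload shorter than the 20-byte legacy header")
    (signal_dbm, noise_dbm, packet_len, slice_len, flags, status,
     timestamp, rate, channel, signal_pct, noise_pct) = LEGACY_HDR.unpack_from(payload)
    frame = payload[LEGACY_HDR.size:]
    if slice_len == 0 or len(frame) < slice_len:
        raise ValueError(f"truncated: header promises {slice_len} bytes, got {len(frame)}")
    fc = frame[0]  # 802.11 Frame Control: type in bits 2-3, subtype in bits 4-7
    return {
        "signal_dbm": signal_dbm, "noise_dbm": noise_dbm,
        "packet_length": packet_len, "slice_length": slice_len,
        "flags": flags, "status": status, "timestamp": timestamp,
        "rate_mbps": rate / 2,  # 500 kbps units -> Mbps
        "channel": channel, "signal_percent": signal_pct, "noise_percent": noise_pct,
        "dot11_type": (fc >> 2) & 0x3, "dot11_subtype": (fc >> 4) & 0xF,
        "frame": frame[:slice_len],
    }


def constructed_beacon_payload() -> bytes:
    """Constructed sample: a 24-byte beacon header wrapped in a legacy
    PEEKREMOTE header, roughly what an AP sniffing channel 44 would send."""
    bssid = bytes.fromhex("001122334455")  # constructed address
    dot11 = (bytes([0x80, 0x00])      # FC: mgmt type 0, subtype 8 (beacon)
             + b"\x00\x00"            # duration
             + b"\xff" * 6            # DA: broadcast
             + bssid + bssid          # SA, BSSID
             + b"\x10\x00")           # sequence control
    hdr = LEGACY_HDR.pack(-55, -92, len(dot11), len(dot11), 0, 0,
                          1_700_000_000_000_000, 12, 44, 70, 5)
    return hdr + dot11


if __name__ == "__main__":
    print(parse_peekremote_legacy(constructed_beacon_payload()))
```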

Note

As both Cisco Catalyst 9166I and 9166D APs have XOR radios, a Board Device File (BDF) has to be loaded to initialize radio 2 for the radios of these APs to work as expected. While the BDF is being loaded, and for the file to be loaded correctly, the firmware has to be made non-operational and the radios have to be reset. This radio reset, caused by the firmware being non-operational while the BDF is loaded, is deliberate and expected behavior. The operation can be observed in both the controller and Cisco Catalyst Center. We recommend that you ignore the core dump that is generated by this deliberate operation.

How to Configure Sniffer

Configure an access point as sniffer (GUI)

This task guides you through configuring an access point in sniffer mode using the GUI, allowing the access point to capture wireless traffic at a specified location.

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

On the General tab, update the name of the AP. The AP name can be ASCII characters from 33 to 126, without leading and trailing spaces.

Step 3

Specify the physical location where the AP is present.

Step 4

Choose the Admin Status as Enabled if the AP is to be in the enabled state.

Step 5

Choose the mode for the AP as Sniffer.

Step 6

In the Tags section, specify the appropriate policy, site, and RF tags that you created on the Configuration > Tags & Profiles > Tags page.

Note

If the AP is in sniffer mode, you do not need to assign any tags.

Step 7

Click Update & Apply to Device.

Step 8

Choose the mode for the AP as Clear to return the AP back to the client-serving mode depending on the remote site tag configuration.


The AP is configured in sniffer mode, ready for capturing wireless traffic at the specified location.

Configure an access point as sniffer (CLI)

Set an AP to sniffer mode so that it can monitor network traffic.

Procedure


Step 1

Enable privileged EXEC mode.

Example:

Device>enable

Step 2

Configure the AP to function as a sniffer.

Example:

Device# ap name access1 mode sniffer

Where:

  • ap-name is the name of the Cisco lightweight access point.

  • Use the no form of this command to disable the access point as a sniffer.


The AP operates in sniffer mode, capturing and monitoring network traffic.

Enable or Disable sniffing on the access point (GUI)

This task guides you through enabling or disabling sniffing mode on an AP using the GUI.

Before you begin

You must change the AP mode to sniffer mode.

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

On the Access Points page, click the AP name from the 5 GHz or 2.4 GHz list.

Step 3

In the Edit Radios > Configure > Sniffer Channel Assignment section, check the Sniffer Channel Assignment checkbox to enable sniffing on the access point.

Uncheck the checkbox to disable sniffing on the access point.

Step 4

From the Sniff Channel drop-down list, select the channel.

Step 5

Enter the IP address into the Sniffer IP field.

Step 6

In the RF Channel Assignment section, configure these items:

Note

The section is enabled for editing only if the Assignment Method is set to Custom.

  • From the RF Channel Width drop-down list, select the channel width.

  • From the Assignment Method drop-down list, choose the type of assignment.

Note

If you choose Custom, you must select a channel width and specify an RF channel number for the access point radio.

Step 7

Click Update & Apply to Device.


The AP is configured to either operate in sniffing mode or have sniffing mode disabled based on your choice.

Enable or Disable sniffing on the access point (CLI)

This task enables you to manage the sniffing feature on an AP using CLI commands, specifically to enable or disable it as necessary.

Procedure


Step 1

Enable privileged EXEC mode.

Example:

Device> enable

Step 2

Enable sniffing on the AP.

Example:

Device# ap name access1 dot11 6ghz slot 3 sniff 1 9.9.48.5

Where:

  • channel is the valid channel to be sniffed. For 802.11a, the range is 36 to 165. For 802.11b, the range is 1 to 14.

  • server-ip-address is the IP address of the remote machine running Omnipeek, Airopeek, AirMagnet, or Wireshark software.

Step 3

Disable sniffing on the AP.

Example:

Device# ap name access1 no sniff dot11b

The sniffing feature is enabled or disabled on the AP based on the commands executed. Ensure that you verify the current status of the configuration.

Verify sniffer configurations

Use these commands to verify sniffer configurations on AP and gather specifics regarding the sniffing setup in multiple bands and slots.

Table 1. Commands for verifying sniffer configurations

  Command: show ap name ap-name config dot11 {24ghz | 5ghz | dual-band}
  Description: Displays the sniffing details for the specified band.

  Command: show ap name ap-name config slot slot-ID
  Description: Displays the sniffing configuration details for the specified slot. slot-ID ranges from 0 to 3. All access points have slot 0 and 1.

Examples for sniffer configurations and monitoring

This example shows how to configure an AP as sniffer:

Device# ap name access1 mode sniffer

This example shows how to enable sniffing on the AP:

Device# ap name sniffer dot11 5ghz sniff 44 1.1.1.1

This example shows how to disable sniffing on the AP:

Device# ap name access1 no sniff dot11b

This example shows how to display the sniffing configuration details:

Device# show ap name access1 config dot11 24ghz
Device# show ap name access1 config slot 0