Sniffer Mode

Sniffer

A sniffer is a network monitoring tool that

  • captures packets on a specified channel and forwards them to a remote packet analyzer

  • allows monitoring and recording of network activity

  • helps detect network problems, and

  • delivers encapsulated 802.11 traffic to the packet analyzer.

Key characteristics

  • Network packet capture: The sniffer captures live packets and forwards them to a packet analyzer for inspection.

  • Protocol support: Captured frames are encapsulated in the Airopeek (PEEKREMOTE) format and forwarded to the analyzer over a specified UDP port.

  • Management integration: An AP is placed in sniffer mode through its AP mode setting and must be returned to a client-serving mode to resume normal operation.

Recommendations

  • Use Clear in AP mode to return the AP to client-serving mode (Local or FlexConnect, depending on the remote site tag configuration).

  • Do not use the AP command to change the CAPWAP mode.

XOR radio roles

A XOR radio is a configuration that

  • allows the XOR radio to function in multiple modes via a single radio interface

  • eliminates the need to switch the entire AP into a separate mode, and

  • is implemented at the radio level and referred to as "roles."

XOR radio roles facilitate the operation of wireless network radios. This is specifically applicable to models like the Cisco Catalyst 2800, 3800, 4800, and 9100 series AP models. The Sniffer role, supported from the current release onwards, is offered alongside the Client Serving and Monitor roles.

Feature history for sniffer mode

Table 1. Feature history

Release: Cisco IOS XE 17.8.1

Feature: XOR Radio Role Sniffer Support on the Access Point

Feature information: The XOR radio in APs such as the Cisco 2800, 3800, 4800, and 9100 series AP models supports the sniffer role on a single radio interface.

Supporting reference information

The radio role is supported in both Local and FlexConnect modes.

Essential hardware and software for sniffer setup

  • A dedicated access point: An AP configured as a sniffer cannot simultaneously provide wireless access service on the network. To avoid disrupting coverage, use an access point that is not part of your existing wireless network.

  • A remote monitoring device: A computer capable of running the analyzer software.

  • Software, supporting files, plug-ins, or adapters: Your analyzer software may require specialized files to function effectively.

Restrictions on sniffer

  • These are the supported third-party network analyzer software applications:

    • Wildpackets Omnipeek or Airopeek

    • AirMagnet Enterprise Analyzer

    • Wireshark

  • The latest version of Wireshark can decode the packets: choose Analyze > Decode As, and set UDP port 5555 to decode as PEEKREMOTE.

  • You cannot use Sniffer mode when the controller L3 interface is the Wireless Management Interface (WMI).

  • When an AP or a radio operates in the sniffer mode, irrespective of its current channel width settings, the AP sniffs or captures only on the primary channel.

  • Avoid enabling AP sniffer mode when the controller is connected to Cisco Application Centric Infrastructure (ACI) that uses default endpoint learning. For more information, refer to CSCwa45713.


Note


Because both the Cisco Catalyst 9166I and 9166D APs have XOR radios, a Board Device File (BDF) must be loaded to initialize radio 2 before the radios of these APs work as expected. To load the BDF correctly, the firmware is made non-operational and the radios are reset. This radio reset is deliberate and expected behavior, and it is visible in both the controller and Cisco Catalyst Center. Ignore the core dump that this deliberate operation generates.

How to configure sniffer

Configure an access point as sniffer (GUI)

This task guides you through configuring an access point to sniffer mode using the GUI, allowing the access point to capture wireless traffic in a specified location.

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

On the General tab, update the name of the AP. The AP name can be ASCII characters from 33 to 126, without leading and trailing spaces.

Step 3

Specify the physical location where the AP is present.

Step 4

Choose the Admin Status as Enabled if the AP is to be in enabled state.

Step 5

Choose the mode for the AP as Sniffer.

Step 6

In the Tags section, specify the appropriate policy, site, and RF tags that you created on the Configuration > Tags & Profiles > Tags page.

Note

If the AP is in sniffer mode, you do not need to assign any tag.

Step 7

Click Update & Apply to Device.

Step 8

Choose the mode for the AP as Clear to return the AP back to the client-serving mode depending on the remote site tag configuration.

Note

Changing the AP mode to Sniffer sets all radios to manual mode. When you change modes, a warning prompts you to revert the radio submode to AUTO if required.


The AP is configured in sniffer mode, ready for capturing wireless traffic at the specified location.

Configure an access point as sniffer (CLI)

Set an AP to sniffer mode so that it can monitor network traffic.

Procedure


Step 1

Enable privileged EXEC mode.

Example:

Device> enable

Step 2

Configure the AP to function as a sniffer.

Example:

Device# ap name access1 mode sniffer

Where,

  • ap-name is the name of the Cisco lightweight access point.

  • Use the no form of this command to disable the access point as a sniffer.


The AP operates in sniffer mode, capturing and monitoring network traffic.

Enable or disable sniffing on the AP (GUI)

This task guides you through enabling or disabling sniffing mode on an AP using the GUI.

Before you begin

You must change the AP mode to sniffer mode.

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

On the Access Points page, click the AP name from the 6 GHz, 5 GHz, or 2.4 GHz list.

Step 3

In the Role Assignment section, select the Assignment Method as Sniffer.

Step 4

In the Sniffer Channel Assignment section, check the Sniffer Channel Assignment checkbox to enable.

Uncheck the checkbox to disable sniffing on the access point.

Step 5

From the Sniff Channel drop-down list, select the channel.

Note

By default, the Sniff Channel is set to 36 for 5 GHz and 1 for 2.4 GHz.

Step 6

Enter the IP address into the Sniffer IP field.

To validate the IP address, click Update & Apply to Device. If the IP address is valid, the Sniffer IP Status displays Valid.

Step 7

In the RF Channel Assignment section, configure these items:

Note

This section is enabled for editing only if the Assignment Method is set to Custom.

  • From the RF Channel Width drop-down list, select the channel width.

  • From the Assignment Method drop-down list, choose the type of assignment.

Note

If you choose Custom, you must select a channel width and specify an RF channel number for the access point radio.

Step 8

Click Update & Apply to Device.


The AP is configured to either operate in sniffing mode or have sniffing mode disabled based on your choice.

Enable or disable sniffing on the AP (CLI)

This task enables you to manage the sniffing feature on an AP using CLI commands, specifically to enable or disable it as necessary.

Procedure


Step 1

Enable privileged EXEC mode.

Example:

Device> enable

Step 2

Enable sniffing on the AP.

Example:

Device# ap name access1 sniff dot11b 1 9.9.48.5

Where,

  • channel is the valid channel to be sniffed. For 802.11a, the range is 36 to 165. For 802.11b, the range is 1 to 14. For dot11 6 GHz, the range is 1 to 233.

  • server-ip is the IP address of the machine running the network monitoring software.

Step 3

Disable sniffing on the AP.

Example:

Device# ap name access1 no sniff dot116ghz

The sniffing feature is enabled or disabled on the AP based on the commands executed. Ensure that you verify the current status of the configuration.
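A preflight check for the sniff commands in this procedure, as an added Python helper that is not part of the Cisco documentation: it validates the band keyword and channel against the ranges listed in Step 2, and checks that the analyzer address is a well-formed IP literal, before producing the exact command line, so a mistyped channel or address is caught before it reaches the controller.

```python
import ipaddress

# Sniff channel ranges per band keyword, taken from Step 2 of the procedure above.
SNIFF_CHANNEL_RANGES = {
    "dot11b": range(1, 15),       # 2.4 GHz: channels 1 to 14
    "dot11a": range(36, 166),     # 5 GHz: channels 36 to 165
    "dot116ghz": range(1, 234),   # 6 GHz: channels 1 to 233
}


def is_valid_sniff_channel(band: str, channel: int) -> bool:
    """True when the band keyword is known and the channel lies in its sniff range."""
    return band in SNIFF_CHANNEL_RANGES and channel in SNIFF_CHANNEL_RANGES[band]


def sniff_command(ap_name: str, band: str, channel: int, server_ip: str) -> str:
    """Build the 'ap name ... sniff' command, rejecting bad input up front.

    Raises ValueError rather than emitting a command the controller would refuse,
    or one that would forward captures to a mistyped analyzer address.
    """
    if not is_valid_sniff_channel(band, channel):
        raise ValueError(f"channel {channel} is not a valid {band} sniff channel")
    # ipaddress.ip_address raises ValueError for anything that is not an IP literal
    ipaddress.ip_address(server_ip)
    return f"ap name {ap_name} sniff {band} {channel} {server_ip}"


def no_sniff_command(ap_name: str, band: str) -> str:
    """Build the command that stops sniffing on the given band."""
    if band not in SNIFF_CHANNEL_RANGES:
        raise ValueError(f"unknown band keyword {band!r}")
    return f"ap name {ap_name} no sniff {band}"


if __name__ == "__main__":
    # Reproduces the two example commands from the procedure above.
    print(sniff_command("access1", "dot11b", 1, "9.9.48.5"))
    print(no_sniff_command("access1", "dot116ghz"))
```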

Configure XOR radio role sniffer support on the access point (CLI)

Enable the XOR radio on an AP to operate as a sniffer by manually configuring its role and settings through the CLI.

Procedure


Step 1

Enable privileged EXEC mode. Enter your password, if prompted.

Example:

Device> enable

Step 2

Shut down the XOR radio.

Example:

Device# ap name AP687D.B45C.189C dot11 dual-band shutdown

Step 3

Convert the XOR radio role to manual.

Example:

Device# ap name ap-name dot11 dual-band role manual client-serving

Step 4

Configure XOR radio to manually operate in a specific band.

Example:

Device# ap name AP687D.B45C.189C dot11 dual-band band 5ghz

Step 5

Enable XOR radio role Sniffer support on AP from the controller.

Example:

Device# ap name AP687D.B45C.189C dot11 dual-band radio role manual sniffer channel 100 ip 9.4.197.85

Where,

  • ap-name is the name of the Cisco lightweight access point.

  • channel-number is the channel on which the XOR radio sniffs.

Step 6

Activate the XOR radio.

Example:

Device# ap name AP687D.B45C.189C no dot11 dual-band shutdown

Step 7

Return to privileged EXEC mode.

Example:

Device# end

Note

When configuring the radio to work as a Sniffer in the 5 GHz band, make sure to change the band of the radio manually.


XOR radio on the AP is configured to operate as a sniffer, allowing you to monitor and analyze wireless traffic on a specified channel.

Verify sniffer configurations

Use these commands to verify sniffer configurations on an AP and gather specifics about the sniffing setup in multiple bands and slots.

Table 2. Commands for verifying sniffer configurations

Command: show ap name ap-name config dot11 {24ghz | 5ghz | 6ghz | dual-band}

Description: Displays the sniffing details.

Command: show ap name ap-name config slot slot-ID

Description: Displays the sniffing configuration details. slot-ID ranges from 0 to 3; all access points have slots 0 and 1.

Verify XOR radio role sniffer configuration

To verify the XOR radio role sniffer configuration for a given AP, use this command:

Device# show ap name AP687D.B45C.189C config slot 0

Sniffing                                        : Enabled
Sniff Channel                                   : 6
Sniffer IP                                      : 198.51.100.10
Sniffer IP Status                               : Valid
ATF Mode                                        : Disable
ATE Optimization                                : N/A
AP Submode                                      : Not Configured
Remote AP Debug                                 : Disabled
Logging Trap Severity Level                     : information
Software Version                                : 17.9.0.18
Boot Version                                    : 1.1.2.4
Mini IOS Version                                : 0.0.0.0
Stats Reporting Period                          : 60
primary_discovery_timer                         : 120
LED State                                       : Enabled
LED Flash State                                 : Enabled
LED Flash Timer                                 : 0
PoE Pre-Standard Switch                         : Disabled
PoE Power Injector MAC Address                  : Disabled
Power Type/Mode                                 : PoE/Full Power
Number of Slots                                 : 4
AP Model                                        : C9136I-B
IOS Version                                     : 17.9.0.18
Reset Button                                    : Disabled
AP Serial Number                                : FOC25322JJZ
AP Certificate Type                             : Manufacturer Installed Certificate
AP Certificate Expiry-time                      : 08/09/2099 20:58:26
AP Certificate issuer common-name               : High Assurance SUDI CA
AP Certificate Policy                           : Default
AP CAPWAP-DTLS LSC Status
    Certificate status        : Not Available
AP 802.1x LSC Status
    Certificate status        : Not Available
AP User Name                                    : admin
AP 802.1X User Mode                             : Global
AP 802.1X User Name                             : Not Configured
Cisco AP System Logging Host                    : 203.0.113.10
AP Up Time                                      : 4 hours 20 minutes 55 seconds
AP CAPWAP Up Time                               : 4 hours 16 minutes 17 seconds
Join Date and Time                              : 01/19/2022 03:06:12
 
Attributes for Slot 0
  Radio Type                                    : 802.11ax - 2.4 GHz
  Radio Mode                                    : Sniffer
  Radio Role                                    : Sniffer
  Maximum client allowed                        : 400
  Radio Role Op                                 : Manual
  Radio SubType                                 : Main
  Administrative State                          : Enabled
  Operation State                               : Up
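An added Python example, not part of the Cisco documentation, that parses the output format shown above and checks that a given slot is actually sniffing on the intended channel toward the intended analyzer, which is the verification a practitioner wants after the procedures in this section. The embedded sample is constructed from the output above and trimmed to the fields the check needs.

```python
import re
# Constructed sample, trimmed from the 'show ap name ... config slot 0' format above.
SAMPLE_OUTPUT = """\
Sniffing                                        : Enabled
Sniff Channel                                   : 6
Sniffer IP                                      : 198.51.100.10
Sniffer IP Status                               : Valid
AP Model                                        : C9136I-B

Attributes for Slot 0
  Radio Mode                                    : Sniffer
  Radio Role                                    : Sniffer
  Radio Role Op                                 : Manual
  Operation State                               : Up
"""

FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")   # 'Key   : value' lines
SLOT_RE = re.compile(r"^Attributes for Slot (\d+)")   # start of a per-slot block


def parse_ap_config(text):
    """Return (global_fields, {slot: fields}); text after the first ':' is kept whole."""
    global_fields, slots, current = {}, {}, None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = slots.setdefault(int(m.group(1)), {})
            continue
        m = FIELD_RE.match(line)
        if m:
            (global_fields if current is None else current)[m.group(1)] = m.group(2)
    return global_fields, slots


def check_sniffer(text, slot, want_channel, want_ip):
    """Return a list of findings; an empty list means the slot sniffs as intended."""
    g, slots = parse_ap_config(text)
    findings = []
    if g.get("Sniffing") != "Enabled":
        findings.append("sniffing is not enabled on the AP")
    if g.get("Sniff Channel") != str(want_channel):
        findings.append(f"sniff channel is {g.get('Sniff Channel')}, expected {want_channel}")
    if g.get("Sniffer IP") != want_ip or g.get("Sniffer IP Status") != "Valid":
        findings.append("sniffer IP differs from the intended analyzer or is not Valid")
    s = slots.get(slot, {})
    for key in ("Radio Mode", "Radio Role"):
        if s.get(key) != "Sniffer":
            findings.append(f"slot {slot} {key} is {s.get(key)!r}, not Sniffer")
    if s.get("Operation State") != "Up":
        findings.append(f"slot {slot} radio is not up")
    return findings
```

Feed it the real output of `show ap name <ap-name> config slot <slot-ID>` captured from the controller; any non-empty result means the AP is not capturing where you think it is.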

Examples for sniffer configurations and monitoring

This example shows how to configure an AP as a sniffer:

Device# ap name access1 mode sniffer

This example shows how to enable sniffing on the AP:

Device# ap name sniffer dot11 5ghz sniff 44 1.1.1.1

This example shows how to disable sniffing on the AP:

Device# ap name access1 no sniff dot11b

This example shows how to display the sniffing configuration details:

Device# show ap name access1 config dot11 24ghz
Device# show ap name access1 config slot 0