Wireshark-users: Re: [Wireshark-users] Question on wireless sniffing and Cisco AP modes
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 28 Apr 2009 16:02:44 -0700

On Apr 27, 2009, at 8:57 AM, Steven Pfister wrote:

I'm trying to learn a little about wireless troubleshooting. In reading about the sniffer mode of Cisco APs, a lot of the Cisco pages I've read say it requires Airopeek. But a Cisco Press book I'm reading says "operates with an Omnipeek, Airmagnet, or Wireshark server." Is there such a thing as a Wireshark server?

Perhaps there is, but nobody appears to have bothered to tell the Wireshark core team about it. :-)

Googling for

	omnipeek wireshark airmagnet cisco access point

found

	http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5err.html

which says

	Prerequisites for Wireless Sniffing

To perform wireless sniffing, you need the following hardware and software:

o A dedicated access point—An access point configured as a sniffer cannot simultaneously provide wireless access service on the network. To avoid disrupting coverage, use an access point that is not part of your existing wireless network.

o A remote monitoring device—A computer capable of running the analyzer software.

o Windows XP or Linux operating system—The controller supports sniffing on both Windows XP and Linux machines.

o Software and supporting files, plug-ins, or adapters—Your analyzer software may require specialized files before you can successfully enable sniffing:

–Omnipeek or Airopeek—Go to http://www.wildpackets.com and follow the instructions to purchase, install, and configure the software.

–AirMagnet—Go to http://www.airmagnet.com/products/ea_cisco/#top and follow the instructions to purchase, install, and configure the software.

–Wireshark—Go to http://tools.cisco.com/support/downloads and follow the instructions to download Wireshark and the correct installation wizard for your operating system.

and then proceeds to talk about how to configure the access point - but *not* how to configure the sniffer.

Perhaps they've modified Wireshark - or libpcap/WinPcap - to support remote capture. Or perhaps, given that they mention setting the IP address of the sniffing machine, they have a server process to which the AP sends packets, and you have Wireshark capture from a named pipe that provides access to that server.