Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[WLA/WLC] How to use a snoop filter configured on an AP to collect wireless packet captures

0

0

Article ID: KB25108 KB Last Updated: 06 Jul 2012Version: 1.0
Summary:
This article provides information on how to use a snoop filter, which is configured on an AP, to collect wireless packet captures.
Symptoms:
  • Advanced troubleshooting usually involves low-level debugging at the packet level.

  • In a Windows environment, you will be unable to directly capture packets with a wireless NIC, due to the driver limitations.
Cause:

Solution:
  1. Identify the AP that needed to be monitored and an AP to sniff the wireless traffic.

    Note: These two APs have to operate on the same channel and be in the same coverage area.

  2. Configure the AP, which is used for sniffing, in the sentry mode:

    Make sure that the AP being used for sniffing is configured in the sentry mode, so that you do not add interference. In normal circumstances, 2 APs in close proximity, which are operating on the same channel, are interfering. But when an AP is operating in sentry mode, it will listen for traffic only on the specified channel, rather than broadcasting traffic.

    To configure an AP to operate in the sentry mode, use the following command:
    set ap <x> radio <y> mode sentry
  3. Configure the snoop observer:

    This is a wired machine that has Wireshark installed on it and a L3 connection with the sniffing AP.

    set snoop observer <ip address of the observer, on which Wireshark is installed> transmission-mode tzsp
  4. Configure the snoop filter:
    set snoop filter test channel eq <operating channel of the test APs> observer <ip address of the observer> set snoop filter test mode enable
  5. Apply the snoop filter to the sniffing AP:
    set ap <ap number of AP used for sniffing> radio <x> snoop test
  6. Start a capture in Wireshark:

    Start a capture in Wireshark on the Ethernet interface, which holds the connection with the sniffing AP, and do not forget to select the Capture packets in promiscuous mode option.

Note:

The above procedure does not have the necessary resolution to capture large amounts of traffic; but to inspect specific packets (association requests, beacons, and so on). To capture large amounts of traffic, refer to the following articles:

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search