DWS-1008 User’s Manual
D-Link Systems, Inc.
Appendix A - Troubleshooting
Remotely Monitoring Trafc
Remote trafc monitoring enables you to snoop wireless trafc, by using a Distributed AP
as a snifng device. The AP copies the sniffed 802.11 packets and sends the copies to an
observer, which is typically a protocol analyzer such as Ethereal or Tethereal.
How Remote Trafc Monitoring Works
To monitor wireless trafc, an AP radio compares trafc sent or received on the radio to
snoop lters applied to the radio by the network administrator. When an 802.11 packet
matches all conditions in a lter, the AP encapsulates the packet in a Tazmen Sniffer Protocol
(TZSP) packet and sends the packet to the observer host IP addresses specied by the lter.
TZSP uses UDP port 37008 for its transport. (TZSP was created by Chris Waters of Network
Chemistry.)
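The following is an added example of what the observer side of this exchange has to do, not code from D-Link or from the DWS-1008 firmware. It receives the UDP datagrams the AP emits, splits off the TZSP header and tag list, and hands the enclosed 802.11 frame to a small decoder. The TZSP layout it assumes (1-byte version, 1-byte type, 2-byte encapsulation, tagged fields terminated by tag 0x01, then the frame) and the tag numbers follow the public TZSP dissector conventions; the sample datagram is constructed here for illustration, not captured from a DWS-1008.

```python
"""Minimal TZSP observer: parse what a snooping AP sends to UDP 37008."""
import socket
import struct

TZSP_PORT = 37008          # UDP port named in the manual
TZSP_VERSION = 1
ENCAP_IEEE_802_11 = 18     # encapsulation value for raw 802.11 frames

TAG_PADDING = 0x00         # single byte, no length field
TAG_END = 0x01             # single byte, terminates the tag list
TAG_NAMES = {              # optional per-packet metadata tags (assumed numbering)
    0x0A: "raw_rssi", 0x0B: "snr", 0x0C: "data_rate", 0x0D: "timestamp",
    0x10: "decrypted", 0x11: "fcs_error", 0x12: "rx_channel",
    0x28: "packet_count", 0x29: "rx_frame_length",
}
FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}


def parse_tzsp(datagram: bytes) -> dict:
    """Split one TZSP datagram into header fields, tags and the 802.11 frame."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:                                   # walk the tag list to TAG_END
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tag length")
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated tag value")
        pos += length
        tags[TAG_NAMES.get(tag, f"tag_{tag:#04x}")] = value
    return {"version": version, "type": ptype, "encap": encap,
            "tags": tags, "frame": datagram[pos:]}


def describe_80211(frame: bytes) -> dict:
    """Decode the Frame Control field and the first three addresses."""
    if len(frame) < 2:
        raise ValueError("frame too short for Frame Control")
    fc, flags = frame[0], frame[1]
    info = {
        "type": FRAME_TYPES[(fc >> 2) & 0x3],
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        # Protected Frame bit: a snooped copy forwarded after decryption
        # arrives with this clear, i.e. the payload is plaintext on the wire.
        "protected": bool(flags & 0x40),
    }
    if len(frame) >= 22:                          # mgmt/data frames carry 3 addresses
        for i, name in enumerate(("addr1", "addr2", "addr3")):
            raw = frame[4 + 6 * i:10 + 6 * i]
            info[name] = ":".join(f"{b:02x}" for b in raw)
    return info


def build_tzsp(frame: bytes, channel: int, rssi: int) -> bytes:
    """Build a datagram in the shape an AP would send (used here to construct a sample)."""
    tags = bytes([0x12, 1, channel, 0x0A, 1, rssi & 0xFF, 0x10, 1, 1, TAG_END])
    return struct.pack("!BBH", TZSP_VERSION, 0, ENCAP_IEEE_802_11) + tags + frame


# Constructed sample: a plaintext 802.11 data frame (ToDS=1) with made-up addresses.
SAMPLE_FRAME = (bytes([0x08, 0x01, 0x00, 0x00])
                + bytes.fromhex("02000000000a") + bytes.fromhex("020000000001")
                + bytes.fromhex("020000000002") + b"\x10\x00" + b"hello")
SAMPLE_DATAGRAM = build_tzsp(SAMPLE_FRAME, channel=6, rssi=0xC4)


def observe(port: int = TZSP_PORT) -> None:
    """Receive TZSP datagrams from the AP and print one summary line per frame."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        p = parse_tzsp(data)
        if p["encap"] != ENCAP_IEEE_802_11:
            continue
        d = describe_80211(p["frame"])
        ch = p["tags"].get("rx_channel", b"?")
        print(f"{src} ch={ch!r} {d['type']}/{d['subtype']} "
              f"{d.get('addr2')} -> {d.get('addr1')} protected={d['protected']}")


if __name__ == "__main__":
    print(describe_80211(parse_tzsp(SAMPLE_DATAGRAM)["frame"]))
```

Running observe() on the host named as the observer in a snoop filter gives a running view of what the AP forwards; the summary line's protected flag makes the point of the "sent in the clear" note concrete, since every decrypted copy shows up with it cleared.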
You can map up to eight snoop filters to a radio. A filter does not become active until you
enable it. Filters and their mappings are persistent and remain in the configuration following
a restart. However, filter state is not persistent. If the switch or the AP is restarted, the filter is
disabled. To continue using the filter, you must enable it again.
Using Snoop Filters on Radios That Use Active Scan
When active scan is enabled in a radio profile, the radios that use the profile actively scan
other channels in addition to the data channel that is currently in use. Active scan operates
on enabled radios and disabled radios. In fact, using a disabled radio as a dedicated scanner
provides better rogue detection because the radio can spend more time scanning on each
channel.
When a radio is scanning other channels, snoop filters that are active on the radio also
snoop traffic on the other channels. To prevent monitoring of data from other channels, use
the channel option when you configure the filter, to specify the channel on which you want
to scan.
All Snooped Traffic Is Sent in the Clear
Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear) version
is sent to the observer.
Best Practices for Remote Traffic Monitoring
Do not specify an observer that is associated with the AP where the snoop filter is
running. This configuration causes an endless cycle of snoop traffic.