Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

521

522

523

524

525

526

527

528

529

530

Remotely Monitoring Traffic

RoamAbout Mobility System Software Configuration Guide A-15

Remotely Monitoring Traffic

Remotetrafficmonitoringenablesyoutosnoopwirelesstraffic,byusingaDistributedAPasa

sniffingdevice.TheAPcopies thesniffed802.11packetsandsendsthecopiestoanobserver,

whichistypicallyaprotocolanalyzersuchasEtherealorTethereal.

How Remote Traffic Monitoring Works

Tomonitorwirelesstraffic,anAPradiocomparestrafficsentorreceivedontheradiotosnoop

filtersappliedtotheradiobythenetworkadministrator.Whenan802.11packetmatchesall

conditionsinafilter,theAPencapsulatesthepacketinaTazmenSnifferProtocol(TZSP)packet

andsendsthe

packettotheobserverhostIPaddressesspecifiedbythefilter.TZSPusesUDPport

37008foritstransport.(TZSPwascreatedby ChrisWatersofNetworkChemistry.)

Youcanmapuptoeightsnoopfilterstoaradio.Afilterdoesnotbecomeactiveuntilyouenableit.

Filtersand

theirmappingsarepersistentandremainintheconfigurationfollowingarestart.

However,filterstateisnotpersistent.IftheswitchortheAPisrestarted,thefilterisdisabled.To

continueusingthefilter,youmustenableitagain.

Using Snoop Filters on Radios That Use Active Scan

Whenactivescanisenabledinaradioprofile,theradiosthatusetheprofileactivelyscanother

channelsinadditiontothedatachannelthatiscurrentlyinuse.Activescanoperatesonenabled

radiosanddisabledradios.Infact,usingadisabledradioasadedicatedscannerprovidesbetter



roguedetectionbecausetheradiocanspendmoretimescanningoneachchannel.

Whenaradioisscanningotherchannels,snoopfiltersthatareactiveontheradioalsosnoop

trafficontheotherchannels.Topreventmonitoringofdatafromotherchannels,usethechannel

optionwhenyouconfigure

thefilter,tospecifythechannelonwhichyouwanttoscan.

All Snooped Traffic Is Sent in the Clear

Trafficthatmatchesasnoopfilteriscopiedafteritisdecrypted.Thedecrypted(clear)versionis

senttotheobserver.

Best Practices for Remote Traffic Monitoring

•DonotspecifyanobserverthatisassociatedwiththeAPwherethesnoopfilterisrunning.

Thisconfigurationcausesanendlesscycleofsnooptraffic.

•IfthesnoopfilterisrunningonaDistributedAP,andtheAPusedaDHCPserverinitslocal

subnettoconfigureitsIP

information,andtheAPdidnotreceiveadefaultrouter(gateway)

addressasaresult,theobservermustalsobeinthesamesubnet.Withoutadefaultrouter,the

APcannotfindtheobserver.

•TheAPthatisrunningasnoopfilterforwardssnoopedpacketsdirectlytotheobserver.This

aone‐waycommunication,fromtheAPtotheobserver.Iftheobserverisnotpresent,the

APstillsend sthesnooppackets,whichusebandwidth.Iftheobserverispresentbutisnot

listeningtoTZSPtraffic,theobservercontinuouslysendsICMPerrorindicationsbacktothe

AP.These

ICMPmessagescanaffectnetworkandAPperformance.