User's Manual

Administration
Packet Capture
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 94
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
When the remote capture mode is in use, the AP does not store any captured data
locally in its file system.
You can trace up to five interfaces on the AP at the same time. However, you must
start a separate Wireshark session for each interface. You can configure the IP
port number used for connecting Wireshark to the AP. The default port number is
2002. The system uses five consecutive port numbers, starting with the
configured port for the packet capture sessions.
If a firewall is installed between the Wireshark PC and the AP, these ports must be
allowed to pass through the firewall. The firewall must also be configured to allow
the Wireshark PC to initiate a TCP connection to the AP.
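The firewall requirement above, as an added example that is not part of the Cisco manual: a shell script that derives the five-port range from the configured port and prints iptables rules allowing only the Wireshark PC to open TCP connections to the AP. The use of iptables, the FORWARD chain and the PC address 192.168.1.50 are assumptions; the AP address and ports are the ones used on this page.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules for a firewall that sits
# between the Wireshark PC and the AP. Chain name and PC address are assumptions.

SESSIONS=5   # the AP uses five consecutive ports, starting at the configured one

# capture_port_range BASE -> prints "FIRST:LAST"; fails on an unusable base port
capture_port_range() {
    base=$1
    case $base in
        ''|0*|*[!0-9]*|??????*)
            echo "invalid port: $base" >&2; return 1 ;;
    esac
    last=$((base + SESSIONS - 1))
    # A base port above 65531 would push the last session port past 65535.
    if [ "$last" -gt 65535 ]; then
        echo "port range $base-$last exceeds 65535" >&2
        return 1
    fi
    echo "$base:$last"
}

# capture_fw_rules PC_IP AP_IP [BASE_PORT]   (BASE_PORT defaults to 2002)
capture_fw_rules() {
    pc=$1
    ap=$2
    range=$(capture_port_range "${3:-2002}") || return 1
    # Only the Wireshark PC may initiate connections to the capture ports.
    echo "-A FORWARD -p tcp -s $pc -d $ap --dport $range -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    # Return traffic from the AP for sessions that are already established.
    echo "-A FORWARD -p tcp -s $ap -d $pc --sport $range -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # Any other host reaching the capture ports is dropped.
    echo "-A FORWARD -p tcp -d $ap --dport $range -j DROP"
}

# Constructed sample: PC 192.168.1.50, AP 192.168.1.10, default port 2002.
capture_fw_rules 192.168.1.50 192.168.1.10
```

The printed lines are in iptables-restore rule syntax; review them against the existing ruleset before loading, since rule order decides which one matches.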
To configure Wireshark to use the AP as the source for captured packets, you must
specify the remote interface in the "Capture Options" menu. For example, to
capture packets on an AP with IP address 192.168.1.10 on radio 1 using the default
IP port, specify the following interface:
rpcap://192.168.1.10/radio1
To capture packets on the Ethernet interface of the AP and VAP0 on radio 1 using
IP port 58000, start two Wireshark sessions and specify the following interfaces:
rpcap://192.168.1.10:58000/eth0
rpcap://192.168.1.10:58000/wlan0
When you are capturing traffic on the radio interface, you can disable beacon
capture, but other 802.11 control frames are still sent to Wireshark. You can set up
a display filter to show only:
• Data frames in the trace
• Traffic on specific BSSIDs
• Traffic between two clients
Some examples of useful display filters are:
• Exclude beacons and ACK/RTS/CTS frames:
  !(wlan.fc.type_subtype == 8 || wlan.fc.type == 1)
• Data frames only:
  wlan.fc.type == 2
• Traffic on a specific BSSID:
  wlan.bssid == 00:02:bc:00:17:d0