Cisco Systems WAP561AK9 Network Hardware User Manual


 
Administration
Packet Capture
Cisco Small Business WAP551 and WAP561 Wireless-N Access Point
In remote capture mode, traffic is sent to the computer running Wireshark through
one of the network interfaces. Depending on the location of the Wireshark tool, the
traffic can be sent on an Ethernet interface or one of the radios. To avoid a traffic
flood caused by tracing the packets, the WAP device automatically installs a
capture filter to filter out all packets destined for the Wireshark application. For
example, if the Wireshark IP port is configured to be 58000, then this capture filter
is automatically installed on the WAP device:
not portrange 58000-58004
Due to performance and security issues, the packet capture mode is not saved in
NVRAM on the WAP device; if the WAP device resets, the capture mode is
disabled and then you must reenable it to resume capturing traffic. Packet capture
parameters (other than mode) are saved in NVRAM.
Enabling the packet capture feature can create a security issue: Unauthorized
clients may be able to connect to the WAP device and trace user data. The
performance of the WAP device also is negatively impacted during packet
capture, and this impact continues to a lesser extent even when there is no active
Wireshark session. To minimize the performance impact on the WAP device during
traffic capture, install capture filters to limit which traffic is sent to the Wireshark
tool. When capturing 802.11 traffic, a large portion of the captured frames tends to
be beacons (typically sent every 100 ms by all APs). Although Wireshark supports
a display filter for beacon frames, it does not support a capture filter to prevent the
WAP device from forwarding captured beacon packets to the Wireshark tool. To
reduce the performance impact of capturing the 802.11 beacons, disable the
capture beacons mode.
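To see how much of a downloaded capture is beacon traffic before deciding whether to disable the capture beacons mode, the following added example (not part of the Cisco manual) counts beacon frames in a capture file. It assumes a classic pcap file with the radiotap link type (127); the function names are hypothetical and the sample capture is constructed inline.

```python
import struct

LINKTYPE_RADIOTAP = 127  # assumption: frames are radiotap header + 802.11 frame
ENDIAN = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # pcap magic as stored

def beacon_share(pcap_bytes):
    """Return (beacon_frames, total_frames) for a classic pcap byte string."""
    endian = ENDIAN.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != LINKTYPE_RADIOTAP:
        raise ValueError(f"unexpected link type {linktype}")
    offset, beacons, total = 24, 0, 0
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # last record cut short, e.g. an interrupted download
        offset += 16 + incl_len
        total += 1
        if len(frame) < 4:
            continue
        rt_len = struct.unpack("<H", frame[2:4])[0]  # radiotap is little-endian
        if rt_len >= len(frame):
            continue
        fc0 = frame[rt_len]  # first byte of the 802.11 Frame Control field
        frame_type, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
        if frame_type == 0 and subtype == 8:  # management frame, beacon subtype
            beacons += 1
    return beacons, total

def build_sample_pcap():
    """Constructed sample: 3 beacons, 1 data frame, 1 probe request."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)  # minimal 8-byte radiotap header
    for fc0 in (0x80, 0x80, 0x08, 0x80, 0x40):
        frame = radiotap + bytes([fc0, 0x00]) + bytes(22)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    b, t = beacon_share(build_sample_pcap())
    print(f"{b} of {t} captured frames are beacons")
```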
You can download a capture file by TFTP to a configured TFTP server, or by
HTTP(S) to a computer. A capture is automatically stopped when the capture file
download command is triggered.
Because the capture file is located in the RAM file system, it disappears if the WAP
device is reset.
To download a packet capture file using TFTP:
STEP 1 Select Use TFTP to download the capture file.
STEP 2 Enter the TFTP Server Filename to download if different from the default. By
default, the captured packets are stored in the file /tmp/apcapture.pcap on
the WAP device.
STEP 3 Specify a TFTP Server IPv4 Address in the field provided.