Nortel Networks 2300 Switch User Manual


 
Appendix A: Troubleshooting a WSS 685
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Remotely monitoring traffic
Remote traffic monitoring enables you to snoop wireless traffic by using an AP as a sniffing device. The AP
copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer
such as Ethereal or Tethereal.
How remote traffic monitoring works
To monitor wireless traffic, an AP radio compares traffic sent or received on the radio to snoop filters applied
to the radio by the network administrator. When an 802.11 packet matches all conditions in a filter, the AP
encapsulates the packet in a Tazmen Sniffer Protocol (TZSP) packet and sends the packet to the observer host
IP addresses specified by the filter. TZSP uses UDP port 37008 for its transport. (TZSP was created by Chris
Waters of Network Chemistry.)
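As an added example (not part of the Nortel guide), the following Python decodes one TZSP datagram the way an observer listening on UDP port 37008 would see it: the 4-byte fixed header, the tagged fields, and the encapsulated 802.11 frame. The header layout and tag values follow the public TZSP format as dissected by Wireshark rather than anything stated in the guide, and the sample datagram and MAC address are constructed.

```python
import struct
# TZSP field values below follow the public format (Wireshark dissector), not the Nortel guide;
# only the UDP port is stated in the guide.
TZSP_UDP_PORT = 37008
ENCAP_IEEE_802_11 = 0x12            # encapsulated protocol value for raw 802.11 frames
TAG_PADDING, TAG_END = 0x00, 0x01   # the only tags that carry no length byte
TAG_NAMES = {0x0A: "raw_rssi", 0x0C: "data_rate", 0x12: "rx_channel"}
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

def parse_tzsp(datagram: bytes) -> dict:
    """Split one TZSP UDP payload into its fixed header, tagged fields and encapsulated frame."""
    if len(datagram) < 4:
        raise ValueError("shorter than the 4-byte TZSP header")
    version, pkt_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:                                   # walk the tag list until END
        if pos >= len(datagram):
            raise ValueError("tag list not terminated by END tag")
        tag, pos = datagram[pos], pos + 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tag length byte")
        length = datagram[pos]
        value = datagram[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError("truncated tag value")
        pos += 1 + length
        tags[TAG_NAMES.get(tag, f"tag_{tag:#04x}")] = value
    return {"type": pkt_type, "encap": encap, "tags": tags, "frame": datagram[pos:]}

def frame_summary(frame: bytes) -> dict:
    """Decode the Frame Control field and Address 1 of an encapsulated 802.11 frame."""
    if len(frame) < 10:
        raise ValueError("802.11 frame too short for Frame Control, Duration and Address 1")
    fc = frame[0]
    return {"type": FRAME_TYPES[(fc >> 2) & 0x3], "subtype": fc >> 4,
            "to_ds": bool(frame[1] & 0x01), "addr1": frame[4:10].hex(":")}

# Constructed sample: header (v1, type 0, 802.11), rx_channel=6, raw_rssi, padding, END, then a
# 24-byte 802.11 data-frame header (ToDS set, constructed MAC repeated three times) and a payload.
SAMPLE = (bytes([0x01, 0x00, 0x00, 0x12, 0x12, 0x01, 0x06, 0x0A, 0x01, 0xC4, 0x00, 0x01])
          + bytes([0x08, 0x01, 0x00, 0x00]) + bytes.fromhex("000c29aabbcc") * 3 + b"\x10\x00" + b"hello")

def decode_sample() -> dict:
    pkt = parse_tzsp(SAMPLE)
    pkt["summary"] = frame_summary(pkt["frame"]) if pkt["encap"] == ENCAP_IEEE_802_11 else None
    return pkt
```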
You can map up to eight snoop filters to a radio. A filter does not become active until you enable it. Filters and
their mappings are persistent and remain in the configuration following a restart. The filter state is also persistent
across restarts. Once a filter is enabled, if the switch or the AP is subsequently restarted, the filter remains
enabled after the restart. To stop using the filter, you must manually disable it.
Using snoop filters on radios that use Scheduled RF Scanning
When Scheduled RF Scanning is enabled in a radio profile, the radios that use the profile actively scan other
channels in addition to the data channel that is currently in use. Scheduled RF Scanning operates on enabled
radios and disabled radios. In fact, using a disabled radio as a dedicated scanner provides better rogue
detection because the radio can spend more time scanning on each channel.
When a radio is scanning other channels, snoop filters that are active on the radio also snoop traffic on the
other channels. To prevent monitoring of data from other channels, use the channel option when you
configure the filter, to specify the channel on which you want to snoop.
All snooped traffic is sent in the clear
Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear) version is sent to the
observer.
Best practices for remote traffic monitoring
Do not specify an observer that is associated with the AP where the snoop filter is running. This
configuration causes an endless cycle of snoop traffic.
If the snoop filter is running on an AP, and the AP used a DHCP server in its local subnet to configure its
IP information, and the AP did not receive a default router (gateway) address as a result, the observer
must also be in the same subnet. Without a default router the AP cannot reach the observer.
The AP that is running a snoop filter forwards snooped packets directly to the observer. This is a one-way
communication, from the AP to the observer. If the observer is not present, the AP still sends the snoop
packets, which use bandwidth. If the observer is present but is not listening to TZSP traffic, the observer
continuously sends ICMP error indications back to the AP. These ICMP messages can affect network and
AP performance.