Figure 56 - Remote Packet Capture - D-Link DWL-2600AP Administrator's Manual
Unified Access Point Administrator's Guide
To capture packets on the Ethernet interface of the AP and on VAP0 of radio 1, with the remote-capture IP port set to 58000, start two Wireshark
sessions and specify the following rpcap interfaces:
rpcap://192.168.1.10:58000/eth0
rpcap://192.168.1.10:58000/wlan0
When you are capturing traffic on the radio interface, you can disable beacon capture, but the other 802.11 management and control frames
are still sent to Wireshark. You can set up a display filter to show only:
•) Data frames in the trace.
•) Traffic on specific BSSIDs.
•) Traffic between two clients.
Some examples of useful display filters are:
•) Exclude beacons and all control frames (ACK, RTS, CTS and the other type-1 frames):
!(wlan.fc.type_subtype == 8 || wlan.fc.type == 1)
•) Data frames only:
wlan.fc.type == 2
•) Traffic on a specific BSSID:
wlan.bssid == 00:02:bc:00:17:d0
•) All traffic to and from a specific client:
wlan.addr == 00:00:e8:4e:5f:8e
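To see what those four display filters actually test, the following added example (not from the D-Link manual) parses the 802.11 MAC header of a handful of constructed frames and applies the same predicates Wireshark evaluates: wlan.fc.type_subtype is (type << 4) | subtype, wlan.bssid comes from the address field selected by the To DS/From DS bits, and wlan.addr matches any address field. The AP and client MACs are the ones from the filters above; the second AP and second client are made-up addresses.

```python
"""Minimal 802.11 MAC-header parser plus the manual's four display filters,
run over constructed frames (no real capture is read).

Wireshark's wlan.fc.type_subtype is (type << 4) | subtype, so a beacon
(management type 0, subtype 8) is 8, an ACK (control type 1, subtype 13)
is 0x1d, and plain data (type 2, subtype 0) is 0x20.
"""
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class Frame:
    ftype: int            # 0 = management, 1 = control, 2 = data
    subtype: int
    to_ds: bool
    from_ds: bool
    addr1: str
    addr2: Optional[str]  # absent on ACK/CTS (10-byte header)
    addr3: Optional[str]  # absent on RTS as well

    @property
    def type_subtype(self) -> int:
        return (self.ftype << 4) | self.subtype

    @property
    def bssid(self) -> Optional[str]:
        # Address-field table from IEEE 802.11: which field is the BSSID
        # depends on the DS bits; 4-address WDS frames carry no BSSID.
        if not self.to_ds and not self.from_ds:
            return self.addr3
        if self.to_ds and not self.from_ds:
            return self.addr1
        if self.from_ds and not self.to_ds:
            return self.addr2
        return None

    @property
    def addrs(self):
        return [a for a in (self.addr1, self.addr2, self.addr3) if a]


def parse(raw: bytes) -> Frame:
    fc, flags = raw[0], raw[1]          # frame control, little-endian
    ftype = (fc >> 2) & 0x3             # bits 2-3
    subtype = (fc >> 4) & 0xF           # bits 4-7
    to_ds = bool(flags & 0x01)
    from_ds = bool(flags & 0x02)
    addr1 = bytes_to_mac(raw[4:10])     # after 2-byte duration field
    addr2 = bytes_to_mac(raw[10:16]) if len(raw) >= 16 else None
    addr3 = bytes_to_mac(raw[16:22]) if len(raw) >= 22 else None
    return Frame(ftype, subtype, to_ds, from_ds, addr1, addr2, addr3)


def build(ftype, subtype, addr1, addr2=None, addr3=None,
          to_ds=False, from_ds=False) -> bytes:
    """Constructed bare MAC header (no body, no FCS) used as sample input."""
    fc = (ftype << 2) | (subtype << 4)  # protocol version 0
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    hdr = bytes([fc, flags]) + b"\x00\x00" + mac_to_bytes(addr1)
    if addr2:
        hdr += mac_to_bytes(addr2)
    if addr3:
        hdr += mac_to_bytes(addr3) + b"\x00\x00"  # sequence control
    return hdr


# The manual's display filters, expressed over parsed frames.
def not_beacon_or_control(f):   # !(wlan.fc.type_subtype == 8 || wlan.fc.type == 1)
    return not (f.type_subtype == 8 or f.ftype == 1)


def data_only(f):               # wlan.fc.type == 2
    return f.ftype == 2


def on_bssid(f, bssid):         # wlan.bssid == <bssid>
    return f.bssid == bssid


def involves(f, mac):           # wlan.addr == <mac>, any address field
    return mac in f.addrs


AP = "00:02:bc:00:17:d0"            # BSSID from the manual's filter
CLIENT = "00:00:e8:4e:5f:8e"        # client from the manual's filter
OTHER_AP = "00:11:22:33:44:55"      # assumed, not from the manual
OTHER_CLIENT = "00:aa:bb:cc:dd:ee"  # assumed, not from the manual

# Constructed sample of what the radio interface forwards to Wireshark.
SAMPLE = {
    "beacon":     build(0, 8, BROADCAST, AP, AP),
    "probe_req":  build(0, 4, BROADCAST, CLIENT, BROADCAST),
    "ack":        build(1, 13, CLIENT),
    "data_up":    build(2, 0, AP, CLIENT, OTHER_CLIENT, to_ds=True),
    "data_other": build(2, 8, OTHER_CLIENT, OTHER_AP, CLIENT, from_ds=True),
}


def run_filter(pred, frames=SAMPLE):
    """Names of the frames that a display filter would keep."""
    return [name for name, raw in frames.items() if pred(parse(raw))]


if __name__ == "__main__":
    print("no beacons/control:", run_filter(not_beacon_or_control))
    print("data only:         ", run_filter(data_only))
    print("on BSSID AP:       ", run_filter(lambda f: on_bssid(f, AP)))
    print("client traffic:    ", run_filter(lambda f: involves(f, CLIENT)))
```

Note that the data frame served by the other BSSID still passes the wlan.addr filter because the client appears in its third address field, and that the ACK has no BSSID at all, so a BSSID filter silently drops the control frames that belong to the same exchange.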
In remote capture mode, the captured traffic is sent to the PC running Wireshark over one of the AP's own network interfaces. Depending on
where the Wireshark PC is located, that can be the Ethernet interface or one of the radios. Because the capture stream itself would otherwise
be captured again (each forwarded packet generating another packet to forward), the AP automatically installs a capture filter that excludes
all packets destined for the Wireshark application. For example, if the Wireshark IP port is configured as 58000, the following capture filter
is automatically installed on the AP:
not portrange 58000-58004
Enabling the packet capture feature reduces AP performance and creates a security exposure: unauthorized clients may be able to connect to the
AP's capture port and trace user data. The rpcap URLs above carry no credentials, and the captured traffic is sent to Wireshark in the clear, so
anyone who can reach the capture port can pull a live copy of user traffic; enable the feature only while you need it and only from a management
network you trust. AP performance is reduced even when no Wireshark session is connected, and reduced further while a capture is in progress.
Because of these performance and security issues, the packet capture mode is not saved in NVRAM on the AP: if the AP resets, capture mode is
disabled and you must re-enable it to resume capturing traffic. The other packet capture parameters (everything except the mode) are saved in NVRAM.
To minimize the performance impact on the AP while a capture is in progress, install capture filters that limit which traffic is sent to
Wireshark. When capturing 802.11 traffic, a large portion of the captured frames tend to be beacons (typically sent every 100 ms by every access
point in range). A Wireshark display filter for beacon frames only hides them on the PC; it does not stop the AP from forwarding them, and the
AP provides no capture filter for them. To reduce the cost of capturing 802.11 beacons, disable the capture-beacons mode on the AP instead.
The remote packet capture facility (rpcap) is a standard feature of the Wireshark tool for Windows.
Note: Remote packet capture is not standard on the Linux version of Wireshark; the Linux version does not work with the AP.
Wireshark is an open source tool and is available for free; it can be downloaded from http://www.wireshark.org.
The following table describes the fields to configure the packet capture status.
January 2015

Figure 56 - Remote Packet Capture

Section 7 - Maintaining the Access Point
Page 86