12/12/2023
Wireshark capture filter rdp

How to capture frames in Wireshark on a network with WPA2 Enterprise and AP in FlexConnect using MacBook

Lab setup:
– SW2 with AP, trunk towards the AP carrying vlan 1716 (AP management) and vlan 2000 (flex WLAN), 1716 as native vlan
– SW2, all vlans allowed on all trunk ports
– Router, two LAN sub-interfaces with an internal DHCP server for both, NAT towards the internet
– FreeRADIUS server, configured for EAP-PEAP with EAP-MSCHAPv2 as the inner method
– WLC (authenticator): WLAN with WPA2-AES and 802.1X, access point in FlexConnect with native vlan 1716 and the flex WLAN mapped to vlan 2000
– MAC address of the client wifi NIC: 5c:51:81:22:4d:a1

The traffic flow in this network is as follows.

Phase 1: Establish the 802.11 data link: probe request/response, authentication and association between the client and the AP.

Phase 2: Starts with the authenticator (WLC) sending an EAP Request/Identity to the supplicant (client) and the supplicant responding. The virtual uncontrolled port on the authenticator opens and allows EAP traffic through (the red line). An important part of this process is the traffic between the authenticator and the authentication server (the blue line).
Part 1 is the authentication of the client. It ends with an Access-Accept from the authentication server to the authenticator and an EAP-Success from the authenticator to the supplicant.
Part 2 is the creation of the crypto keys (the 4-way handshake). When the last message (message 4 of 4) is acknowledged, the virtual controlled port on the authenticator opens and traffic from the client flows directly to the router in the flex vlan.

Phase 3: The supplicant (client) is authenticated and the crypto keys are generated. The client can now start the DHCP process, and all its traffic flows in the FlexConnect vlan directly to the router (the green line).

To see the whole process we have to capture the traffic at three points:
– between the wireless client (client) and the access point (AP), in the air
– between the AP and the controller (WLC)
– between the client and the router once the client is authenticated and the crypto keys are generated (ordinary traffic)

To manage that we capture in the air and at SW1 ports g1/0/14 and g1/0/28.

I am using Cisco equipment, so it is possible to use SPAN ports (port mirroring). Some switches will not pass the vlan tags on a SPAN port by default, so I had to configure it:
– monitor session 1 source interface g1/0/14, g1/0/28
– monitor session 1 destination interface g1/0/3 encapsulation replicate

To capture the wireless frames I am using a MacBook Pro and Airtool from Adrian Granados.
– MacBook connected to SW1, g1/0/3, via the ethernet port
– The client wifi NIC either deactivated or connected to another SSID
It is also best to "forget" the SSID on the client, so that we are sure the client has to go through the whole 802.1X EAP process.

Capture:
– Start the capture in Wireshark on your ethernet port
– Start the wireless capture in Airtool on the channel your SSID is transmitting on
– Activate the wifi on your client, connect to the FlexConnect SSID and log on with your username and password
– Wait until the wireless client is connected

Airtool will automatically save the capture on your desktop. Save your wired capture from Wireshark to the desktop.
Clear your window in Wireshark with File/Close.
Drag the two captures from the Desktop into Wireshark.

Now the two captures are merged, and since they both use the same clock from the MacBook all the frames end up in the correct order. With our setup the merged capture will contain the same transmission several times, once from each capture point it passed.
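The merge-and-check logic behind the procedure above, as an added example that is not from the original page or the Wireshark wiki: it orders an air capture and a wired (SPAN) capture on their shared MacBook clock, filters one client across all three capture points, and reports whether the flow went through the phases in the right order. The client MAC is the one from the page; the frames themselves are constructed sample records standing in for pcapng packets (timestamps are assumed, and the CAPWAP encapsulation on the AP-to-WLC leg is left out), and the function names are mine.

```python
# Added example, not from the original page or the Wireshark wiki: merge the
# Airtool (air) and Wireshark (SPAN) captures on their shared MacBook clock and
# walk the client through the three phases described above. Frames are small
# records standing in for pcapng packets; both capture lists are constructed
# sample data (assumed timestamps, CAPWAP encapsulation on the AP-WLC leg left
# out), not frames from a real lab.
from dataclasses import dataclass

CLIENT_MAC = "5c:51:81:22:4d:a1"  # wifi-nic MAC from the page


@dataclass(frozen=True)
class Frame:
    ts: float          # seconds on the MacBook clock, shared by both captures
    capture: str       # "air" (Airtool) or "wired" (Wireshark on g1/0/3)
    proto: str         # simplified protocol column
    info: str          # simplified info column
    addrs: tuple = ()  # wlan/eth addresses visible in the frame header


AIR = [  # constructed sample of the Airtool capture
    Frame(0.010, "air", "802.11", "Probe Request", (CLIENT_MAC,)),
    Frame(0.012, "air", "802.11", "Probe Response", (CLIENT_MAC,)),
    Frame(0.050, "air", "802.11", "Authentication", (CLIENT_MAC,)),
    Frame(0.055, "air", "802.11", "Association Request", (CLIENT_MAC,)),
    Frame(0.058, "air", "802.11", "Association Response", (CLIENT_MAC,)),
    Frame(0.100, "air", "EAP", "Request, Identity", (CLIENT_MAC,)),
    Frame(0.105, "air", "EAP", "Response, Identity", (CLIENT_MAC,)),
    Frame(0.400, "air", "EAP", "Success", (CLIENT_MAC,)),
    Frame(0.410, "air", "EAPOL", "Key (Message 1 of 4)", (CLIENT_MAC,)),
    Frame(0.415, "air", "EAPOL", "Key (Message 2 of 4)", (CLIENT_MAC,)),
    Frame(0.420, "air", "EAPOL", "Key (Message 3 of 4)", (CLIENT_MAC,)),
    Frame(0.425, "air", "EAPOL", "Key (Message 4 of 4)", (CLIENT_MAC,)),
]
WIRED = [  # constructed sample of the SPAN capture (g1/0/14 and g1/0/28)
    # blue line: WLC <-> FreeRADIUS; the client MAC is only inside the RADIUS
    # attributes (Calling-Station-Id), not in the Ethernet header
    Frame(0.110, "wired", "RADIUS", "Access-Request"),
    Frame(0.120, "wired", "RADIUS", "Access-Challenge"),
    Frame(0.390, "wired", "RADIUS", "Access-Accept"),
    # green line: client <-> router in vlan 2000, only after the controlled port opened
    Frame(0.600, "wired", "DHCP", "DHCP Discover", (CLIENT_MAC,)),
    Frame(0.605, "wired", "DHCP", "DHCP Offer", (CLIENT_MAC,)),
]


def merge_captures(*captures):
    """What Wireshark does when both files are dropped on it (mergecap does the
    same): order every frame by timestamp. Only correct because both files were
    written against one clock."""
    return sorted((f for c in captures for f in c), key=lambda f: f.ts)


def client_filter(mac=CLIENT_MAC):
    """Wireshark display filter isolating one client across all three capture
    points. RADIUS is kept unconditionally, see client_frames()."""
    return f"wlan.addr == {mac} || eth.addr == {mac} || radius"


def client_frames(frames, mac=CLIENT_MAC):
    """Python equivalent of client_filter(): filtering on the client MAC alone
    would drop the blue line, because those frames are addressed WLC <-> RADIUS."""
    return [f for f in frames if mac in f.addrs or f.proto == "RADIUS"]


def phase_of(frame):
    """Map a frame to the phase it belongs to in the description above."""
    if frame.proto == "802.11":
        return 1
    if frame.proto in ("EAP", "EAPOL", "RADIUS"):
        return 2
    return 3


def check_flow(frames):
    """Walk a merged, client-filtered capture and report the milestones of the
    802.1X flow. data_before_handshake counts client data frames seen before
    message 4 of 4, i.e. traffic that passed the controlled port too early."""
    findings = {"access_accept_ts": None, "eap_success_ts": None,
                "handshake_done": False, "data_before_handshake": 0}
    seen_msgs = set()
    for f in frames:
        if f.proto == "RADIUS" and f.info == "Access-Accept":
            findings["access_accept_ts"] = f.ts
        elif f.proto == "EAP" and f.info == "Success":
            findings["eap_success_ts"] = f.ts
        elif f.proto == "EAPOL" and "Message " in f.info:
            seen_msgs.add(int(f.info.split("Message ")[1][0]))
            findings["handshake_done"] = seen_msgs == {1, 2, 3, 4}
        elif phase_of(f) == 3 and not findings["handshake_done"]:
            findings["data_before_handshake"] += 1
    acc, suc = findings["access_accept_ts"], findings["eap_success_ts"]
    # EAP-Success is only legitimate once the server has sent Access-Accept
    findings["eap_success_after_accept"] = acc is not None and suc is not None and suc > acc
    return findings


if __name__ == "__main__":
    merged = client_frames(merge_captures(AIR, WIRED))
    for f in merged:
        print(f"{f.ts:6.3f} {f.capture:5} phase {phase_of(f)} {f.proto:7} {f.info}")
    print(check_flow(merged))
    print("display filter:", client_filter())
```

The same timestamp merge can be done from the command line with `mergecap -w merged.pcapng wired.pcapng air.pcapng`; if the two captures had come from different machines, the clocks would first have to be aligned with `editcap -t <seconds>` on one of the files. Note also that the data frames in the air capture stay encrypted (the PMK is derived from the EAP session and never appears on the wire), so the readable copy of the client's DHCP and ordinary traffic is the one the SPAN port delivers from the flex vlan.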