This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture connected devices data and access point data

0

Hi,

We are running Wireshark on a network switch that manages a Wi-Fi network made out of several Access Points.

We are interested in finding packet information on Wireshark to allow us to trace the access point being used by each connected device. We are not interested in knowing the traffic they generate, only which devices are connected, where and for how long.

We work in a large campus and the requirement is to find out where people are connected at any given time.

Thanks for your help.

asked 15 Feb '17, 22:08


Xavier
6112
accept rate: 0%


One Answer:

1

This is best left to specific tools for the job, such as Cisco's Prime Infrastructure software suite. Other large vendors have similar tools - try Aruba/HP's Airwave tool, or Extreme Networks Management Center.

You don't describe the architecture so it really is not clear how you would deploy a packet sniffer solution to get at the information you need. At the lowest level, if they are just a bunch of standalone APs then you would need to capture data from each one - I guess you could link traffic to/from a particular AP based on physical port, so you might need one port mirror or tap per AP. Perhaps you are routing so would consider grabbing all the data to/from the router (say if you implemented a 'router on a stick' type network) but if these are just basic wireless bridges, you would lose which data came from which AP. I guess you could have separate VLANs for each AP and could track that way - with a different subnet/DHCP server on each VLAN you would know then by DHCP logs who is where, but at this point you are just moving the problem. I have been to facilities with 1000s of APs - I would not enjoy setting up infrastructure in this way.

If you have a wireless controller (which you should really have if you have a large campus and more than a handful of access points), it may give you some of the information you are looking for already in the monitoring section of the config tool (maybe https or CLI based, whatever). Probably not as good or as rich a data set as you get with the network managers, but still probably easier to implement than with a packet capture system. For instance, you can probably get which device is connected where at this instant, but there would be no historical capability. With the management tools, they can give you history so you can see number of devices, which band, how much throughput, etc., throughout a period of time. Quite valuable as a whole, and then of course you get the individual device level as well - what was the throughput, signal strength, connected AP, etc., for this specific device over the past 15 days? Helps with troubleshooting.

If you had a large campus, it is unlikely that each AP is terminated at the same switch. Usually cat5/6 cable run limits require that APs be placed on the edge, which would further complicate data gathering through a sniffer mechanism. I guess Remote SPAN and similar concepts could be used, but with the proliferation of 802.11ac technologies, at some point you will run out of wired bandwidth if you are going to tunnel all wifi traffic back to a single location.

answered 16 Feb '17, 03:22


Bob Jones
1.0k2515
accept rate: 21%
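The per-AP VLAN and DHCP-log approach sketched in the answer, worked through as an added example (not part of the answer or of any Wireshark tooling): a small Python script that turns DHCP lease log lines into client-on-AP sessions with start and end times, which is the "who, where, for how long" view the question asks for. The subnet-to-AP table, the dnsmasq-style log format and all addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Assumed design (not from the page): one VLAN/subnet per AP, so the leased
# address tells you which AP the client associated through.
SUBNET_TO_AP = {
    ipaddress.ip_network("10.10.1.0/24"): "ap-library-1",
    ipaddress.ip_network("10.10.2.0/24"): "ap-cafeteria-1",
}

# Constructed dnsmasq-style syslog lines: a laptop renews on one AP, roams to
# another, and a phone explicitly releases its lease.
SAMPLE_LOG = """\
Feb 16 08:01:10 dhcp dnsmasq-dhcp[123]: DHCPACK(eth0.101) 10.10.1.23 aa:bb:cc:dd:ee:01 laptop-01
Feb 16 08:05:42 dhcp dnsmasq-dhcp[123]: DHCPACK(eth0.102) 10.10.2.40 aa:bb:cc:dd:ee:02 phone-02
Feb 16 09:30:00 dhcp dnsmasq-dhcp[123]: DHCPACK(eth0.101) 10.10.1.23 aa:bb:cc:dd:ee:01 laptop-01
Feb 16 09:45:05 dhcp dnsmasq-dhcp[123]: DHCPACK(eth0.102) 10.10.2.77 aa:bb:cc:dd:ee:01 laptop-01
Feb 16 10:00:00 dhcp dnsmasq-dhcp[123]: DHCPRELEASE(eth0.102) 10.10.2.40 aa:bb:cc:dd:ee:02
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ "
    r"(?P<kind>DHCPACK|DHCPRELEASE)\(\S+\) (?P<ip>\S+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

def ap_for_ip(ip):
    """Map a leased address to the AP whose subnet handed it out."""
    addr = ipaddress.ip_address(ip)
    for net, ap in SUBNET_TO_AP.items():
        if addr in net:
            return ap
    return "unknown-ap"

def sessions_from_log(text, year=2017):
    """Return (mac, ap, start, end, closed) tuples, one per client-on-AP session."""
    open_sessions = {}  # mac -> [ap, start, last_seen]
    finished = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        mac, cur = m["mac"], open_sessions.get(m["mac"])
        if m["kind"] == "DHCPRELEASE":
            if cur:  # explicit release closes the session at release time
                finished.append((mac, cur[0], cur[1], ts, True))
                del open_sessions[mac]
            continue
        ap = ap_for_ip(m["ip"])
        if cur and cur[0] == ap:
            cur[2] = ts  # renewal on the same AP extends the session
        else:
            if cur:  # client roamed: close the old session at roam time
                finished.append((mac, cur[0], cur[1], ts, True))
            open_sessions[mac] = [ap, ts, ts]
    for mac, (ap, start, last) in open_sessions.items():
        finished.append((mac, ap, start, last, False))  # still connected at end of log
    return sorted(finished, key=lambda s: s[2])
```

Sessions that are still open when the log ends are reported with their last DHCPACK time as the end and `closed=False`, so a short lease time keeps that figure close to the real presence window.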

The one thing that I would add: If you HAVE to use a packet capturing tool to determine the connected clients, I would recommend using dumpcap instead of Wireshark.

https://www.wireshark.org/docs/man-pages/dumpcap.html

When capturing large amounts of packets for an extended period of time, there are some known limitations using Wireshark. In order to optimize system memory usage, the program tool dumpcap.exe, which accompanies the Wireshark installation, can be utilized.

(16 Feb '17, 07:15) Amato_C