Saturday, January 9, 2016

Wi-Fi off-the-air packet capture using Aerohive APs

I am sure you have seen many articles about how to use a Cisco AP as a Wi-Fi sniffer, airmon-ng with an Alfa AWUS051NH, or the MacBook wireless diagnostics tool. It seems that not many people use the Aerohive APs' remote pcap feature, a fantastic tool that captures frames on the AP and forwards them directly to Wireshark.

*** Use a newer AP such as the AP121, AP130, AP230, AP330 or AP370.

You need a Windows PC with Wireshark, since only WinPcap supports the remote capture function. If you already have an Aerohive deployment, just find the AP and enable the remote sniffer from HiveManager:

If you want to use an AP as a standalone sniffer, power it with a 12V 2A power adaptor, connect it directly to a Windows PC with an Ethernet cable, and follow the instructions below:

1) Connect a Cisco console cable to the AP and monitor the console output while pressing and holding the reset button.

2) Log in with the default username/password (admin/aerohive) and set an IP address:

interface mgt0 ip 192.168.100.2/24

3) Enable the remote sniffer:

AH-016e80#exec capture remote-sniffer promiscuous
sniffer device eth0sniffer started.
sniffer device eth1sniffer started.

AH-016e80#

4) Set the radio channel you want to listen to:

AH-016e80#interface wifi0 radio channel 6     --> sets the 2.4 GHz channel
AH-016e80#
AH-016e80#interface wifi1 radio channel 36    --> sets the 5 GHz channel

AH-016e80#

5) Connect the AP to the Windows PC with an Ethernet cable.

6) Set a static IP on the PC in the same subnet as the AP's IP address.

7) Start the capture from Wireshark. These steps are the same whether the remote sniffer was enabled from the command line interface or from HiveManager:

Start the capture:
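As an added example (not code from the original post or from Aerohive), the Python script below builds the console commands from steps 2 to 4, refuses a channel the chosen radio cannot tune to, picks a PC address for step 6, and pushes the commands over a pyserial-style console transport. It assumes, as the post states, that wifi0 is the 2.4 GHz radio and wifi1 the 5 GHz radio; the FakeConsole class is a constructed stand-in for the serial console.

```python
import ipaddress

# Channels each radio can tune to (common US channel lists; regulatory sets vary).
CHANNELS_24GHZ = set(range(1, 15))
CHANNELS_5GHZ = {36, 40, 44, 48, 52, 56, 60, 64, *range(100, 145, 4), 149, 153, 157, 161, 165}
# Assumption, as the post states: wifi0 is the 2.4 GHz radio, wifi1 the 5 GHz radio.
RADIO_BAND = {"wifi0": CHANNELS_24GHZ, "wifi1": CHANNELS_5GHZ}


def build_sniffer_config(mgt_ip: str, channels: dict) -> list:
    """Return the CLI lines from steps 2-4 for the given mgt0 address and a
    {radio: channel} map, refusing a channel the radio cannot tune to."""
    mgt = ipaddress.ip_interface(mgt_ip)  # raises ValueError on a malformed address
    if mgt.network.prefixlen == mgt.max_prefixlen:
        raise ValueError("mgt0 needs a prefix length, e.g. 192.168.100.2/24")
    lines = [f"interface mgt0 ip {mgt.with_prefixlen}",
             "exec capture remote-sniffer promiscuous"]
    for radio, chan in channels.items():
        if radio not in RADIO_BAND:
            raise ValueError(f"unknown radio {radio}")
        if chan not in RADIO_BAND[radio]:
            raise ValueError(f"channel {chan} is not valid on {radio}")
        lines.append(f"interface {radio} radio channel {chan}")
    return lines


def pc_static_ip(mgt_ip: str) -> str:
    """Step 6: first usable address in the AP's subnet that is not the AP's own."""
    mgt = ipaddress.ip_interface(mgt_ip)
    for host in mgt.network.hosts():
        if host != mgt.ip:
            return f"{host}/{mgt.network.prefixlen}"
    raise ValueError("no free host address in the AP's subnet")


def push_config(transport, lines, prompt=b"#"):
    """Send each line over a console-like transport (a pyserial Serial or any object
    with write() and read_until()), wait for the prompt, and return what came back."""
    replies = []
    for line in lines:
        transport.write(line.encode() + b"\r\n")
        replies.append(transport.read_until(prompt).decode(errors="replace"))
    return replies


class FakeConsole:
    """Constructed stand-in for the serial console, so this runs offline."""
    def __init__(self, prompt=b"AH-016e80#"):
        self.prompt, self.received = prompt, []
    def write(self, data):
        self.received.append(data.decode().strip())
    def read_until(self, expected):
        return self.prompt
```

To drive a real AP, pass a pyserial Serial opened on the console port instead of FakeConsole. WinPcap's rpcap remote capture listens on TCP port 2002 by default, so that is the port to expect on the AP's mgt0 address once the sniffer is running (assumption: Aerohive keeps that default).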
