Troubleshooting Packet sniffer

Packet sniffer

Capturing the traffic between the controller and the FortiAP can help you identify most FortiAP and client connection issues.

This section describes the following recommended packet sniffing techniques:

l CAPWAP packet sniffer l Wireless traffic packet sniffer

CAPWAP packet sniffer

The first recommended technique consists of sniffing the CAPWAP traffic.

  • Enable plain control on the controller and on the FortiAP to capture clear control traffic on UDP port 5246.
  • On the controller: diagnose wireless-controller wlac plain-ctl <FortiAP_serial_number> 1

Result:

WTP 0-FortiAP2223X11000107 Plain Control: enabled l On the FortiAP: cw_diag plain-ctl 1

Result:

Current Plain Control: enabled

Note that some issues are related to the keep-alive for control and data channel.

  • Data traffic on UDP port 5247 is not encrypted. The data itself is encrypted by the wireless security mechanism.

Data traffic is helpful to troubleshoot most of the issues related to station association, EAP authentication, WPA key exchange, roaming, and FortiAP configuration.

You can also set up a host or server to which you can forward the CAPWAP traffic:

  1. Configure the host/server to which CAPWAP traffic is forwarded: diagnose wireless-controller wlac sniff-cfg <Host_IP_address> 88888

Result:

Current Sniff Server: 192.168.25.41, 23352

  1. Choose which traffic to capture, the interface to which the FortiAP is connected, and the FortiAP’s serial number: diagnose wireless-controller wlac sniff <interface_name> <FortiAP_serial_number> 2

Result:

Packet sniffer

WTP 0-FortiAP2223X11000107 Sniff: intf port2 enabled (control and data message)

In the above syntax, the ‘2’ captures the control and data message—’1′ would capture only the control message, and ‘0’ would disable it.

  1. Run Wireshark on the host/server to capture CAPWAP traffic from the controller. l Decode the traffic as IP to check inner CAPWAP traffic.

Example CAPWAP packet capture

The following image shows an example of a CAPWAP packet capture, where you can see: the Layer 2 header; the sniffed traffic encapsulated into Internet Protocol for transport; CAPWAP encapsulated into UDP for sniffer purpose and encapsulated into IP; CAPWAP control traffic on UDP port 5246; and CAPWAP payload.

Wireless traffic packet sniffer

The second recommended technique consists of sniffing the wireless traffic directly ‘on the air’ using your FortiAP.

Wireless traffic packet capture

Packet captures are useful for troubleshooting all wireless client related issues because you can verify data rate and 802.11 parameters, such as radio capabilities, and determine issues with wireless signal strength, interference, or congestion on the network.

A radio can only capture one frequency at a time; one of the radios is set to sniffer mode depending on the traffic or channel required. You must use two FortiAPs to capture both frequencies at the same time. l Set a radio on the FortiAP to monitor mode.

Packet sniffer

iwconfig wlan10

Result:

wlan10 IEEE 802.11na    ESSID:””

Mode:Monitor Frequency:5.18 GHz Access Point: Not-Associated l The capture file is stored under the temp directory as wl_sniff.pcap

/tmp/wl_sniff.cap

  • Remember that the capture file is only stored temporarily. If you want to save it, upload it to a TFTP server before rebooting or changing the radio settings. l The command cp wl_sniff.cap newname.pcap allows you to rename the file.
  • Rather than TFTP the file, you can also log in to the AP and retrive the file via the web interface. Move the file

using the command: mv name /usr/www

You can verify the file was moved using the command cd/usr/www and then browsing to: <fortiAP_

IP>/filename

Syntax

The following syntax demonstrates how to set the radio to sniffer mode (configurable from the CLI only). Sniffer mode provides options to filter for specific traffic to capture. Notice that you can determine the buffer size, which channel to sniff, the AP’s MAC address, and select if you want to sniff the beacons, probes, controls, and data channels.

configure wireless-controller wtp-profile edit <profile_name> configure <radio> set mode sniffer set ap-sniffer-bufsize 32 set ap-sniffer-chan 1 set ap-sniffer-addr 00:00:00:00:00:00 set ap-sniffer-mgmt-beacon enable set ap-sniffer-mgmt-probe enable set ap-sniffer-mgmt-other enable set ap-sniffer-ctl enable set ap-sniffer-data enable

end

end

Once you’ve performed the previous CLI configuration, you’ll be able to see the packet sniffer mode selected in the GUI dashboard under WiFi & Switch Controller > FortiAP Profiles and WiFi & Switch Controller > Managed FortiAPs. Bear in mind that if you change the mode from the GUI, you’ll have to return to the CLI to re-enable the Sniffer mode.

To disable the sniffer profile in the CLI, use the following commands:

config wireless-controller wtp-profile edit <profile_name> config <radio> set ap-sniffer-mgmt-beacon disable set ap-sniffer-mgmt-probe disable set ap-sniffer-mgmt-other disable set ap-sniffer-ctl disable set ap-sniffer-data disable end

Useful debugging commands

end

Example AP packet capture

The following image shows an example of the AP packet capture. Note the capture header showing channel 36; the beacon frame; the source, destination, and BSSID of the beacon frame; and the SSID of the beacon frame.

This entry was posted in Administration Guides, FortiAP, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.