In this post, we will explore how to configure a Cisco 9115 Access Point to capture wireless traffic. Performing captures can be challenging for Windows users, as most built-in network cards do not support monitor mode for sniffing. In many cases, an external card and a protocol analyzer like Wireshark are required.

For this exercise, we will use a pair of Cisco 9115 Access Points. One of them will be used to monitor wireless frames, and the other will provide service to our client.

The Access Points and the computer with Wireshark are in the same network segment. The computer is connected via a switch port in access mode to the same VLAN as the APs.

The first task is to configure the role of our Access Point in sniffer mode. To do this, follow these steps:

1. Navigate to Configuration –> Access Points –> All Access Points.
2. Select the desired AP.

Once you click on the AP, the following window will open. Choose the operating mode as «Sniffer.»

Next, go to the 5 GHz section, where you can configure the channel to monitor, its bandwidth, and the IP address of your sniffer (the computer with Wireshark). It is essential to enable the «Enable Sniffing» option. In this example, we will use channel 36.

The next step is to open Wireshark on your PC and start receiving wireless traffic. In this case, I have selected my Ethernet dongle as the monitoring interface.

As observed on the screen, we only see UDP 555 traffic. To begin viewing wireless traffic, we need to decode this traffic. Follow these steps:

1. Click on a UDP 5555 packet.
2. Right-click.
3. Select «Decode As.»
4. In the «Current» column, select «PEEKREMOTE.»

With this change, we will start seeing our 802.11 packets in our capture.