BRKEWN-3000

Analyzing and fixing Wi-Fi issues 

Cisco WLC tools and packet capture 

analysis techniques 

Jerome Henry, Technical Leader 

BRKEWN-3000

Agenda 

• Introduction: 

• WLC / AP Toolkit (wireshark, packet dump, sniffer mode) 

• Where to Capture, What to Capture (strategies for capturing from the cell) 

• Working with Wireshark (short Wireshark survival basics) 

• Statistical Analysis In Excel (Use Excell to detect behavioral patterns and 

spot issues visually) 

• Conclusion 

Demo files are at:

Troubleshooting Methods

Troubleshooting Methods 

A troubleshooting method is a guiding principle that determines how you 

move through the phases of the troubleshooting process. 

BRKEWN-3000 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

The “Shoot from the Hip” Method 

Quickly formulating a first hypothesis based on common problem causes 

and corresponding solutions can be very effective in the short run 


Divide and Conquer 

This method starts in the middle of the OSI model and moves up or down 

depending on results. 


Top Down Troubleshooting 

This method follows the layers of the OSI model starting from the Application 

Layer and moving down to the Physical Layer. 


Bottom Up Troubleshooting 

This method follows the layers of the OSI model starting from the Physical 

Layer and moving up to the Application Layer. 


Follow the Path 

Tracing the path of packets through the network eliminates irrelevant links 

and devices from the troubleshooting process. 


Where Are We Focusing? 

• This session focuses on the wireless 

space 

WLC, switch, 

rest of the universe 

• You may have gotten there through any 

troubleshooting method. 

AP 


WLC / AP Toolkit

Capturing Traffic – CA Wireshark 

To Analyze what is Wrong in the Air, your First Step is to See the Air 

• On Converged Access Switches, you can Wireshark directly from the switch 

• A Wireshark capture is called a “capture point” (what packets to capture, where to 

capture them from, what to do with the captured packets, and when to stop). 

• Capture points may be modified after creation and do not become active until explicitly 

turned on via a separate ‘start’ command. 

• A Capture point uses an attachment point (a point in the logical packet process path 

with which a capture point is associated): 

Interface type 

L2 port (physical port) 

L3 port (routed/physical port) 

VLAN 

L2 / L3 Etherchannel, Tunnels (GRE an others) 

SVI 

CAPWAP tunnel 

Wireless Client 

Wireless SSID 

Capture Supported 

Yes 

Yes 

Yes 

No 

Yes 

Yes 

Yes (via CAPWAP tunnel) 

Yes (via CAPWAP tunnel) 


Wireshark on CA Logic 

1. To use Wireshark, you have to define: 

• The attachment point (where you want to capture from) 

• Optionally, a capture filter (what should be captured from that attachment point, called 

“core filter”) 

• When capturing wireless traffic from an AP, do not use core filter 

• You can use core filter to capture traffic from a specific client 

• A destination (where do you send the captured packets) 

2. You then start/stop the capture, only one capture at a time 

• You can add destinations there too 

• You can also use display filters if you send to the console 

3. Most of the time, you then use the capture in a PC Wireshark 

• You can then use display filter there as well 


Wireshark Configuration Command Structure 

3850-B#monitor capture ? 

WORD Name of the Capture 

3850-B#monitor capture mycap2 ? 

access-list access-list to be attached 

buffer 

Buffer options 

class-map class name to attached 

clear 

Clear Buffer 

control-plane Control Plane 

export 

Export Buffer 

file 

Associated file attributes 

interface Interface 

limit 

Limit Packets Captured 

match 

Describe filters inline 

start 

Enable Capture 

stop 

Disable Capture 

vlan 

Vlan 

Attachment point 

Pick one or more 

Core filter Pick one only 

Destination Pick one only 

(but start can add another one) 


Wireshark on CA – Example Wireless Capture 

Let’s try to Capture all Traffic From One AP 

3850-T#monitor capture mycap1 interface capwap 0 ? 

both Inbound and outbound packets 

in Inbound packets 

out Outbound packets 

3850-T#monitor capture mycap1 interface capwap 0 in 

3850-T#monitor capture mycap1 file location flash:mycap.pcap 

3850-T#monitor capture mycap1 file buffer-size 1 

3850-T#monitor capture mycap1 start 

3850-T# 

*Nov 13 07:05:02.000: %BUFCAP-6-ENABLE: Capture Point mycap1 enabled. 

I just want to see what is received 

In MB, nice to have to limit flash overload 



Let’s try to Capture all Traffic From One AP 

3850-T#show monitor capture mycap1 parameter 

monitor capture mycap1 interface capwap 0 in 

monitor capture mycap1 file location flash:mycap.pcap buffer-size 1 

3850-T#dir flash: 

Directory of flash:/ 

…/… 

30979-rw- 32854 Jun 13 2016 07:10:24 +00:00 mycap.pcap 

3850-T#dir flash: 

Directory of flash:/ Growing = good! 

…/… 

30979-rw- 52707 Jun 13 2016 07:12:51 +00:00 mycap.pcap 

3850-T#monitor capture mycap1 stop 

3850-T# 

*Apr 13 07:14:16.100: %BUFCAP-6-DISABLE: Capture Point mycap1 disabled. 



You can check the file from the Console, but export is usually better 

3850-T#show monitor capture file flash:/mycap.pcap ? 

brief 

brief display 

detailed detailed disaply 

display-filter Display filter 

dump 

for dump 

Full hex dump 

| Output modifiers 

 

Just tell me what packets you saw 

3850-T#show monitor capture file flash:/mycap.pcap brief 

1 0.000000 00:00:00:00:00:00 -> 64:d9:89:46:ba:80 IEEE 802.11 Probe Request, SN=0, 

FN=0, Flags=........ 

2 5.053998 10.10.21.221 -> 10.10.21.2 DTLSv1.0 Application Data 



5 6.287995 00.00.26 -> 03.1a.f8 FC [Malformed Packet] 


FN=0, Flags=........ 



You can check the file from the Console, but export is usually better 

3850-T#show monitor capture file flash:/mycap.pcap detailed 

Frame 1: 122 bytes on wire (976 bits), 122 bytes captured (976 bits) Packets in detail 

Arrival Time: Jun 13 2016 07:05:04.053982000 UTC 

Epoch Time: 1415862304.053982000 seconds 

[Time delta from previous captured frame: 0.000000000 seconds] 

[Time delta from previous displayed frame: 0.000000000 seconds] 

[Time since reference or first frame: 0.000000000 seconds] 

Frame Number: 1 

Frame Length: 122 bytes (976 bits) 

Capture Length: 122 bytes (976 bits) 

[Frame is marked: False] 

[Frame is ignored: False] 

[Protocols in frame: eth:ip:udp:capwap:wlan] 

Ethernet II, Src: 44:d3:ca:42:59:61 (44:d3:ca:42:59:61), Dst: 68:bc:0c:5b:f4:68 

(68:bc:0c:5b:f4:68) 

Destination: 68:bc:0c:5b:f4:68 (68:bc:0c:5b:f4:68) 

Address: 68:bc:0c:5b:f4:68 (68:bc:0c:5b:f4:68) 

…/… 



When using the Console, Be Smart 

3850-T#show monitor capture file flash:/mycap.pcap detailed | section Frame 17 

Frame 17: 122 bytes on wire (976 bits), 122 bytes captured (976 bits) 

Arrival Time: Jun 13 2016 07:05:48.552965000 UTC 

Epoch Time: 1415862348.552965000 seconds 

[Time delta from previous captured frame: 1.556023000 seconds] 

[Time delta from previous displayed frame: 1.556023000 seconds] 

[Time since reference or first frame: 44.498983000 seconds] 

Frame Number: 17 

Frame Length: 122 bytes (976 bits) 

…/… 

3850-T#show monitor capture file flash:/mycap.pcap detailed | count Probe 

Number of lines which match regexp = 208 

3850-T#show monitor capture file flash:/mycap.pcap brief | exclude DTLS 


FN=0, Flags=........ 


FN=0, Flags=........ 



Using a PC is easier to decipher the capture 

3850-T#copy flash:mycap.pcap ? 

ftp: 

Copy to ftp: file system 

http: 

Copy to http: file system 

https: 

Copy to https: file system 

tftp: 

Copy to tftp: file system 

usbflash0: Copy to usbflash0: file system 

3850-T#copy flash:mycap.pcap usbflash0:mycap.pcap 

Destination filename [mycap.pcap]? 

Copy in progress...CC 

68174 bytes copied in 0.240 secs (284058 bytes/sec).... 



Using a PC is easier to decipher the capture 


Wireshark on CA – Targeting a Client 

What if you Want Traffic Only from one Client? 

• Capture client VLAN, and filter the client MAC or IP 

3850-T(config)#mac access-list extended myclient 

3850-T(config-ext-macl)#permit host 44d3.ca42.5961 any 

3850-T(config-ext-macl)#end 

3850-T#monitor capture mycap1 access-list myclient 

AP is in VL 21 

10.10.21.202 

10.10.23.21 

Client MAC is 44:d3:ca:42:59:61 


Packet Capture on AireOS 

You can Also Packet Dump on AireOS 

(Cisco Controller) >config ap packet-dump ? 

buffer-size 

capture-time 

classifier 

ftp 

start 

stop 

truncate 

Set Buffer Size for Packet Capture 

Set Time for Packet Capture 

Set Classifiers for Packet capture 

Set FTP parameters for Packet Capture 

Start Packet Capture at AP 

Stop Packet Capture 

Set Packet Length after Truncating 

• Oh BTW, this command is also available on IOS-XE… 

3850-T#ap name AP44d3.ca42.5961 packet-dump ? 

start Start packet capture at AP 

stop Stop packet capture at AP 

3850-T#ap name AP44d3.ca42.5961 packet-dump start ? 

H.H.H Set client MAC address for packet capture 


Packet Dump vs Wireshark Capture 

• Wireshark is a Sniffer mode 

• Captures everything about an AP or a client 

• Packet Dump is a targeted troubleshooting tool 

• You have to choose what type of traffic is faulty and needs capturing 

• Very useful if you want to focus on one specific type of issues 

• Less useful if you want a global view of the Air 


Packet Dump Notes and Gotchas 

• The AP still services clients normally (0 impact), but also dumps targeted traffic 

to a FTP server 

• Target can be ONLY ONE client at a time 

• Packets are captured and dumped in the order of arrival or transmit of packets 

except for beacons and probe responses. 

• If FTP transfer time is slower than the packet rate, some of the packets do not appear in the 

capture file. 

• If the buffer does not contain any packets, a known dummy packet is dumped to keep the 

connection alive. 

• A file is created on the FTP server for each AP based on unique AP and controller name and 

timestamp. Ensure that the FTP server is reachable by the AP. 

• If the FTP transfer fails or FTP connection is lost during packet capture, the AP stops 

capturing packets, notifies with an error message and SNMP trap, and a new FTP connection 

is established. 


Using Packet Dump 

• Before starting the dump, you need to define dump parameters: 

(Cisco Controller) >config ap packet-dump ftp serverip 172.29.129.56 path / username 

cisco password cisco 

(Cisco Controller) >config ap packet-dump classifier ? 

arp 

broadcast 

control 

data 

dot1x 

iapp 

ip 

management 

multicast 

tcp 

udp 

Capture ARP Packets 

Capture Broadcast Packets 

Capture 802.11 Control Packets 

Capture 802.11 Data Packets 

Capture Dot1x Packets 

Capture IAPP Packets 

Capture IP Packets 

Capture 802.11 Management Packets 

Capture Multicast Packets 

Capture TCP packets 

Capture UDP packets 



• Before starting the dump, you need to define dump parameters: 

(Cisco Controller) >config ap packet-dump classifier management enable 

(Cisco Controller) >config ap packet-dump classifier broadcast enable 

(Cisco Controller) >config ap packet-dump buffer-size ? 

Size of Buffer (1024 - 4096) 

(Cisco Controller) >config ap packet-dump buffer-size 1024 

(Cisco Controller) >config ap packet-dump capture-time ? 

Time in for Packet Capture (1 - 60 Minutes) 

(Cisco Controller) >config ap packet-dump capture-time 3 

(Cisco Controller) >config ap packet-dump truncate ? 

Length of Packet after Truncation (20 - 1500) 

Useful to avoid clogging 

(but optional) 

To capture only headers 



• Check where you are, and get ready to start: 

(Cisco Controller) >show ap packet-dump status 

Packet Capture Status............................ Stopped 

FTP Server IP Address............................ 172.29.129.56 

FTP Server Path.................................. / 

FTP Server Username.............................. cisco 

FTP Server Password.............................. ******** 

Buffer Size for Capture.......................... 1024 KB 

Packet Capture Time.............................. 3 Minutes 

Packet Truncate Length........................... Unspecified 

Packet Capture Classifier........................ 802.11 Management 

Packet Capture Classifier........................ Broadcast 



• Start the capture 

(Cisco Controller) >config ap packet-dump start ? 

Set Client Mac Address for Packet Capture 

(Cisco Controller) >config ap packet-dump start 78:7e:61:76:00:d3 ? 

Enter the name of the Cisco AP. 

(Cisco Controller) >config ap packet-dump start 78:7e:61:76:00:d3 APa80c.0dd2.218c 

Client Mac Address............................... 78:7e:61:76:00:d3 

FTP Server IP.................................... 172.29.129.56 

FTP Server Path.................................. / 

FTP Server Username.............................. cisco 

Buffer Size for Capture.......................... 1024 KB 

Packet Capture Time.............................. 3 Minutes 

Packet Truncate Length........................... Unspecified 

Packet Capture Classifier........................ 802.11 Management 

Packet Capture Classifier........................ 802.11 Broadcast 

Are you sure you want to start capture ? (y/N) y 



• You can also follow the capture from the WLC CLI: 

(Cisco Controller) >debug ap packet-dump enable 

Configures debug of AP Packet capture 

spamReceiveTask: Jan 01 16:01:51.606: Packet Capture - Intra Roam from AP 

a8:0c:0d:db:ce:f0 to Ap a8:0c:0d:db:ce:f0 numSlots 2 

*spamReceiveTask: Jan 01 16:01:51.606: Found prev_radId as 5 

*spamReceiveTask: Jan 01 16:01:51.606: Packet Dump, Roam to same AP 

*osapiBsnTimer: Jan 01 16:02:01.874: Encode AP Packet Dump payload in a buffer 

*osapiBsnTimer: Jan 01 16:02:01.875: Capwap message to AP a8:0c:0d:db:ce:f0 for Packet 

capture 

*osapiBsnTimer: Jan 01 16:02:01.875: Encode AP Packet Dump payload in a buffer 

*osapiBsnTimer: Jan 01 16:02:01.875: Capwap message to AP a8:0c:0d:db:ce:f0 for Packet 

capture 



• The captures are then pcap files in your FTP server: 


Client Troubleshooting – WLC Dashboard 

PING TEST 

CONNECTION 

TEST 

PACKET CAPTURE 

EVENT LOG 

BRKEWN-3000 

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

Client Troubleshooting – Packet Capture 

• 802.11 packet capture tool for 

administrators and TAC 

AP NAME 

the packet types you wish to capture. 

• Previously only available in the CLI 

• Enabled per client (1 session max) 

FTP SERVER 

• Capture times 1 – 60 minutes (default 10 

where the .pcap files are uploaded. 

minutes) 

• 802.11 and Protocol based capture filters 

• Packet captures are streamed to a FTP 

CAPTURE CONTROLS 

server in .pcap format for offline 

Stats and stops the packet capture. 

analysis 

• Capture files are automatically named 

using - 

_ 

CAPTURE DURATION 

CAPTURE FILTERS 

The amount of time in minutes (1-60) the packet 

The name of the AP the client is currently connected to. 

capture is to run. 10 Minute default. 

Can select one or more capture filters depending on 

The FTP server IP address, credentials and path 

CAPTURE STATUS 

The current state of the packet capture session. 


© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 

34

AP in Sniffer Mode 

• You can also set the AP to sniffer mode: 

• Capture specific channel 

• And send (live) this traffic to an IP address, where you run Omnipeek or Wireshark 


AP in Sniffer Mode Logic 

AP 

Sniffer Mode 

Channel 36 

AP 

Local Mode 

PC 

running WireShark or 

OmniPeek software 

Collected 

Data 

Collected 

Data 

Controller 

The remote analysis PC must be reachable 

via IP from the management interface of the 

controller. 


AP Sniffer Mode Configuration 

• Once the AP is in Sniffer Mode, set the channel to capture, and the destination 

address: 

3850-T#ap name AP44d3.ca42.5961 sniff dot11a 48 172.29.129.56 



Meanwhile, in your remote PC: 

Select the interface packets will be coming through 

(can be wired or wireless) 

Apply this capture filter to only get traffic from the AP 

(Source port is UDP 5555, dest port UDP 5000) 



Meanwhile, in your remote PC: 

Right click any packet 



You can now see the 802.11 part: 


Sniffer Mode vs Packet Dump vs CLI Wireshark 

Which one to Use 

• Use Packet dump to target a specific issue that you identified clearly 

• E.g. client does not get an IP 

• Do not use packet dump for “Wi-Fi does not work well” kind of issue 

• CLI Wireshark captures all traffic from the AP 

• Including CAPWAP traffic, on all radios 

• Nice to have a view “from the AP vantage point” 

• Both CLI Wireshark and Packet dump miss a critical element: the radiotap 

header 

• Sniffer mode has a form of radiotap information 


Radiotap Header 

All the RF side of you captured frame 


Where to Capture, What 

to Capture, if you Have a 

Choice

Where Should You Capture From Anyway? 

1. Sniffer AP: 

Pro: you can be remote! 

Cons: you may not hear client 3, and 

maybe not AP 4 very well… 

2. Packet dump/CA Wireshark: 

Pro: you can be remote! 

Cons: no radiotap, only partial view 

3. Next to client: 

Pro: you see what the client sees! 

Con: you may not see traffic from the 

other side of the cell 

4. Next to AP: 

Pro: you have a central view of the cell 

Con: you may not see the client RF 

environment details 

3 

2 

4 

AP 

Wireshark CLI 

Packet dump 

Sniffer AP 

AP 

Keep in mind that your wireshark laptop RF Rx 

are different from other clients’ 

1 


Capture Point and Receive Range 

STA 1 

Coverage Threshold for chosen rate 

• Above coverage threshold for chosen rate 

• Station can read frames 

• Duration field reduces collisions 

with stations in the same area 

STA 2 

• Outside coverage area for that rate 

• Above Interference Threshold 

• Can see frames, but can’t read them 

• Increased possibility of data 

corruption and collisions 

Sender 

2 

1 

Interference Threshold 


Receiving L2 vs Receiving L1 

• To help “out of range” stations, the frame also has a physical header, always 

sent at lowest speed (6 Mbps in 5 GHz, 1 Mbps or 6 Mbps in 2.4 GHz) 

PMD 

Header 

Bytes: 2 

PLCP 

Header 

2 

6 6 6 2 6 2 variable 4 

Frame 

Duration RA TA DA 

Seq. 

SA QoS 

Control Control 

PayloadFCS 

Bits: 

4 1 12 1 6 16 

Preamble Rate Reserved Length Parity Tail 

Service 


Beyond Receiving Range 

STA 3 

• Below Interference Threshold 

• Above PCS Threshold 

• Can detect energy, but can’t read 

frames (physical or MAC header) 

• Potential for collisions with closeby stations 

in the cell 

STA 4 

• Outside coverage area for that rate 

• Above Interference Threshold 

• Can see frames, but can’t read them 

• Increased possibility of data 

corruption and collisions 

Coverage Threshold for chosen rate 

3 

Sender 

1 

2 

4 

Physical Carrier Sensing Threshold 

Interference Threshold 


What to Verify 

• Connection: association / authentication 

• Communication: beyond L2 tests (e.g. DHCP, IP reachability, application 

reachability) 

• Throughput test (how much TCP / UDP bandwidth do you get upstream, 

downstream, to/from one station) 

• Load test (how many stations, max bandwidth with station overload) 

• Specific Application test 

• Roaming test 


Communication Test 

• Sometimes, a device reports “connected” but in fact fails to communicate: 

Authentication Request 

Authentication Response 

Association Request 

Association Response 

Client abc status: 

associated 

4-message Exchange 

FAILED 

• Test “past Layer 2” communication: DHCP or other upper Layer 


Individual Client Throughput Test 

• Test speed at various distance 

• Start with one typical client, target 

most demanding application 

• Use short distance to the AP 

as max speed reference 

• Check as you move away that: 

• Roaming path does not show 

unexpected losses 

• Cell edge offers the performances you anticipated 

• Roaming offers the performances you anticipated 

6 Mbps 

65 Mbps 


Cell Load Test 

• Once you have tested one client at a given position, test may clients at the same 

distance 

• Make sure to position clients in various directions 

• (without obstacles) 

• Check how performance degrades 

as you add clients 

• Degradation should be linear 

if clients and applications 

are the same 


Load Test – Impact of Different Clients 

• Suppose client 1 is 40 MHz, 2SS, max rate 270 Mbps 

• Max expected throughput may be around 45 % -> 122 Mbps 

• Suppose client 2 is 20 MHz, 1 SS, max rate 65 Mbps 

• Max expected throughput may be around 45% -> 30 Mbps 

• What is the impact of adding client 2 to client 1 cell? Too complicated to assess 

easily! 

• If each client uses half of the cell time, throughput falls from 122 Mbps with client 1 

alone to 61 Mbps (122 / 2) and 15 Mbps (30 / 2) respectively, total 76 Mbps 

• But any variation in individual client cell time will rock this number widely! 

• Try to use consistent clients and applications for the load test 

Client 1 

Client 2 


Roaming Test 

• Try to roam: start from one AP, make sure you have target application 

upstream/downstream traffic, move at steady pace to next AP 

• Allows you to check initial association, handover and RF conditions on roaming 

path 

AP 

AP 


Cell Shape and Roaming Path 

• Remember that cells are not circles 

• Test along the expected roaming paths 

• When testing individual cell 

performances, take the radiation pattern 

into account 

Cisco 3700i cell view in Ekahau 


Getting Comfortable with 

Wireshark

Wireshark Survival Guide 

Direct Capture 

• On Windows, deep interaction between 

application and card is usually impossible 

AirPcap Nx 

• You need a specific card (e.g. AirpCap Nx card) 

• On Linux, depends on the card chipset vendor 

• On most Macs, possible with the internal card 

• On Android, very limited solutions (need to root, 

hardware support limitations) 

• Let’s focus on Windows 



Direct Capture 



Frame Sections 

1 

3 

4 

2 

1. Frame details (size time arrival etc) 

2. Radiotap: radio characteristics of 

frame reception (RSSI, data rate etc.) 

3. 802.11 MAC details 

4. Upper Layers 



Sorting Frames – Coloring 

• “Colorize Conversation” 

only works for upper Layers 

(3 and up), implies Open 

WLAN 

• Not applicable for pure L2 

802.11 frames (RTS/CTS, 

ACKs etc.) 



Sorting Frames – Coloring 

• Use Coloring 

Rules to easily 

spot frames of 

interest (e.g. 

probes) 



Sorting Frames – Columns 

• Add / Hide 

columns to only 

show what 

matters 

• Typically: add 

RSSI, SNR, 

channel, 

DSCP/UP 

Right click any field of interest 



Sorting Frames – Move, Rename, Delete, Sort Columns 

Right click 



Filtering -Capture Filter vs Display Filter 

• Capture filter limits the amount of frames you collect 

• Pro: limits capture file size 

• Cons: limited filtering possibilities, you can’t account for frames you did not capture 

• Display filters limits the frames you see and work from 

• Pro: large filtering capabilities 

• Con: capture frames can be large 

• E.g. 5 minute capture in a busy hotspot… 

> 1 million frames in 5 minutes 



Filtering - Capture Filters 

• Some useful Capture filters: 

• Target MAC: host, wlan src, wlan dst 

• FC type: mgt, ctl, data 

• FC subtype: [assocreq, assocresp, reassocreq, reassocresp, probereq, probresp, beacon, atim, disassoc, 

auth, deauth], [ps-poll, rts, cts, ack, cf-end, cf-end-ack], [data, data-cf-ack, data-cf-poll, data-cf-ack-poll, 

null, cf-ack, cf-poll, cf-ack-poll, qos-data, qos-data-cf-ack, qos-data-cf-poll, qos-data-cf-ack-poll, qos, qoscf-poll, 

qos-cf-ack-poll] 

• Examples: 

• Capture only management frames 

• Capture everything except some control frames: 

• Probes to and from a target host: 

• Association requests/responses, reassociation requests/responses, disassociation and (de)authentication 

frames and all eapols: 



Filtering - Display Filters 

Fills the filter field and applies 

• Easiest way is to use a frame: 

Fills the filter field, does not apply (so you can edit) 

Right click any field 



Filtering - Display Filters 

• Create your own, or call back a previously used filter: 

For 802.11, you want to look at: 

• 802.11 Radiotap 

• 802.11 RSNA EAPOL (security exchanges) 

• CAPWAP (when on wire) 

• IEEE 802.11 (Aggregate, MGT) 

• WPS 

Wireshark will tell you if the filter is correct: 



Filtering - Capture Filters – some common values 

Capture type 

Only beacons 

No beacons 

Only traffic to/from aa:bb:cc:dd:ee:ff 

Only traffic from aa:bb:cc:dd:ee:ff 

(traffic to aa:bb:cc:dd:ee:ff) [anything except] 

IP host 1.2.3.4 (to/from 1.2.3.4) 

IP network 1.2.3.0/24 

Filter 

wlan[0] == 0x80 

wlan[0] != 0x80 

wlan host aa:bb:cc:dd:ee:ff 

src host aa:bb:cc:dd:ee:ff 

(dst host aa:bb:cc:dd:ee:ff) [not wlan host] 

host 1.2.3.4 (src / dst host 1.2.3.4) 

net 1.2.3.0/24 

Frame types: 

Association request (0x00), association response (0x01), reassociation request (0x02), reassociation response (0x03), 

Authentication (0x11), Disassociation (0x10), deauthentication (0x12) 

Probe request (0x04), probe response (0x05) 

RTS (0x27), CTS (0x28), ACK (0x29), NULL frame (0x36), QoS Null (0x44), action (0x13) 


Using Wireshark IO Graphs 

• You can use graphs to directly display stats in 

Wireshark 

• Example: you want to know how much 40 

MHz is in use 

• Color 40 MHz data rates! 

20 MHz rates 

• In this network, enabling 40 MHz is a waste, 

Clients do not use that width 

40 MHz rates 


Exporting Frames

What Frame to Select 

• You are capturing from the client side: 

• Beacons are a good reference (time, cell activity level, RSSI/SNR, cell 

parameters) 

• Retries for BER and rate shifting 

• Any data packet for specific application tshooting 

• Association / authentication phases 

• Probes 


What Frame to Select 

• You are capturing from the AP side: 

• Any client packet for signal levels (RSSI / SNR), and specific application 

tshooting 

• ACKs from AP for data rate (AP data rate vs client data rate) 

• Retries should be low 

• Authentication exchanges 

• Client probes 


Exporting Frames 


Statistical Analysis In 

Excel

Excel vs Wireshark 

• Large amount of frames are difficult to analyze 

• Statistical analysis allow you to see patterns 

• Wireshark has statistical graphical tool, but: 

• Limited to combination lines 

• Creating filtering can be tedious 

• By using Excel (or equivalent) you can: 

• Export selected frames of interest (pre-filtering) 

• Display multiple types of graphs 

• Create new columns to perform deeper analysis 


Example 1 – One Way Audio 

• Issue: one way audio on Iphone 6 at a distance from the AP 

• 7925 shows no issue 

• Capture was taken on a target AP, both devices moving away 

- 70 dBm 

AP 


Example 1 – Select and Export 7925 Data 


Example 1 –7925 Data Rate 

At what rate 

was the frame 

sent 

Nice Tx at 54 Mbps, ACK at 24. Sometimes Tx at 24 Mbps. 

Capture time (seconds) 


Example 1 – Same Operation on Iphone Data Rate 

At what rate 

was the frame 

sent 


Mmm rate goes up and down, strange that rate keeps going up as distance increases 


Example 1 – At The End of the Cell Coverage Area 

7925 tries 54 Mbps, then fails, reverts to slower rate, gets ACK, then tries again 54 Mbps… 

Can you guess what a problem is here? 

The 7925 also maintains a failed counter, eventually the phone gives up on the connection 

because of the retry count… good phone! 


Example 1 – At The End of the Cell Coverage Area 

Iphone is in the same cell… but never tries lower than 24 Mbps… even tries higher rates sometimes 

Issue: behavior is RSSI-based, no retry count 


Example 1 – What Did We Learn? 

• AP power is too high – mismatch between AP Rx and client RX 

• 7925 partially adapts its transmission to Retries, then roams away if retries are too high 

• Iphone 6 bases its roaming behavior on the RSSI, regardless of the retries 

• The Iphone 6 will ALWAYS have issues at the edge of that cell, if AP power 

level stays the same 

‣ Lower AP power, re-work neighboring cell overlaps 


Example 1 – Iphone Is Not The Only One 

• Bad design example: HTC One @ 12 dBm, AP @20 dBm 

Based on Rx AP signal, BYOD thinks 54 Mbps rate is okay… 

But client message is too weak, and AP does not ACK until rate falls to 12 mbps 

Each message takes 8 times more to be transmitted 

(including EIFS and retries) 


Example 2 – Use Probe as Happiness Index 

• BYODs tend to probe only when they get at the edge of a cell 

• They try to conserve battery by probing only when needed 

• They also probe when they are not associated 

• You can use the Probing behavior as an happiness index 

• If the associated BYOD probes, then it wants to leave your cell 

• You know that this is the cell edge from the BYOD perspective 

• Know your BYODs, know how they probe, you will know when they want to leave you 



• Samsung S6 when idle and not associated (baseline) 

Interval 

between 

probes 

Time 

131.3s cycle 

66.6s after 6th 



• Samsung S6 when idle and associated (baseline) 

Interval 

between 

probes 

Burst of 2, SSID unstable 

SSID count changes, or 

probe response not received 

Time 

285 s cycle can be seen 

App network activity interrupts the cycle 



• Now let’s walk back and forth 

AP good signal (no need to probe that much) 

Interval 

between 

probes 

Time 

AP poor signal (need to find a better AP!) 



• AP signal and probes 

Probe frequency decreases after AP signal gets better 

• To know where the capture was taken from, compare AP and client RSSI 

• Taken from nearby the AP 

Probe 

interval 

Time 

RSSI 

Artifact (body position?) 

More frequent probe as AP signal gets lower 


Example 3 –Iphone 6 Performances 

• Context is phone moving in a corridor, loss of audio at each AP roam for a few 

seconds 

• The local admin “confirmed that cell overlap 

seemed okay” (when at AP 1 cell edge, 

at – 67 dBm, the SSID from AP 2 can be 

heard at -67 dBm) 

• AP power is 3 for both bands (A domain) 

• SSID is allowed on both bands 

• Default data rates are set, an attempt 

to disable low rate did not solve the issue 

A 

1 

2 

B 

C 

3 


Example 3 – One Way Audio with Iphone 6 

• Context is phone moving in a corridor, loss of audio at each AP roam for a few 

seconds 

• The local admin “confirmed that cell overlap 

seemed okay” (when at AP 1 cell edge, 

at – 67 dBm, the SSID from AP 2 can be 

heard at -67 dBm) 

• AP power is 3 for both bands (A domain) 

• SSID is allowed on both bands 

• Default data rates are set, an attempt 

to disable low rate did not solve the issue 

A 

1 

2 

B 

C 

3 



• If the phone is “on call”, you should see a constant flow of packet 

• Capture was taken on ch 44 (AP 1) and ch 48 (AP 2) 

• Constant ping to the phone to add traffic on top of the call 

• Select frames sent by the phone, and export 



• In Excel, check frame interval on 5 GHz… 

• Uh oh… 

How long between 

1 frame and next frame 

This is normal 

Why is the phone completely dropping for long intervals? 

(complains is just a few seconds call drop) 




• As the SSID is present on both bands (but phone is supposed to prefer 5 GHz), 

let’s look at 2.4 GHz 

Episodes in 5 GHz or phone disconnected? 

Phone has episodes in 5 GHz, but spends most of the time in 2.4 GHz… why? 



• Let’s have a closer look at these packets on 5 GHz, especially the ones where 

RA=Iphone, and check the RSSI 


What is the RSSI 

of the frame 

• Did we hear that overlap was okay? 

• Maybe on 2.4 GHz, but certainly not on 5 GHz 

• Phone is on 5 GHz when AP RSSI is above -70 dBm 



• We know what happens… 

• Phone starts on 5 GHz, then “roams” to 2.4 GHz, then back to 5 GHz 

• Let’s try to understand why: 

• Iphone tries to roam when 

reaching the -70 dBm boundary 

• Tries to find next AP if signal 

is at least 8 dB better 

(http://support.apple.com/en-us/HT6463) 

• In A domain, power 3 is 11 dBm 

in 24 GHz and 9 dBm in 5 GHz 

• But 2.4 GHz antenna typically 

allows 7 dB more than 5 GHz 

• So... At 5 GHz boundary, 2.4 GHz is 

9 dB better than 5 GHz (+- 4 dB margin) 

5 GHz -70 dBm 

AP 

2.4 GHz -70 dBm 

5 GHz received at -70 dBm 

2.4 GHz received at -61 dBm 



• Solution: 

• Move APs where possible (all APs could not be moved) 

• Set SSID to 5 GHz only (if possible) 

• Enable 802.11k/v (on by default in AireOS 8.3) Retries 

1 

2 

3 

Some retries, but almost no episode below -70 dBm, no long audio drops 


802.11v: Send your BYOD to the Next (Better) Cell 

802.11k vs 802.11v BSS Transition Management 

What could 

my next AP be? 

Here are the 

best 6 for you 

Need to roam, what AP do 

you recommend? 

Try this one 

802.11v Solicited request 

Your RSSI / rates are too 

low, roam to there instead 

802.11k neighbor list 

Want to join your cell 

Nah, load too high, go there 

instead 

802.11v Unsolicited 

Optimized Roaming request 

802.11v Unsolicited request 


Adding Adaptive 802.11r to the Mix 

iOS 10 Iphone 6 S 

Interval between last packet on previous AP, 

and first packet on next AP 

QoS, 802.11r/k/v 

No QoS, No 802.11r/k/v 


Evaluating Fast Lane Performances: Upstream Frame Interval, Against 

Competing Traffic 

• We are sending voice traffic in a congested environment, one voice packet every 20 ms 

• We measure the actual interval between voice packets, upstream 

nterval (seconds) 

Packet average interval is 20 ms (good) 

Packet average interval is 40 ms (not so good) 

Very few silences, of up to 0.1 second 

(fair audio experience) 

Many silences, of up to 0.6 second 

(poor audio experience) 


FastLane QoS 

No QoS 


Rate Shifting Performance Evaluation 

Recovery time (rate shifting up) 

Downhill 

Even worse 


99

Example 4 – IOS 8 Random MAC address 

• Seeing duplicate MAC addresses in your network, and wondering how much of 

them come from IOS 8 devices? 

• Put a phone on a table and check its probes! 

Start by filtering probes only, then export. 

You can’t filter on MAC address, as it is going to change! 


Random MAC = Locally Administered Address 

• MAC address contains an OUI part 

and a host part 

• OUI B2 bit always 0 for real OUIs 

• B2 can be set to 1 to express “locally 

administered address” 

• When B2 is “1”, rest of OUI does not 

matter (does not reflect any specific 

OUI) 


Random MAC Behavior 

• Apple introduces random MAC address in IOS 8 “cautiously” 

• Random MAC Only works on iPad Air, iPad Mini Retina Display, iPhone 5S, iPhone 

5c, Iphone6, Iphone 6+ 

• Random MAC not used when “the network” can identify the device user 

• Because otherwise your fake MAC can easily be mapped to you anyway! 

• No random MAC when you are associated 

• No random MAC if you can be identified: data cellular is On, or Location Services are On 

Internet 

Jerome is here 

Jerome’s fitness data 



• Use the RSSI to filter signals coming from the target phone 

• Sort by RSSI, identify the real MAC, and take out everything that has too high or too low 

RSSI 

• Take a 5 dB margin, look at the capture if needed to assess the margin needs 

You can also do it in Wireshark directly! 

(wlan.fc.type_subtype==4) && ((radiotap.dbm_antsignal = -30) 



• You should see series of real MACs, then series of locally administered MACs 

• You can the analyze the pattern 

Probe 1 to 3 times (+20 ms burst each) with real MAC, 4.37 (x 1 to 3) interval between probes 

How many 

secs since 

last probe 

When using fake MAC, between 

2 and 6 probes, at 135/270 interval 

“first fake after real” is at 317 or 602 +-40s 

Time 

then 

When using real MAC, 

Always probe burst (20 ms interval) 


Real Time Signal: what are we trying to solve? 

Survey tool: 

This is how I see the AP signal: 

AP RSSI here = AA dBm 

AP SNR here = BB dB 

I have no idea on how the AP sees my client signal. 

Let’s guess and assume that it is the same as how I see the AP 



105

Real Time Signal: how does it work? 

1. telnet/ssh to AP, run radio debug 

-> record real time client upstream signal 

2. Filter to keep only data or interest 

(e.g. RSSI /SNR), store in logstash 

3. Display RSSI / SNR in real time through Kibana 

0. Associate your client (duh) 

4. Http to the kibana URL to see RSSI/SNR in near realtime 



106

Example – Now It Is Your Turn 

• Does the RSSI relate to retries in capture X taken from client vantage point? 

More retries at low RSSI (normal), but also abnormal zones… 

There is a transmitter on the other side of the cell you do not see 

Retried frames 

AP RSSI 

In Wireshark, count frames sent by client that are retries: 

In Excel, add 1 if previous line is the same (increases count with retries): 



• Follow the dialog between 2 stations 

• Filter in Wireshark source /dest 

• In Excel, one column for each source and matching packet size 

• Did you notice that I use “Scatter” graph often? 

• Using other types 

Columns 

Scatter edited marker 

Scatter with lines 

Time is missing 

I can see blue sends larger frames, red is responding 



• Captured from client? How to see “invisible traffic” from the other side of the 

cell? 

• Count the beacon intervals! 

TBTT 

delay 

Beacon 

Beacon 

Time 

(wlan.fc.type_subtype==8) && (frame[62:15] == 00:0d:43:69:73:63:6f:4c:69:76:65:32:30:31:34) 

SSID (in hex) filter 

Interferers here 



• Who sent what? When? How large was the packet? Who talks most? 

One column for each MAC, time and packet combined 

New columns that sum traffic from target “Source” values 


Conclusion 

• Any field in Wireshark can be a column. 

• Any column can be a graph in Excel… 

• But in the end, your understanding of 802.11 and RF will make the difference. 

Excel and Wireshark are just there to help you understand, then display as a 

graph what you understood. 

• Our industry is in needs of better tools to understand clients wi-fi experience, 

this could be one of them, and we could share ideas and experiments here: 


Demo files are at: 

https://www.dropbox.com/s/ajfc0pqvkf8c819/BRKEWN3000-videos.zip?dl=0 

• Other session of interest: BRKEWN-3011, 

• Reference material: CiscoPress, Wi-Fi Configuration, Deployment and 

Troubleshooting LiveLessons (http://www.ciscopress.com/store/wi-fi-configuration-deployment-andtroubleshooting-9781587205651) 


Call to Action 

• Visit the World of Solutions for 

• Cisco Campus – 

• Walk in Labs – 

• Technical Solution Clinics 

• Meet the Engineer (check with the MTE team for remaining meeting slots!) 

• Lunch and Learn Topics 

• DevNet zone related sessions 


Complete Your Online Session Evaluation 

• Give us your feedback to be 

entered into a Daily Survey 

Drawing. A daily winner 

will receive a $750 Amazon 

gift card. 

• Complete your session surveys 

though the Cisco Live mobile 

app or your computer on 

Cisco Live Connect. 

Don’t forget: Cisco Live sessions will be available 

for viewing on-demand after the event at 

CiscoLive.com/Online 


Continue Your Education 

• Demos in the Cisco campus 

• Walk-in Self-Paced Labs 

• Lunch & Learn 

• Meet the Engineer 1:1 meetings 

• Related sessions 


Thank you

Wireless Cisco Education Offerings 

Course Description Cisco Certification 

• Designing Cisco Wireless Enterprise Networks 

• Deploying Cisco Wireless Enterprise Networks 

• Troubleshooting Cisco Wireless Enterprise 

Networks 

• Securing Cisco Wireless Enterprise Networks 

Implementing Cisco Unified Wireless Network 

Essential 

Professional level instructor led trainings to prepare candidates to conduct 

site surveys, implement, configure and support APs and controllers in 

converged Enterprise networks. Focused on 802.11 and related 

technologies to design, deploy, troubleshoot as well as secure Wireless 

infrastructure. Course also provide details around Cisco mobility services 

Engine, Prime Infrastructure and wireless security. 

Prepares candidates to design, install, configure, monitor and conduct 

basic troubleshooting tasks of a Cisco WLAN in Enterprise installations. 

CCNP ® Wireless Version 3.0 

(Available March 22 nd , 2016) 

CCNA ® Wireless 

(Available Now) 

Deploying Basic Cisco Wireless LANs (WDBWL) 

Deploying Advanced Cisco Wireless LANs 

(WDAWL) 

Deploying Cisco Connected Mobile Experiences 

(WCMX) 

Understanding of the Cisco Unified Wireless Networking for enterprise 

deployment scenarios. In this course, you will learn the basics of how to 

install, configure, operate, and maintain a wireless network, both as an 

add-on to an existing wireless LAN (WLAN) and as a new Cisco Unified 

Wireless Networking solution. 

The WDAWL advanced course is designed with the goal of providing 

learners with the knowledge and skills to successfully plan, install, 

configure, troubleshoot, monitor, and maintain advanced Cisco wireless 

LAN solutions such as QoS, “salt and pepper” mobility, high density 

deployments, and outdoor mesh deployments in an enterprise customer 

environment. 

WCMX will prepare professionals to use the Cisco Unified Wireless 

Network to configure, administer, manage, troubleshoot, and optimize 

utilization of mobile content while gaining meaningful client analytics. 

1.2 

1.2 

2.0 

For more details, please visit: http://learningnetwork.cisco.com 

Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com

BRKEWN-3000

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?