Capturing Packets From A Wireless Device
Since the number of wireless devices has only been increasing, I get a lot of questions about how to capture packets from a wireless device. Not to sound like a consultant, but unfortunately there are many answers to this question, depending on your equipment and your network architecture.
The easy answer is: if you have an access point that supports packet capture, capture from there. Just be careful, since I have run into some issues performing packet captures from network equipment (routers, switches, access points): device CPUs maxing out, no filtering, missing packets, and skewed timings, to mention a few. Then there is the issue you run into if you have multiple access points that the device can connect to, since no single access point then sees all of the client's traffic. This can obviously happen if the wireless client is physically moving around, but I have also seen it happen with stationary clients that have marginal signals or a lot of interference.
The next capture point would be the switch that the access point is connected to. Now there are a few options to cover.
The first option would be to capture from the switch itself, if the switch supports it.
The next option would be port mirroring, or SPAN in Cisco terminology, if your switch supports it. Be careful, since some switches limit the number of source ports you can mirror or the number of mirror sessions, and a mirror port can silently drop frames when the mirrored traffic (both directions of a full-duplex link) exceeds the destination port's capacity.
All the caveats I mentioned previously with respect to capturing from the wireless access point also apply to switches.
At this point, I would consider a tap between the switch and the access point, or, depending on your network architecture, on the trunk port between that switch and the next one. There is a lot to cover about taps, and I won't be covering that in this article. Make sure you have a portable tap in your bag and a chassis-mount tap for permanent use.
I can't stress enough to network designers/architects and installers: build 'test points' and the equipment for them into your network, so troubleshooting doesn't become a disruptive or lengthy process. If you do it right, your test points can double as monitoring points, so your equipment is always in use.
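Two of the problems above show up as soon as you have more than one capture point: the same frame is seen at the access point and again at the switch or tap, and the timestamps from the different devices don't quite agree. A third one is in the note at the end of this post: the capture laptop's own traffic ends up in the trace. The following is an added example, not code from the original article, showing how to merge two classic pcap files into one timeline, drop byte-identical frames seen again within a small window, filter to one wireless client, and exclude the capture host's MAC. It uses only the Python standard library; the MAC addresses, frames and timestamps are constructed sample data, and the 2 ms duplicate window is an assumed value you would tune to the clock skew you actually observe.

```python
"""Merge captures from two capture points (e.g. an access point and the
switch port behind it) into one timeline. Added example, not the article's
own code. Sample frames, MACs and timestamps below are constructed."""
import struct
from typing import List, Optional, Sequence, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
Record = Tuple[float, bytes]  # (timestamp in seconds, raw Ethernet frame)


def mac(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack(">H", ethertype) + payload


def write_pcap(records: Sequence[Record], snaplen: int = 65535) -> bytes:
    """Serialise records as a classic (not pcapng) pcap file image."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> List[Record]:
    """Parse a little-endian classic pcap image back into (timestamp, frame) records."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    records: List[Record] = []
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        records.append((sec + usec / 1_000_000, frame))
    return records


def merge_captures(captures: Sequence[Sequence[Record]], exclude_macs: Sequence[bytes] = (),
                   client_mac: Optional[bytes] = None, dedup_window: float = 0.002) -> List[Record]:
    """Combine captures into one timeline.
    - frames to or from any MAC in exclude_macs (the capture laptop) are dropped
    - if client_mac is given, only frames involving that MAC are kept
    - a byte-identical frame seen again within dedup_window seconds is treated as the
      same frame observed at a second capture point and dropped (first sighting wins)
    """
    exclude = set(exclude_macs)
    merged: List[Record] = sorted((r for cap in captures for r in cap), key=lambda r: r[0])
    kept: List[Record] = []
    recent: List[Record] = []  # recently kept frames, candidates for duplicate detection
    for ts, frame in merged:
        dst, src = frame[0:6], frame[6:12]
        if dst in exclude or src in exclude:
            continue
        if client_mac is not None and client_mac not in (dst, src):
            continue
        recent = [r for r in recent if ts - r[0] <= dedup_window]
        if any(r[1] == frame for r in recent):
            continue
        recent.append((ts, frame))
        kept.append((ts, frame))
    return kept


# Constructed sample data: a wireless client talking to a server, a third host,
# and the capture laptop's own broadcast ARP leaking into the trace.
CLIENT, SERVER = mac("02:00:00:00:00:aa"), mac("02:00:00:00:00:bb")
LAPTOP, OTHER = mac("02:00:00:00:00:cc"), mac("02:00:00:00:00:dd")
FRAME_REQ = ethernet_frame(SERVER, CLIENT, 0x0800, b"req-1")
FRAME_RESP = ethernet_frame(CLIENT, SERVER, 0x0800, b"resp-1")
FRAME_OTHER = ethernet_frame(SERVER, OTHER, 0x0800, b"someone-else")
FRAME_LAPTOP_ARP = ethernet_frame(b"\xff" * 6, LAPTOP, 0x0806, b"who-has")


def sample_captures() -> Tuple[List[Record], List[Record]]:
    """Access-point capture, and a switch-side capture that sees the same frames
    about 0.8 ms later (mirror delay plus clock skew) plus traffic the AP never saw."""
    ap = [(1000.0001, FRAME_REQ), (1000.0005, FRAME_RESP), (1000.0010, FRAME_LAPTOP_ARP)]
    sw = [(1000.0009, FRAME_REQ), (1000.0013, FRAME_RESP), (1000.0015, FRAME_OTHER),
          (1000.0020, FRAME_LAPTOP_ARP)]
    # round-trip through the pcap writer/reader so the parser is exercised too
    return read_pcap(write_pcap(ap)), read_pcap(write_pcap(sw))


def demo() -> List[Record]:
    """Merged timeline for CLIENT only, with the capture laptop excluded."""
    ap, sw = sample_captures()
    return merge_captures([ap, sw], exclude_macs=[LAPTOP], client_mac=CLIENT)


if __name__ == "__main__":
    for ts, frame in demo():
        print(f"{ts:.6f} {frame[6:12].hex(':')} -> {frame[0:6].hex(':')} {frame[14:]!r}")
```

The merged result keeps the earlier (access-point) sighting of each frame, which is usually the better timestamp for a wireless client. In day-to-day work the Wireshark tools `mergecap` (combine files) and `editcap -d` (remove duplicates) do the same job on real captures; the example just makes the logic visible, including why a duplicate window that is too wide would also swallow a genuine retransmission of an identical frame.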
In this video, I walk you through this exercise using my Network Critical SmartNA XL tap/packet broker: https://www.networkcritical.com/smartna
Note: I figured out where those stray packets came from after my filter was applied. It was my capture device/laptop.