Remotely monitoring traffic, How remote traffic monitoring works, Using snoop filters on radios that use active scan – 3Com WX4400 3CRWX440095A User Manual

Page 638, Chapter A: Troubleshooting a WX Switch

Remotely Monitoring Traffic

Remote traffic monitoring enables you to snoop wireless traffic, by using
a MAP as a sniffing device. The MAP copies the sniffed 802.11 packets
and sends the copies to an observer, which is typically a protocol analyzer
such as Ethereal or Tethereal.

How Remote Traffic Monitoring Works

To monitor wireless traffic, a MAP radio compares traffic sent or received
on the radio to snoop filters applied to the radio by the network
administrator. When an 802.11 packet matches all conditions in a filter,
the MAP encapsulates the packet in a Tazmen Sniffer Protocol (TZSP)
packet and sends the packet to the observer host IP addresses specified
by the filter. TZSP uses UDP port 37008 for its transport. (TZSP was
created by Chris Waters of Network Chemistry.)

You can map up to eight snoop filters to a radio. A filter does not become
active until you enable it. Filters and their mappings are persistent and
remain in the configuration following a restart. The filter state is also
persistent across restarts. Once a filter is enabled, if the switch or the
MAP is subsequently restarted, the filter remains enabled after the restart.
To stop using the filter, you must manually disable it.

Using Snoop Filters on Radios That Use Active Scan

When active scan is enabled in a radio profile, the radios that use the
profile actively scan other channels in addition to the data channel that is
currently in use. Active scan operates on enabled radios and disabled
radios. In fact, using a disabled radio as a dedicated scanner provides
better rogue detection because the radio can spend more time scanning
on each channel.

When a radio is scanning other channels, snoop filters that are active on
the radio also snoop traffic on the other channels. To prevent monitoring
of data from other channels, use the channel option when you configure
the filter, to specify the channel on which you want to scan.

All Snooped Traffic Is Sent in the Clear

Traffic that matches a snoop filter is copied after it is decrypted. The
decrypted (clear) version is sent to the observer.
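As an added example (not from the 3Com manual or 3Com's own code), the following is a minimal TZSP dissector a defender can run over UDP 37008 payloads, together with a check that flags TZSP streams going to hosts other than the observers configured in the snoop filters. The tag numbers follow the public TZSP description; the sample datagram, the 802.11 stub and the IP addresses are constructed.

```python
import struct

TZSP_PORT = 37008   # TZSP transport port stated in the manual
ENCAP = {0x01: "ethernet", 0x12: "ieee80211", 0x77: "prism", 0x7F: "avs"}
TAG_PADDING, TAG_END = 0x00, 0x01
TAG_NAMES = {0x0A: "raw_rssi", 0x0B: "snr", 0x0C: "data_rate", 0x0D: "timestamp",
             0x10: "decrypted", 0x11: "fcs_error", 0x12: "rx_channel"}

def parse_tzsp(payload: bytes) -> dict:
    """Dissect one TZSP datagram: 4-byte header, tag list terminated by
    TAG_END, then the encapsulated frame. Raises ValueError on bad input."""
    if len(payload) < 5:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", payload[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(payload):
            raise ValueError("tag list not terminated by TAG_END")
        tag = payload[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:          # single-byte tag, no length field
            continue
        if pos >= len(payload):
            raise ValueError("truncated tag header")
        length = payload[pos]
        data = payload[pos + 1:pos + 1 + length]
        if len(data) != length:
            raise ValueError("truncated tag data")
        pos += 1 + length
        tags[TAG_NAMES.get(tag, f"tag_{tag}")] = int.from_bytes(data, "big")
    return {"type": ptype, "encap": ENCAP.get(encap, f"0x{encap:02x}"),
            "tags": tags, "frame": payload[pos:]}

def unexpected_observers(flows, allowed_observers):
    """Flows are (src_ip, dst_ip, dst_port). Return TZSP destinations that are
    not configured observer hosts: because the MAP forwards decrypted frames,
    any other receiver of this stream is reading wireless traffic in the clear."""
    return sorted({dst for _, dst, port in flows
                   if port == TZSP_PORT and dst not in allowed_observers})

# Constructed sample datagram: version 1, type 0, 802.11 encapsulation,
# rx_channel 6, decrypted flag, padding, TAG_END, then a 3-byte frame stub.
SAMPLE = bytes([0x01, 0x00, 0x00, 0x12,
                0x12, 0x01, 0x06, 0x10, 0x01, 0x01,
                0x00, 0x01]) + b"\x08\x02\x00"
```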