User's Manual

Table Of Contents

Network trace configuration 99

When the remote trace mode is in use, the M220 does not store any captured data locally in

its file system.

Setting up Wireshark sessions

You can trace up to five interfaces on the M220 at the same time. However, you must start a

separate Wireshark session for each interface. You can configure the IP port number used for

connecting Wireshark to the M220. The default port number is 2002. The system uses five

consecutive port numbers starting with the configured port for the packet trace sessions.

If a firewall is installed between the Wireshark PC and the M220, these ports must be allowed

to pass through the firewall. The firewall must also be configured to allow the Wireshark PC to

initiate TCP connection to the M220.

To configure Wireshark to use the M220 as the source for captured packets, you must specify

the remote interface in the Capture Options menu. For example, to trace packets on an M220

with IP address 192.168.1.10 on radio 1 using the default IP port, specify the following

interface:

rpcap://192.168.1.10/radio1

To trace packets on the Ethernet interface of the M220 and on the default wireless community

(wlan0) using IP port 58000, start two Wireshark sessions and specify the following interfaces:

rpcap://192.168.1.10:58000/eth0

rpcap://192.168.1.10:58000/wlan0

When you are capturing traffic on the radio interface, you can disable beacon trace, but other

802.11 control frames are still sent to Wireshark. You can set up a display filter to show only the

following:

• Data frames in the trace

• Traffic on specific BSSIDs

• Traffic between two clients

Some examples of useful display filters are the following:

• Exclude beacons and ACK/RTS/CTS frames:

!(wlan.fc.type_subtype == 8 || wlan.fc.type == 1)

• Data frames only:

wlan.fc.type == 2

• Traffic on a specific BSSID:

wlan.bssid == 00:02:bc:00:17:d0

• All traffic to and from a specific client:

wlan.addr == 00:00:e8:4e:5f:8e