FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n and 802.11ax, and designed for plug-and-play deployment.
lpetit_FTNT
Staff
Article Id 193182
Purpose
This article describes how to sniff wireless traffic using a FortiAP's radio and provides a sample configuration.

Scope

The wireless sniffer on the FortiAP was introduced in FortiOS 5.0.


Expectations, Requirements

From FortiOS 5.0, wireless traffic can be sniffed using the radios of the FortiAPs.

Only one radio is allowed to capture traffic at a time.

If one radio is set to sniffer mode, the second radio cannot be configured as a sniffer at the same time.

The radio configured in sniffer mode captures the traffic of its own band only.

For example, on a FAP220B, if Radio1 is set to sniffer mode, 2.4GHz band traffic is captured; if Radio2 is set to sniffer mode, 5GHz band traffic is captured.

 

The sniffer trace is stored in the /tmp directory as wl_sniff.pcap.

This file has to be downloaded to a TFTP server before changing the radio mode or rebooting the FortiAP.


Configuration

Setting the radio to sniffer mode is configurable from the CLI only. The GUI will reflect this change in the “Managed FortiAP” tab, where the radio will show the mode “Packet Sniffer”.

 

config wireless-controller wtp-profile
    edit sniffer
        config radio-2
            mode                  : sniffer
            ap-sniffer-bufsize    : 32
            ap-sniffer-chan       : 1
            ap-sniffer-addr       : 00:00:00:00:00:00
            ap-sniffer-mgmt-beacon: enable
            ap-sniffer-mgmt-probe : enable
            ap-sniffer-mgmt-other : enable
            ap-sniffer-ctl        : enable
            ap-sniffer-data       : enable
        end
    end

Before the configuration change to sniffer mode:
(screenshot: lpetit_1.JPG)

After having set the radio to sniffer mode:
(screenshot: lpetit_2.JPG)

The FortiAP will change to mode “Monitor”:
(screenshot: lpetit_3.JPG)

Full FGT configuration:
(screenshot: lpetit_4.JPG)
 

Verification

Filters:

ap-sniffer-addr can be used to restrict the capture to the traffic of a single client.

ap-sniffer-chan can be used to restrict the capture to a given channel.

 

Downloading the sniffer trace from the FortiAP:

FAP # cd /tmp
FAP # ls
wl_sniff.cap

FAP # tftp
BusyBox v1.15.0 (2012-05-24 17:25:46 PDT) multi-call binary

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
        -l FILE Local FILE
        -r FILE Remote FILE
        -g      Get file
        -p      Put file

FAP # tftp -l wl_sniff.cap -p 10.10.10.6 69

The file is now available on the TFTP server.
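As an added check (not part of this article and not a Fortinet tool), the following Python script reads the downloaded capture and counts frames in the same categories the ap-sniffer-mgmt-beacon/probe/other, ap-sniffer-ctl and ap-sniffer-data switches control, optionally restricted to one station's MAC in the way ap-sniffer-addr is described. The pcap bytes are constructed inline with made-up MAC addresses, and matching the station against Addr1 or Addr2 is an assumption about the filter's semantics, not the FortiAP's documented rule.

```python
import struct

CATEGORIES = ("mgmt-beacon", "mgmt-probe", "mgmt-other", "ctl", "data")

def classify(frame):
    # Map the frame-control type/subtype to the ap-sniffer-* switch that admits it.
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 0:                                # management
        if subtype == 8:
            return "mgmt-beacon"
        return "mgmt-probe" if subtype in (4, 5) else "mgmt-other"
    return "ctl" if ftype == 1 else "data"

def addresses(frame):
    # Addr1 (receiver) plus Addr2 (transmitter) when present; ACK/CTS carry only Addr1.
    return [frame[4:10]] + ([frame[10:16]] if len(frame) >= 16 else [])

def summarize(pcap_bytes, sniffer_addr=None):
    # Count frames per category; sniffer_addr keeps only frames sent to/from one station.
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    assert magic == 0xA1B2C3D4 and linktype in (105, 127), "expected an 802.11 pcap"
    counts, off = dict.fromkeys(CATEGORIES, 0), 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack("<I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == 127:                       # radiotap: skip header, length at bytes 2-3
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        if sniffer_addr is None or sniffer_addr in addresses(frame):
            counts[classify(frame)] += 1
    return counts

# Constructed sample capture (not a real wl_sniff trace): one AP, one client, DLT 105.
AP, CLIENT, BCAST = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02"), b"\xff" * 6
def hdr3(fc, a1, a2, a3, body=b""):           # 3-address management/data frame
    return bytes([fc, 0]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

def build_pcap(frames, linktype=105):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap([
    hdr3(0x80, BCAST, AP, AP, bytes(12)),          # beacon          -> mgmt-beacon
    hdr3(0x40, BCAST, CLIENT, BCAST),              # probe request   -> mgmt-probe
    hdr3(0x50, CLIENT, AP, AP, bytes(12)),         # probe response  -> mgmt-probe
    hdr3(0xB0, AP, CLIENT, AP, bytes(6)),          # authentication  -> mgmt-other
    bytes([0xB4, 0]) + b"\x00\x00" + AP + CLIENT,  # RTS             -> ctl
    hdr3(0x08, AP, CLIENT, AP, b"payload"),        # data            -> data
])
```

Running summarize(SAMPLE_PCAP) on a real download instead of the constructed bytes shows at a glance whether the categories you enabled in the wtp-profile actually made it into the file.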

