While writing the previous article I recalled all the problems I had trying to decode the Motorola (formerly Symbol) WISP, WISPe, CAPWAP protocols used between the Wireless LAN Switch and their Access Ports.
As of Wireshark version 0.99.7 there is decode support for the Lightweight Access Point Protocol (LWAPP) used by Airespace (Cisco) and a few other wireless vendors.
The legacy Motorola Wireless LAN WS5000, WS5100 switches (version 1.x and 2.x) utilize the Wireless Switch Protocol (WISP) while the Motorola Wireless LAN WS5100, RFS7000 (version 3.x and 1.x respectively) utilize the Wireless Switch Protocol Enhanced (WISPe). The WISPe protocol from Motorola very closely mimics the Control and Provisioning of Wireless Access Points (CAPWAP) protocol that is currently being developed by the IETF.
Now that I’ve got that history lesson out of the way, have you ever needed to decode the protocol running between the Wireless Switch and the Access Ports?
As you know by now I have a large number of Motorola Wireless LAN switches and Access Ports deployed throughout my organization. Unfortunately the latest version of Wireshark does not support the decoding of WISP, WISPe, or CAPWAP.
Thankfully Ethereal v0.10.14 has decoders for the WISP and CAPWAP protocols. I will give this warning, though: I have downloaded multiple copies of Ethereal v0.10.14 and some seem to support WISP and CAPWAP while others don’t appear to support it. If I find a link for a working version I’ll update this article.
Here’s an example of the WISP protocol between a Motorola Wireless LAN Switch (WS5000 v2.x) and an Access Port 300 (AP300).
In the above trace you can see that the AP300 has just been reset and is in the process of booting. It starts by issuing EAPOL and LLDP packets before sending its first WISP “Hello”. You can see that the WS5000 responds to the “Hello” with a “Parent” command, after which the AP300 starts to download its runtime software with the “LoadMe” command.
Here’s an example of the CAPWAP protocol between a Motorola Wireless LAN Switch (WS5100 v3.x) and an Access Port 300 (AP300).
Note: this trace was not performed at the port level so we don’t see the EAPOL or LLDP traffic. We can see the AP300 making “Discovery”, “Join” and “Cfg” requests of the WS5100 switch.
Cheers!
UPDATE: March 29, 2008
Here’s a link for Ethereal v0.10.14 that I believe should decode both WISP and CAPWAP:
http://www.michaelfmcnamara.com/files/wisp-ethereal-setup-0.10.14.exe
Bousquet says
Hello Michael.
Your comments are very interesting.
What kind of Linux did you use to install Ethereal v0.10.14?
Thanks a lot !
Michael McNamara says
I was running Ethereal v0.10.14 on a Windows XP laptop.
Whenever I’m using Linux I just use tcpdump to capture the data and then look at it later with Wireshark or Ethereal on a Windows XP laptop.
Cheers!
malphx says
Hi Michael,
Did you finally find a link to an Ethereal version that can decode WISP?
I’m really interested in decoding WISP/WISPe, so if you know a tool that can do that, let me know.
Thanks.
Michael McNamara says
Here’s the link for a version of Ethereal v0.10.14;
http://www.michaelfmcnamara.com/files/wisp-ethereal-setup-0.10.14.exe
that I believe should decode the WISP, WISPe and CAPWAP protocols.
As I’ve said before I’m not sure why some of the other distributions don’t work. I had hoped by now that Wireshark would support CAPWAP and WISP. I may have to roll up my sleeves and install Microsoft Visual C++.
I just installed Ethereal using the link above and it lists both CAPWAP and WISP under Help -> Support Protocols.
Cheers!
malphx says
Thank you very much Michael!
It seems to work fine!
After I’ve read your post, I downloaded the official version of Ethereal 0.10.14 but it doesn’t decode WISP/CAPWAP. And unfortunately I didn’t find the “good” one.
Thanks a lot, again.
Neil says
Hi Michael,
I am implementing CAPWAP AC and WTP on a Linux platform. Referring to your capture image, I am a little confused about your capture environment. Could you please tell me the detailed topology for CAPWAP packet capturing?
Thanks for your help.
Michael McNamara says
Hi Neil,
I’m not exactly sure what you’re asking… if you are asking how I performed the actual packet capture, I mirrored a port on my Nortel Ethernet Routing Switch 5520 where I had a Motorola Access Port 300 connected. I was capturing the packet stream between the AP300 and the network, focusing on the data stream between the Motorola WS5100 and the Access Port.
Cheers!
Neil says
Hi Michael,
Thanks for your kind reply.
I can decode CAPWAP on my Linux machine now; I found that I have to patch the CAPWAP protocol for the Wireshark tool. On the Windows side, I still cannot see the CAPWAP protocol with the Ethereal you provide on your web site. Anyway, thanks for your help!!!
Best Regards,
Neil.
Michael McNamara says
Hi Neil,
I just downloaded the file and tried it myself and it works fine. I was able to decode the CAPWAP packets between the Access Ports and the Motorola RFS7000 Wireless LAN Switch.
Sorry I couldn’t help you.