Cisco AP debugs (Client debugging)

  • Debugging Management frame exchange

AP Debug commands used

  1. debug dot11 dot11Radio 1 monitor address
  2. debug dot11 dot11Radio 1 mgmt

WLC debugs

  1. debug client

Wireless sniffer trace using AP in sniffer mode



AP debug output (some output may be removed due to space constraints)

*Nov 3 03:02:43.923: 58A3329B t 12 0 - C000 000 CD3B44 B544FF B544FF 0100 deauth l 2 ------> client deauthenticated from WLC
reason 252

note:
    • in the above line, the 't' in the portion '58A3329B t 12' stands for transmitted packet
    • CD3B44 is the last 3 octets of the client MAC address (00:27:10:cd:3b:44)




*Nov 3 03:02:44.399: 58AA6FE2 r 6 71/82/67/77 31- B000 03C B544FF CD3B44 B544FF 17B0 auth l 6 ------> open authentication request from client
algorithm 0
sequence 1
status 0

note:
    • in the above line, the 'r' in the portion '58AA6FE2 r 6' stands for received packet
    • CD3B44 is the last 3 octets of the client MAC address (00:27:10:cd:3b:44)
    • sequence 1 (1st packet in the auth sequence)
    • as you can see above, after the deauth you do not see the probe request and probe response frames. This is because the debugs only print driver logs and not radio logs (probe request, probe response, RTS, CTS etc. are radio-level events which do not show up in AP debugs)
    • the hex number 17B in the portion 'B544FF 17B0 auth l 6' is the sequence number of the frame. The decimal value seen in the packet capture is 379
    • the '6' at the end of the line in the portion '17B0 auth l 6' is the length in bytes of the 802.11 frame. In this case it is 6 bytes.




*Nov 3 03:02:44.399: 58AA70F5 t 12 0 - B000 5000 CD3B44 B544FF B544FF 0710 auth l 6 ------> open auth response from AP
algorithm 0
sequence 2
status 0


*Nov 3 03:02:44.399: 58AA7470 r 6 71/82/67/77 31- 0000 03C B544FF CD3B44 B544FF 17C0 assreq l 130 ------> Association request from client
cap 11 infra privacy
listen interval 10
ssid viten_11r
rates 98 24 B0 48 60 6C
rsn1 mcst aes ucst aes keymgmt wpa2 cap 3C00
221 - 0 50 F2 2 0 1 0
ccxver 4
221 - 0 40 96 B 1
aironet PC2 load 0 clients 15104 hops 1 device 66-885E
refresh 10 CW 15-1023 flags 18 distance 0
45 - 3C 9 17 FF FF FF 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

note:
    • in the above portion, 'B544FF CD3B44 B544FF' refers to the last 3 octets of the BSSID, the source / client MAC, and the destination / BSSID MAC
    • ssid viten_11r - shows the SSID 'viten_11r'
    • rsn1 mcst aes - group cipher suite is AES
    • ucst aes - pairwise cipher suite is AES
    • keymgmt wpa2 - Auth key management is WPA2
    • cap 3C00 - RSN capabilities (0x003c)


    • 221 - 0 50 F2 2 0 1 0 -- the numbers align to the fields shown in the pic (example: 00-50-f2 --> OUI for Microsoft)


    • ccxver 4 - implies client is CCXv4 capable
    • 221 - 0 40 96 B 1 -- the numbers align to the fields shown below (example: 00-40-96 --> OUI Aironet)




*Nov 3 03:02:44.403: 58AA811B t 12 0 - 1000 000 CD3B44 B544FF B544FF 0720 assrsp l 150 ----> Association response from AP
cap 11 infra privacy
status 0
aid C001
rates 98 24 B0 48 60 6C
45 - AC 19 1B FF FF FF 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
61 - 3C 8 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
aironet Viten_2700_2 load 0 clients 1 hops 0 device 8F-4D00
refresh 10 CW 15-1023 flags 40 distance 0
IP 192.168.162.22 0
ccxver 5
221 - 0 40 96 B 1
221 - 0 50 F2 2 1 1 80 0 3 A4 0 0 27 A4 0 0 42 43 5E 0 62 32 2F 0

note:
    • Viten_2700_2 - this is the AP name
    • IP 192.168.162.22 - this is the WLC IP address


*Nov 3 03:02:44.403: 58AA89E5 t 12 0 - 8802 000 CD3B44 B544FF B544FF 0110 q7 l66 -----> EAP Identity request sent by the WLC
EAPOL2 EAP id 1 req ident 0 "networkid=viten_11r,nasid=Viten_5508_1,portid=13"

note:
    • q7 in the portion 'B544FF 0110 q7 l66' is the priority of the frame (TID)
    • EAPOL2 EAP id 1 -- EAP ID 1 (request)
    • viten_11r - this is the ssid name
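
The field notes above (t/r direction, last 3 octets of the MAC, sequence number, length) can be applied mechanically to a saved debug log. The parser below is an added example, not part of the original post or Cisco tooling; the function names are hypothetical, and the address order and fragment digit are assumptions read from the sample lines on this page.

```python
import re

# Header lines copied from the debug output on this page (annotations removed).
SAMPLE = """\
*Nov 3 03:02:43.923: 58A3329B t 12 0 - C000 000 CD3B44 B544FF B544FF 0100 deauth l 2
*Nov 3 03:02:44.399: 58AA6FE2 r 6 71/82/67/77 31- B000 03C B544FF CD3B44 B544FF 17B0 auth l 6
algorithm 0
*Nov 3 03:02:44.399: 58AA7470 r 6 71/82/67/77 31- 0000 03C B544FF CD3B44 B544FF 17C0 assreq l 130
*Nov 3 03:02:44.403: 58AA89E5 t 12 0 - 8802 000 CD3B44 B544FF B544FF 0110 q7 l66
"""

# timestamp, 8-hex id, t/r, radio fields (skipped), three address suffixes,
# sequence control, frame kind, then "l <n>" or "l<n>" for the length.
HEADER = re.compile(
    r"^\*(?P<ts>\w+\s+\d+\s+[\d:.]+):\s+[0-9A-F]{8}\s+(?P<dir>[tr])\s+.*?"
    r"\b(?P<a1>[0-9A-F]{6})\s+(?P<a2>[0-9A-F]{6})\s+(?P<a3>[0-9A-F]{6})\s+"
    r"(?P<seqctl>[0-9A-F]{4})\s+(?P<kind>\w+)\s+l\s*(?P<len>\d+)"
)

def parse_header(line):
    """Return a dict for a frame header line, or None for continuation lines."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    sent = m["dir"] == "t"
    seqctl = int(m["seqctl"], 16)
    return {
        "time": m["ts"],
        "direction": "tx" if sent else "rx",
        # Assumption read from the samples: the client suffix is the first
        # address on transmitted lines and the second on received lines.
        "client": m["a1"] if sent else m["a2"],
        "bssid": m["a3"],
        "kind": m["kind"],
        "seq": seqctl >> 4,    # 17B0 -> 0x17B -> 379, as seen in the capture
        "frag": seqctl & 0xF,  # assumption: last hex digit is the fragment number
        "length": int(m["len"]),
    }

def client_timeline(text, mac):
    """Frames for one client, matched on the last 3 octets the debug prints."""
    suffix = mac.replace(":", "").upper()[-6:]
    frames = (parse_header(line) for line in text.splitlines())
    return [f for f in frames if f and f["client"] == suffix]

if __name__ == "__main__":
    for f in client_timeline(SAMPLE, "00:27:10:cd:3b:44"):
        print(f["time"], f["direction"], f["kind"], f["seq"], f["length"])
```

The decimal `seq` value is the one to match against the sequence number column in the sniffer trace when correlating the two views.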



*Nov 3 03:02:44.443: 58AB1D97 r 12 71/81/67/77 31- 8801 030 B544FF CD3B44 B544FF 0000 q0 l23 -----> EAP Identity response sent by client
EAP id 1 resp ident "viten1"



*Nov 3 03:02:44.447: 58AB349A t 12 0 - 8802 000 CD3B44 B544FF B544FF 0120 q7 l18 ----> EAP Request, TLS sent to the client
EAPOL2 EAP id 229 req tls 20


*Nov 3 03:02:44.447: 58AB360E r 12 71/82/67/77 31- 8801 030 B544FF CD3B44 B544FF 0010 q0 l18 ----> EAP Response by client, desired EAP-PEAP
EAP id 229 resp nak 19



*Nov 3 03:02:44.451: 58AB410A t 12 0 - 8802 000 CD3B44 B544FF B544FF 0130 q7 l18
EAPOL2 EAP id 230 req peap 21



*Nov 3 03:02:44.451: 58AB4412 r 6 71/81/67/77 31- 8801 030 B544FF CD3B44 B544FF 0020 q0 l164
EAP id 230 resp peap 8000 0000 8E16 0301 0089 0100 0085 0301 5457 DEA6
64F5 5B92 7196 7AF2 2A07 1299 7DB3 CBE7 3C33 CF81 472C 392A 0569 BB24 20B9
A470 5DE9 8E43 450D DABF 929C 1EE6 8B2C 7DD5 5CEB 7057 1A08 03F3 C2B0 023D



*Nov 3 03:02:44.455: 58AB52C2 t 12 0 - 8802 000 CD3B44 B544FF B544FF 0140 q7 l670
EAPOL2 EAP id 231 req peap 0016 0301 004A 0200 0046 0301 5457 DEA6 F905
097A 6F74 97DD D240 5FC5 7C05 49D9 6A47 0307 D915 FA57 70FD 328E 2040 47BD
C858 03B7 4031 CFB9 1F3B 572F DB31 798C 2384 956C 9706 3020 BDA0 1F43 6600



*Nov 3 03:02:44.455: 58AB5721 r 6 72/75/59/72 39- 8801 030 B544FF CD3B44 B544FF 0030 q0 l220
EAP id 231 resp peap 8000 0000 C616 0301 0086 1000 0082 0080 7F14 6A11
EBA1 0129 AFE3 420D 0EA9 5D25 FAC9 CCEF CBB6 6F70 9771 F91F 4EEA A390 DF57
0153 8A48 6F70 0927 475C 8711 B6C1 FC27 2D54 2ABD 4B69 65B3 10E5 A184 5239




*Nov 3 03:02:44.463: 58AB6BCF t 12 0 - 8802 000 CD3B44 B544FF B544FF 0150 q7 l77
EAPOL2 EAP id 232 req peap 0014 0301 0001 0116 0301 0030 92B7 37AE B0A7
2F2C 954A 8E3F B589 FF0E 8864 B235 EAC4 5A8E A093 8302 77A1 E62E D9D4 07DD
EE7C 9D14 4952 258F B2CA 42D6




*Nov 3 03:02:44.463: 58AB711E r 12 71/82/67/77 31- 8801 030 B544FF CD3B44 B544FF 0040 q0 l18
EAP id 232 resp peap 00




*Nov 3 03:02:44.467: 58AB7CA4 t 12 0 - 8802 000 CD3B44 B544FF B544FF 0160 q7 l55
EAPOL2 EAP id 233 req peap 0017 0301 0020 2117 B9A8 DD5A D550 F51E 58ED
6FC9 6083 60B0 E735 B30C BAD9 ADF1 BAD6 27CF B465


*Nov 3 03:02:44.467: 58AB7E31 r 12 71/82/67/77 31- 8801 030 B544FF CD3B44 B544FF 0050 q0 l55
EAP id 233 resp peap 0017 0301 0020 B2F4 234F E5EC C72B 55DD 16BF A498
2CFC 152A 8B08 C2B0 C92E 0E7C 3EAA 1CAD 347D


*Nov 3 03:02:44.471: 58AB88DF t 12 0 - 8802 000 CD3B44 B544FF B544FF 0170 q7 l87
EAPOL2 EAP id 234 req peap 0017 0301 0040 A99D 8560 D7C9 B573 7315 13F0
E409 B497 BEFC A58E DABA 4816 1157 67E7 FC65 1C11 2C77 6DBF 232F DC69 93B3
FD8C 9AB5 4910 0D34 61A6 4091 36E1 8282 549C CAAB A6B0


*Nov 3 03:02:44.471: 58AB9390 r 12 71/82/67/77 31- 8801 030 B544FF CD3B44 B544FF 0060 q0 l119
EAP id 234 resp peap 0017 0301 0060 777D 3B3F 29B6 4690 AF72 EB98 E5F8
F6AF 206B 872F 268B 9587 561A 4344 DE87 AE93 6E68 3855 07A4 3DAE F990 F4CF
1097 F352 2DF9 4DFB DEE0 A48E C928 4CA8 487A 50CF A945 9E81 CE62 1C95 E669


*Nov 3 03:02:44.479: 58ABA9CE t 12 0 - 8802 000 CD3B44 B544FF B544FF 0180 q7 l103
EAPOL2 EAP id 235 req peap 0017 0301 0050 B568 09AF EC38 213B E300 4B69
084E 1D86 A765 BBB9 275C 3AAA 6DD5 E10A 0389 303C 78E2 EBED 0C1B 2FD9 6977
980B 9153 7BB7 3EE8 C828 BC06 09CB DC79 C145 C334 731B 3BAB F755 3172 BD03



*Nov 3 03:02:44.479: 58ABAD68 r 12 71/82/67/77 31- 8801 030 B544FF CD3B44 B544FF 0070 q0 l55
EAP id 235 resp peap 0017 0301 0020 1F51 0FDF 0F75 18B3 48EE 4E89 E59A
3292 BA81 6069 F5E3 D98D 7004 E139 8D1B 3636



*Nov 3 03:02:44.483: 58ABB805 t 12 0 - 8802 000 CD3B44 B544FF B544FF 0190 q7 l55
EAPOL2 EAP id 236 req peap 0017 0301 0020 48EE 3C2C 3D01 CF60 845E 9936
A8CB F885 F7DC 291A 4764 152D FAD7 AC75 85CE 8087



*Nov 3 03:02:44.483: 58ABBC17 r 12 71/82/67/77 32- 8801 030 B544FF CD3B44 B544FF 0080 q0 l55
EAP id 236 resp peap 0017 0301 0020 F9CE B1A1 517A 4AC1 D62E 1481 5C4F
C0EE A2CE FA79 2A15 5D1F 3708 7B75 FE6D A6BA


*Nov 3 03:02:44.503: 58AC0B8E t 12 0 - 8802 000 CD3B44 B544FF B544FF 01A0 q7 l16 -----> EAP Success
EAPOL2 EAP id 236 success

*Nov 3 03:02:44.503: 58AC0E49 t 12 0 - 8802 000 CD3B44 B544FF B544FF 01B0 q7 l129 -----> EAPOL Key 1
EAPOL2 EAPOL key desc 02 008A 0010 0000 0000 0000 0000 A1AA 18D1 F3E4
08F1 674E 9EEC 2B3F 987D 21D0 C4EA 002E CA0B 2BA4 F00B F679 FE6A 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000


*Nov 3 03:02:44.507: 58AC208A r 12 71/82/67/77 31- 8801 030 B544FF CD3B44 B544FF 0090 q0 l131 -----> EAPOL Key 2
EAPOL key desc 02 010A 0000 0000 0000 0000 0000 4B39 2030 98F9 B251 E730
8E5E AE02 0A57 A2BA A872 9A6A 2448 87D4 802F B44F 41AF 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 46F7 7C48 5D22


*Nov 3 03:02:44.511: 58AC27DB t 12 0 - 8802 000 CD3B44 B544FF B544FF 01C0 q7 l163 -----> EAPOL Key 3
EAPOL2 EAPOL key desc 02 13CA 0010 0000 0000 0000 0001 A1AA 18D1 F3E4
08F1 674E 9EEC 2B3F 987D 21D0 C4EA 002E CA0B 2BA4 F00B F679 FE6A 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 FB74



*Nov 3 03:02:44.511: 58AC295D r 12 71/82/67/77 31- 8801 030 B544FF CD3B44 B544FF 00A0 q0 l107 -----> EAPOL Key 4
EAPOL key desc 02 030A 0000 0000 0000 0000 0001 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 6B5F CBE9 D317



*Nov 3 03:02:47.323: 58D71BF7 t 12 0 - D000 4000 CD3B44 B544FF B544FF 01D0 action l 9 -----> Action Frame (Add Block Ack Request / ADDBA)
addba_req tok 1 param 1002 timeout 0 seqnum 160

note:
    • timeout 0 seqnum 160 --- Block Ack Parameters
    • the 16 in the portion 'timeout 0 seqnum 160' is the sequence number (22 in decimal)


*Nov 3 03:02:47.327: 58D71D74 r 12 71/82/67/77 31- D000 030 B544FF CD3B44 B544FF 17D0 action l 9 -----> Action Frame (Add Block Ack Response)
addba_rsp tok 1 param 1002 timeout 5000 status 0


*Nov 3 03:02:47.327: 58D71E50 t 12 0 - D000 4F00 CD3B44 B544FF B544FF 01E0 action l 6 -----> Action Frame (Delete Block Ack)
delba param 800 reason 39



