Here is a post on Wi-Fi PCAP with Mist APs. In the previous two posts, we looked at the same topic with UniFi and Cisco Meraki APs. The topology is very simple, as shown below. As in the previous tests, while capturing on the AP I also took a multi-channel PCAP with a WLANPi and Airtool 2 for comparison.

Taking a PCAP with Mist APs is really simple: go to ‘Site > Packet Captures’ and select the AP. You can refer to this document for more details.

If you have many APs, as in a production environment, you should filter on specific APs, clients, WLANs and radio bands to keep the capture small. In my test environment I only had one AP and did not apply any filters. I set packets per AP to 0 (unlimited) and bytes per packet to 2000. I also selected ‘Local capture’ instead of streaming the capture to the Mist Cloud for live viewing.

Once the PCAP is taken, you can download the ‘captured files’ by clicking the link in the top right-hand corner of the same screen. Captures you have taken in the past three days are available for download.

I kept the ‘mist-1X’ SSID on 5 GHz and 6 GHz and connected a few different clients to the WPA3-Enterprise and WPA3-Personal SSIDs. Here are the two captures:
- Mist AP capture (mistap-5-6ghz.pcapng)
- WLANPi Capture (airtool_ap45-5-6ghz.pcapng)
Like the Cisco Meraki AP, the Mist AP gives you a decrypted view of secure SSID traffic. Here is a client connecting to the WPA3-Enterprise SSID. You can isolate the two clients' traffic with the display filters wlan.addr == 4e:a7:bc:44:b3:64 && not wlan.fc.type == 1 and wlan.addr == ea:3a:75:d2:53:f6 && not wlan.fc.type == 1 (the second clause excludes control frames).

Here is a WPA3-Personal SSID client connecting. Note that this client (wlan.addr == a0:02:a5:e0:54:5c && not wlan.fc.type == 1) is far from the AP, so you will see many retransmitted frames.

One thing I noticed is that the Mist AP PCAP files are much smaller. Here are the capture file properties: the Mist capture ran for 3:21, while the Airtool capture ran for 2:50. Although the Airtool capture was shorter, it captured 20,849 frames, whereas the Mist AP capture recorded only 3,867 frames.

It seems most control frames and beacon frames are not captured in the Mist PCAP. Below is a comparison of the frames captured by each.

It also seems that the decrypted view covers only data frames. Protected management frames (robust action frames) do not appear to be decrypted. You can filter action frames with wlan.fc.type_subtype == 0x000d or wlan.fc.type_subtype == 0x000e (Action and Action No Ack).
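To make the two comparisons above reproducible (the frame-type breakdown between the Mist and Airtool captures, and whether the action frames in a capture are actually decrypted), here is a small standard-library Python script that walks a pcapng file, strips the radiotap header, classifies each 802.11 frame by type/subtype and checks the Protected Frame bit on action frames. It also reproduces the per-client display filter used earlier (wlan.addr == X && not wlan.fc.type == 1). This is an added example, not code from the post or from Mist; the pcapng it parses is constructed inline (a beacon, an RTS, a QoS data frame, one plain and one protected action frame), and it assumes that a capture tool which decrypts frames clears the Protected Frame bit when it writes them out, which is what lets the category code be decoded.

```python
"""Count 802.11 frame types in a pcapng and flag undecrypted action frames.
Standard library only; added example, not part of the original post."""
import struct
from collections import Counter

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006      # pcapng block types
LINKTYPE_IEEE802_11_RADIOTAP = 127                     # 802.11 + radiotap header

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}
SUBTYPE_NAMES = {
    0: {0x0: "assoc-req", 0x1: "assoc-resp", 0x8: "beacon", 0xB: "auth",
        0xD: "action", 0xE: "action-no-ack"},
    1: {0x8: "block-ack-req", 0x9: "block-ack", 0xB: "rts", 0xC: "cts", 0xD: "ack"},
    2: {0x0: "data", 0x4: "null", 0x8: "qos-data", 0xC: "qos-null"},
}


def pcapng_frames(blob):
    """Yield (linktype, frame) for every Enhanced Packet Block. Endianness comes
    from the SHB byte-order magic; IDB order maps interface id -> link type."""
    off, endian, linktypes = 0, "<", []
    while off + 12 <= len(blob):
        btype, = struct.unpack_from(endian + "I", blob, off)
        if btype == SHB:  # palindromic, so readable before endianness is known
            endian = "<" if blob[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
            linktypes = []
        blen, = struct.unpack_from(endian + "I", blob, off + 4)
        if blen < 12:
            raise ValueError("corrupt pcapng block length")
        if btype == IDB:
            linktypes.append(struct.unpack_from(endian + "H", blob, off + 8)[0])
        elif btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from(endian + "IIIII", blob, off + 8)
            yield linktypes[iface], blob[off + 28:off + 28 + caplen]
        off += blen


def dot11_header(linktype, frame):
    """Strip radiotap (its length is little-endian at bytes 2..3)."""
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        frame = frame[struct.unpack_from("<H", frame, 2)[0]:]
    return frame


def classify(mac):
    """Return (type, subtype, name, protected) from the Frame Control field."""
    ftype, subtype = (mac[0] >> 2) & 0x3, (mac[0] >> 4) & 0xF
    name = SUBTYPE_NAMES.get(ftype, {}).get(subtype, f"subtype-{subtype:#x}")
    return ftype, subtype, name, bool(mac[1] & 0x40)


def addresses(mac):
    """addr1..addr3 at offsets 4/10/16; control frames only carry the first one or two."""
    return [mac[4 + 6 * i:10 + 6 * i] for i in range(3) if len(mac) >= 10 + 6 * i]


def frame_summary(blob, client=None):
    """Counter of 'type/subtype' names. With a client MAC (bytes) this mirrors the
    display filter wlan.addr == client && not wlan.fc.type == 1."""
    counts = Counter()
    for lt, frame in pcapng_frames(blob):
        mac = dot11_header(lt, frame)
        ftype, _, name, _ = classify(mac)
        if client is not None and (ftype == 1 or client not in addresses(mac)):
            continue
        counts[f"{TYPE_NAMES[ftype]}/{name}"] += 1
    return counts


def action_frames(blob):
    """[(protected, category)] for Action / Action No Ack frames. If the Protected
    bit is still set, byte 24 (the category code) is ciphertext, so we report None:
    the capture tool did not decrypt that robust management frame."""
    out = []
    for lt, frame in pcapng_frames(blob):
        mac = dot11_header(lt, frame)
        ftype, subtype, _, prot = classify(mac)
        if ftype == 0 and subtype in (0xD, 0xE):
            out.append((prot, None if prot else mac[24]))
    return out


# ---- constructed sample capture (not a real Mist or Airtool file) -----------
AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("4ea7bc44b364"), b"\xff" * 6


def _block(btype, body):
    body += b"\0" * (-len(body) % 4)                      # 32-bit padding
    blen = len(body) + 12                                  # length stored at both ends
    return struct.pack("<II", btype, blen) + body + struct.pack("<I", blen)


def _mgmt(subtype, ra, ta, bssid, body, protected=False):
    fc = bytes([subtype << 4, 0x40 if protected else 0x00])
    return fc + b"\0\0" + ra + ta + bssid + b"\0\0" + body   # 24-byte header + body


def sample_capture():
    frames = [
        _mgmt(0x8, BCAST, AP, AP, b"\0" * 12),                        # beacon
        bytes([0xB4, 0x00, 0, 0]) + STA + AP,                          # RTS (control)
        bytes([0x88, 0x01, 0, 0]) + AP + STA + AP + b"\0\0\0\0" + b"hi",  # QoS data, ToDS
        _mgmt(0xD, AP, STA, AP, bytes([0x03, 0x00])),                 # action, category 3
        _mgmt(0xD, AP, STA, AP, bytes([0xA5, 0x5A]), protected=True),  # protected, body opaque
    ]
    shb = _block(SHB, b"\x4d\x3c\x2b\x1a" + struct.pack("<HHq", 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", LINKTYPE_IEEE802_11_RADIOTAP, 0, 65535))
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)             # minimal 8-byte radiotap header
    return shb + idb + b"".join(
        _block(EPB, struct.pack("<IIIII", 0, 0, 0, len(f) + 8, len(f) + 8) + radiotap + f)
        for f in frames)


if __name__ == "__main__":
    cap = sample_capture()
    print(frame_summary(cap)); print(frame_summary(cap, client=STA)); print(action_frames(cap))
```

Point `pcapng_frames` at the Mist and Airtool files and diff the two `frame_summary` counters to get the beacon/control shortfall noted above; a capture in which every action frame comes back as `(True, None)` is one where the tool left robust management frames encrypted.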

Here are the action frames from the Cisco Meraki AP PCAP. You can see their category code, which means those frames were decrypted.

I am not sure whether it is intentional to limit those control and management frames during capture.
Update: Westly Purvis from Mist clarified why it is happening.
