588    Appendix A: Troubleshooting a WS Switch    320657-A

Remotely Monitoring Traffic

Remote traffic monitoring enables you to snoop wireless traffic by using a Distributed AP as a sniffing device. The AP copies the sniffed 802.11 packets and sends the copies to an observer, which is typically a protocol analyzer such as Ethereal or Tethereal.

How Remote Traffic Monitoring Works

To monitor wireless traffic, an AP radio compares traffic sent or received on the radio to snoop filters applied to the radio by the network administrator. When an 802.11 packet matches all conditions in a filter, the AP encapsulates the packet in a Tazmen Sniffer Protocol (TZSP) packet and sends the packet to the observer host IP addresses specified by the filter. TZSP uses UDP port 37008 for its transport. (TZSP was created by Chris Waters of Network Chemistry.)

You can map up to eight snoop filters to a radio. A filter does not become active until you enable it. Filters and their mappings are persistent and remain in the configuration following a restart. However, filter state is not persistent: if the switch or the AP is restarted, the filter is disabled. To continue using the filter, you must enable it again.

Using Snoop Filters on Radios That Use Active Scan

When active scan is enabled in a radio profile, the radios that use the profile actively scan other channels in addition to the data channel that is currently in use. Active scan operates on enabled radios and disabled radios. In fact, using a disabled radio as a dedicated scanner provides better rogue detection because the radio can spend more time scanning on each channel.

When a radio is scanning other channels, snoop filters that are active on the radio also snoop traffic on the other channels. To prevent monitoring of data from other channels, use the channel option when you configure the filter, to specify the channel on which you want to snoop.

All Snooped Traffic Is Sent in the Clear

Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear) version is sent to the observer.

Best Practices for Remote Traffic Monitoring

• Do not specify an observer that is associated with the AP where the snoop filter is running. This configuration causes an endless cycle of snoop traffic.
• If the snoop filter is running on a Distributed AP, and the AP used a DHCP server in its local subnet to configure its IP information, and the AP did not receive a default gateway address as a result, the observer must also be in the same subnet. Without a default gateway, the AP cannot find the observer.
• The AP that is running a snoop filter forwards snooped packets directly to the observer. This is a one-way communication, from the AP to the observer. If the observer is not present, the AP still sends the snoop packets, which use bandwidth. If the observer is present but is not listening to TZSP traffic, the observer continuously sends ICMP error indications back to the AP. These ICMP messages can affect network and AP performance.
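The following decoder shows what an observer receives on UDP port 37008 when the AP encapsulates a snooped 802.11 frame in TZSP, as described under "How Remote Traffic Monitoring Works" above. It is an added example, not code from this manual, from the WS switch, or from Ethereal/Tethereal. It assumes the TZSP layout used by the public Wireshark dissector (4-byte header of version, type and encapsulation, followed by a tag list terminated by tag 0x01, then the encapsulated frame) and the tag numbers listed in TAG_NAMES; the datagram it parses is constructed inline for illustration.

```python
"""Observer-side decoder for TZSP-encapsulated 802.11 frames.

Added example (not the WS switch's or Tethereal's code). The header layout
and tag numbers follow the public Wireshark TZSP dissector; the sample
datagram below is constructed, not captured from a real AP.
"""
import struct

TZSP_UDP_PORT = 37008           # transport port named in the manual
TZSP_VERSION = 1
ENCAP_NAMES = {1: "Ethernet", 18: "IEEE 802.11"}
TAG_PAD, TAG_END = 0x00, 0x01   # these two tags carry no length byte
TAG_NAMES = {
    0x0A: "signal", 0x0B: "noise", 0x0C: "rate", 0x0D: "timestamp",
    0x10: "decrypted", 0x11: "fcs_error", 0x12: "rx_channel",
}
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def parse_tzsp(datagram: bytes) -> dict:
    """Split one TZSP datagram into header fields, radio tags and payload.

    Raises ValueError on truncated or malformed input so a collector never
    treats garbage past the end of the buffer as an 802.11 frame.
    """
    if len(datagram) < 4:
        raise ValueError("truncated TZSP header")
    version, pkt_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PAD:
            continue
        if tag == TAG_END:
            break
        if pos >= len(datagram):
            raise ValueError("tag length byte missing")
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise ValueError("tag value runs past end of datagram")
        pos += length
        tags[TAG_NAMES.get(tag, f"tag_{tag:#04x}")] = value
    return {
        "version": version,
        "type": pkt_type,
        "encapsulation": ENCAP_NAMES.get(encap, f"unknown({encap})"),
        "tags": tags,
        "payload": datagram[pos:],   # the snooped frame, in the clear
    }


def rx_channel(parsed: dict):
    """Channel the AP reported for the frame, or None if no tag was sent.
    Useful for spotting frames snooped while the radio was active-scanning
    a channel other than the one the filter was meant to cover."""
    value = parsed["tags"].get("rx_channel")
    return value[0] if value else None


def is_well_formed(datagram: bytes) -> bool:
    """True if the datagram parses as TZSP, False otherwise."""
    try:
        parse_tzsp(datagram)
        return True
    except ValueError:
        return False


def summarize_80211(frame: bytes) -> dict:
    """Decode Frame Control and the three addresses of a generic 802.11 header."""
    if len(frame) < 24:
        raise ValueError("802.11 header shorter than 24 bytes")
    fc = frame[0]                       # version:2 | type:2 | subtype:4 (LSB first)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF

    def mac(off):
        return ":".join(f"{b:02x}" for b in frame[off:off + 6])

    return {"type": FRAME_TYPES.get(ftype, "reserved"), "subtype": subtype,
            "addr1": mac(4), "addr2": mac(10), "addr3": mac(16)}


# Constructed sample: a beacon (type 0, subtype 8) from BSSID 00:11:22:33:44:55
SAMPLE_80211 = (bytes([0x80, 0x00, 0x00, 0x00])          # frame control, duration
                + bytes.fromhex("ffffffffffff")           # addr1: broadcast
                + bytes.fromhex("001122334455")           # addr2: source
                + bytes.fromhex("001122334455")           # addr3: BSSID
                + bytes([0x10, 0x00])                     # sequence control
                + b"beacon-body")
SAMPLE_TZSP = (struct.pack("!BBH", TZSP_VERSION, 0, 18)  # type 0, encap 802.11
               + bytes([0x12, 1, 6])                      # rx_channel = 6
               + bytes([0x10, 1, 1])                      # decrypted = 1
               + bytes([0x0A, 1, 0xD0])                   # signal (signed dBm)
               + bytes([TAG_END])
               + SAMPLE_80211)

if __name__ == "__main__":
    parsed = parse_tzsp(SAMPLE_TZSP)
    print(parsed["encapsulation"], "channel", rx_channel(parsed))
    print(summarize_80211(parsed["payload"]))
```

To use it against a live observer, bind a UDP socket on TZSP_UDP_PORT and pass each received datagram to parse_tzsp; the decoder deliberately refuses anything it cannot account for byte-by-byte, since the observer is a passive sink and a malformed datagram should be dropped, not guessed at.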