Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Creating and Managing RF Snooping Filter Profiles

    When active scan is enabled in a Radio profile, the radios with the profile actively scan other channels in addition to the data channel that is currently in use. Active scan operates on enabled radios and disabled radios. In fact, using a radio in sentry mode as a dedicated scanner provides better rogue detection because the radio can spend more time scanning on each channel.

    When a radio is scanning other channels, active snoop filters on the radio also snoop traffic on the other channels. To prevent monitoring of data from other channels, use the channel option when you configure the filter, to specify the channel on which you want to snoop.

    Managing Snooping Filter Profiles

    From the Manage RF Snooping page, you can:

    • Create a new RF Snooping profile by clicking Add. For directions, see Creating an RF Snooping Filter Profile.
    • Modify an existing RF Snooping profile by selecting it and clicking Edit.
    • Assign a RF Snooping profile to access points by selecting the profile and clicking Assign. For directions, see Assigning RF Snooping Filter Profiles to Access Points.
    • Edit an existing RF Snooping profile by selecting it and clicking Edit Assign.
    • Delete a RF Snooping profile by selecting site name and clicking Delete.

      Tip: You cannot delete a profile that is in use. To see the current state of a profile, select the site name and click Details.

    • Clone a RF Snooping profile by selecting a profile and clicking Clone.

    Table 1 describes the information provided about RF Snooping profiles on the Manage Switching Profiles page. This page lists all RF Snooping profile defined for your network, regardless of the scope you selected in the network view.

    Table 1: RF Snooping Profile Information

    Field

    Description

    Snoop Filter Name

    Profile name up to 15 alphanumeric characters.

    Enabled

    A snooping filter can be disabled or enabled.

    Owner

    Login of user who created the Snoop Filter Profile.

    Description

    Description for the snoop filter.

    Assignment State

    Displays the assignment state of the profile. A profile can be:

    • Unassigned—When the profile is not assigned to any object.
    • Deployed—When the profile is assigned and is deployed from Deploy mode.
    • Pending Deployment—When the profile is assigned, but not yet deployed in the network.

    Creation Time

    Date and time when the profile was created.

    Last Updated Time

    Date and time when the profile was last modified.

    User Name

    The username of the user who created or modified the profile.

    Creating an RF Snooping Filter Profile

    To add an RF Snooping Filter Profile, follow these steps:

    1. Under Views, select one of these options: Logical View, Location View, Device View or Custom Group View.

      Tip: Do not select Dashboard View, Datacenter View, or Topology View.

    2. Click in the Network Director banner.
    3. In the Tasks pane, expand Wireless, expand Profiles, and then click RF Snooping.

      The Manage RF Snooping Profile page appears, displaying the list of currently configured RF Snooping profiles.

    4. Click Add.

      The Create RF Snooping Profile page opens.

    5. Provide the RF Snooping settings listed in Specifying RF Snooping Settings.
    6. Click Done.

      The new RF Snooping profile is added to the list on the Manage RF Snooping Profile page.

    Specifying RF Snooping Settings

    Specify the RF Snooping settings described in Table 2.

    Table 2: RF Snooping Settings

    Field

    Description

    Snoop Filter Name

    Type a snooping filter name up to 15 characters long.

    Description

    Provide a description of the snooping filter profile.

    Enable

    Turn the Snooping profile on and off by adding a check mark to enable it or removing the check mark to disable it.

    Snoop Observer

    You can either select an existing snooping observer or you can create a new snooping observer.

    If the snooping filter meets these conditions, the observer must also be in the same subnet.

    • Filter is running on a distributed access point.
    • Access point used a DHCP server in a local subnet to configure the IP information, and the access point did not receive a default router (gateway) address as a result, Without a default router, the access point cannot find the observer.

    Tip: Do not specify an observer associated with the access point with an assigned snooping filter. This configuration causes an endless cycle of snooping traffic.

    Task: Select an existing snooping observer

    1. Click Select.

      The Select Snooping Observer window opens.

    2. Place a check mark next to one of the snoop observers listed in the Select Snooping Observer window.
    3. Click Select in the Select Snooping Observer window.

      The selection window closes and the selected observer now appears in the Observer Name field.

    Task: Create a new snooping observer

    1. Click Create.

      The Create Snooping Observer window opens.

    2. Provide the following settings:
      • Name for the snooping observer 1-15 characters long.
      • Target IP Address of the snoop observer.
      • Optionally enable Snap Length Limit and provide a snap length in bytes.

        Snap length specifies the maximum number of bytes to capture. If you do not specify a length, the entire packet is copied and sent to the observer. Juniper Networks recommends specifying a snap length of 100 bytes or less.

    3. Optionally, enable Frame Gap Limit and provide a frame gap value in milliseconds.

      Frame gap refers to the minimum time period allowed between transmission of packets.

    4. Select a Mode for the snoop observer:
      • tzsp: When an 802.11 packet matches all conditions in a filter, the access point encapsulates the packet in a Tazmen Sniffer Protocol (TZSP) packet and sends the packet to the observer host IP addresses specified by the filter. TZSP uses UDP port 37008 for transport.
      • batched tzsp: Every captured packet matching a configured filter will be encapsulated in a TZSP header and snoop record header and marshaled in a buffer maintained on a per snoop observer basis, for later transmission. The marshaled snoop packets will be copied to a UDP datagram and sent to the observer as soon as the buffer size exceeds the UDP datagram data field size.
    5. Click Done in the Create Snoop Observer window.

      The window closes and the created observer now appears in the Observer Name field.

    Snooping Conditions

    The snooping conditions specify the match criteria for packets. Conditions in the list are appended. Therefore, to be copied and sent to an observer, a packet must match all snooping conditions. You can specify up to eight of the following conditions in a filter, in any order or combination:

    • Frame Type
    • Channel
    • BSSID
    • Transmitter Type
    • Source MAC Address
    • Destination MAC Address
    • MAC Host
    • MAC Pair
    • Direction
    Task: Add a Snooping Condition

    A snooping condition consists of three parts, a Type, an Operation, and a Direction. The end result resembles an equation. To create a condition, Click Add under Snooping Conditions. The Create Snooping Condition window opens with three conditions, a Type, an Operation, and a third attribute. You can create eight of the following combinations:

    TypeOperationThird Attribute

    Frame Type

    Equals or Not Equals

    Frame Types: Management, Control, Data, Beacon, or Probe

    Direction

    Equals or Not Equals

    Direction: Receive or Transmit

    Channel

    Equals or Not Equals

    Channel: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14

    BSSID

    Equals or Not Equals

    When the operation type is Glob the fields OUID and Vendor Name are available.

    • Glob—Indicate a host address. An asterisk like this * (the default) is a wildcard meaning all hosts.
    • OUID—Indicate a vendor’s OUID code.

    Transmitter Type

    Equals or Not Equals

    Transmitter Type: Member AP

    Source MAC,

    • Equals—EQ
    • Not Equals—NEQ
    • Less than—LE
    • Greater than—GE
    • Wild card pattern— Glob

    When the operation type is Glob the fields OUID and Vendor Name are available.

    • Glob—Indicate a host address. An asterisk like this * (the default) is a wildcard meaning all hosts.
    • OUID—Indicate a vendor’s OUID code.

    Destination MAC

    • Equals—EQ
    • Not Equals—NEQ
    • Less than—LE
    • Greater than—GE
    • Wild card pattern— GLOB

    When the operation type is Glob the fields OUID and Vendor Name are available.

    • Glob—Indicate a host address. An asterisk like this * (the default) is a wildcard meaning all hosts.
    • OUID—Indicate a vendor’s OUID code.

    MAC Host

    • Equals—EQ
    • Not Equals—NEQ
    • Less than—LE
    • Greater than—GE
    • Wild card pattern— GLOB

    When the operation type is Glob the fields OUID and Vendor Name are available.

    • Glob—Indicate a host address. An asterisk like this * (the default) is a wildcard meaning all hosts.
    • OUID—Indicate a vendor’s OUID code.

    MAC Pair

    Type two MAC addresses

    Task: Edit a Snooping Condition

    Task: Edit a Snooping Condition

    1. Select an existing snooping condition from the list of Snooping Conditions on the Create RF Snooping Filter Profile page.
    2. Click Edit.

      The Edit Snooping Condition window opens with the Type, Operation, and Direction of the condition displayed.

    3. Make any needed changes to the condition and then click Done.

      The Edit Snooping Condition window closes and the condition is updated in the Snooping Condition list.

    Task: Delete a Snooping Condition

    Task: Delete a Snooping Condition

    1. Select an existing snooping condition from the list of Snoop Conditions on the Create RF Snooping Filter Profile page.
    2. Click Delete.

      The condition disappears from the Snoop Condition list.

    Note: The AP running a snooping filter forwards snooped packets directly to the observer. This is a one-way communication, from the AP to the observer. If the observer is not present, the access point still sends the snooped packets, which uses bandwidth. If the observer is present but is not listening to TZSP traffic, the observer continuously sends ICMP error indications back to the access point. These ICMP messages can affect network and access point performance.

    What To Do Next

    Assign the Snooping Filter Profile to an access point following the directions in Assigning RF Snooping Filter Profiles to Access Points. You can also map a Radio profile to a snooping profile—see Creating and Managing a Radio Profile.

    Modified: 2017-04-20