Usage: Traffic that matches a snoop filter is copied after it is decrypted. The decrypted (clear) version is sent to the observer.

For best results:

Do not specify an observer that is associated with the AP where the snoop filter is running. This configuration causes an endless cycle of snoop traffic.

If the snoop filter is running on a Distributed AP, and the AP used a DHCP server in its local subnet to configure its IP information, and the AP did not receive a default router (gateway) address as a result, the observer must also be in the same subnet. Without a default router, the AP cannot find the observer.

The AP that is running a snoop filter forwards snooped packets directly to the observer. This is a one-way communication, from the AP to the observer. If the observer is not present, the AP still sends the snoop packets, which use bandwidth. If the observer is present but is not listening to TZSP traffic, the observer continuously sends ICMP error indications back to the AP. These ICMP messages can affect network and AP performance.

Examples: The following command configures a snoop filter named snoop1 that matches on all traffic, and copies the traffic to the device that has IP address 10.10.30.2:

DWS-1008# set snoop snoop1 observer 10.10.30.2 snap-length 100

The following command configures a snoop filter named snoop2 that matches on all data traffic between the device with MAC address aa:bb:cc:dd:ee:ff and the device with MAC address 11:22:33:44:55:66, and copies the traffic to the device that has IP address 10.10.30.3:

DWS-1008# set snoop snoop2 frame-type eq data mac-pair aa:bb:cc:dd:ee:ff 11:22:33:44:55:66 observer 10.10.30.3 snap-length 100

See Also:

clear snoop

set snoop map

set snoop mode

show snoop info

show snoop stats

D-Link DWS-1008 CLI Manual
