aziah zakaria wrote:
> I'm currently doing an analysis on LWAPP packets and I got to know that
> Ethereal software can capture LWAPP packets.
I don't think we say anywhere that it can capture them.

We say it can *dissect* them, but its ability to dissect packets of a 
particular sort doesn't mean that it can necessarily capture those 
packets - it might have to read them from a capture done by another machine.

Ethereal's ability to capture packets depends on

	1) the link-layer type on which you're trying to capture

and

	2) the limitations of the network interface on which you're capturing, 
the driver for that network interface, and the packet capture mechanism 
the driver plugs into.

It doesn't depend directly on something as high-level as whether the 
packets are LWAPP packets or not.
> However, when I tried to
> capture LWAPP packets in live capture, the results showed that it only
> captures LDAP packets instead of LWAPP packets.
Are you trying to capture them on an 802.11 network?  If so, there might 
be some limitations on the traffic your OS, or network card.

At least according to draft-ohara-capwap-lwapp-00, LWAPP goes between 
access points and access routers, not between APs and end-stations.  As 
such, you might only see LWAPP traffic if you're capturing in 
promiscuous mode, and it might even work only if you're in monitor mode. 
 If you're capturing with a WinPcap-based application (such as 
Ethereal) on Windows, promiscuous mode is likely not to work very well, 
and monitor mode won't work at all.  My advice to anybody who wants to 
use Ethereal to capture 802.11 traffic on Windows would be to try a 
Centrino-based machine - I haven't tried doing 802.11 capturing on any 
Windows machine, but I infer from some code changes somebody sent in for 
Ethereal that promiscuous mode *might* work on Windows on Centrino 
machines.  I have not seen anybody else report much success at all with 
promiscuous 802.11 captures on Windows.  (My advice to anybody who wants 
to use a PC to capture 802.11 traffic with Ethereal is to run a recent 
Linux distribution, FreeBSD 5.2 or later, or NetBSD 2.0-beta or later, 
as at least some of the drivers they have support monitor mode.)