Monitor the Rogue and aWIPS Dashboard

Access the Rogue Management and aWIPS Application

Procedure

Step 1

To access the Rogue Management and aWIPS application, log in to Catalyst Center.

Step 2

From the top-left corner, click the menu icon and choose Assurance > Rogue and aWIPS.

The Rogue and aWIPS dashboard is displayed.

Note

 

Before using the Cisco Catalyst Assurance application, you must configure it. For more information, see Basic Setup Workflow.

Monitor the Rogue Management and aWIPS Dashboard

Use the Rogue and aWIPS dashboard to get a detailed threat analysis and a global view of all the rogue APs and aWIPS signatures detected in the network. The Rogue and aWIPS dashboard also provides insight into the highest-priority threats so that you can quickly identify them. The Rogue Management application uses streaming telemetry to retrieve data on rogue APs.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Assurance > Rogue and aWIPS.

The Rogue and aWIPS window is displayed. By default, Catalyst Center displays the Overview dashboard.

Note

 

If a Cisco AireOS Controller does not meet the minimum software version required, a notification is displayed at the top of the dashboard. Click Go To Devices in the notification to upgrade to the supported version.

Step 2

In the Site menu, click Global.

The Site Selector slide-in pane is displayed.

  1. Enter a site name in the Search Hierarchy search bar or expand Global to choose a site.

    Note

     

    • If a site has more than 254 subsites, that site is disabled by default.

    • Site hierarchies that do not have floors are not listed in the site selector slide-in pane.

Step 3

From the Actions drop-down list, choose Rogue > Enable to enable rogue subscription on the Cisco Wireless Controller and the Cisco Catalyst 9800 Series Wireless Controller.

Step 4

Click Yes in the Warning dialog box that is displayed.

Step 5

In the Rogue and aWIPS Subscription slide-in pane, do the following to enable rogue subscription:

Note

 

The Configuration Preview tab appears only when the Configuration Preview is enabled. For information on how to enable configuration preview or ITSM approval, see the "Enable Visibility and Control of Configurations" topic in the Cisco Catalyst Center Administrator Guide.

  1. Depending on the Visibility and Control of Configurations settings, choose an available option:

    • Now: Immediately deploy the configurations.

    • Later: Schedule the date and time and define the time zone of the deployment.

    • Generate configuration preview: Review the configurations before deploying them.

      If only visibility is enabled or both visibility and control are enabled, Generate configuration preview is chosen by default, and Now and Later are dimmed (unavailable). For more information, see "Visibility and Control of Device Configurations" in the Cisco Catalyst Center User Guide.

  2. In the Task Name field, enter a task name.

  3. Click Apply.

  4. On the Performing Initial Checks window, address the following issues to continue with your current deployment:

    • Pending Operations: Wait for all pending operations to deploy or discard them.

    • Device Compliance: Fix, acknowledge, or ignore all issues.

      If you ignore any noncompliant devices, this activity is captured on the Audit Logs window.

    • Device Level Validations: Remove the unsupported configurations used in the CLI template.

      Note

       

      This check is only applicable for fabric devices. Currently the check does not validate the CLI templates for non-fabric devices.

      You can also choose to ignore the issues, but it is recommended to resolve the issues before you proceed with provisioning.

    • After addressing all the issues, click Recheck in the bottom-right corner of the window and make sure that all the validations are successful.

    For more information, see "Network Provisioning Prechecks" in the Cisco Catalyst Center User Guide.

    If you chose Now or Later, click Submit, and the device configurations will deploy at the scheduled time. You can view the task on the Tasks window.

  5. If you chose Generate configuration preview, depending on the Visibility and Control of Configurations settings, do the following:

    1. On the Preparing Devices and Configuration Models window, wait for the system to prepare the devices and generate the device configurations. This can take some time, so you can click Exit and Preview Later. To view the work item later, go to the Tasks window.

    2. On the Preview Configuration window, review the device configurations.

      For more information, see "Visibility and Control of Device Configurations" in the Cisco Catalyst Center User Guide.

    3. Do one of the following:

      • When you're ready, click Deploy or Submit for Approval.

      • If you're not ready to deploy the configurations or submit them for ITSM approval, click Exit and Preview Later. Later, go to the Tasks window, open the work item, and click Deploy or Submit for Approval.

      Note

       

      You can submit the device configurations for ITSM approval and deploy them without previewing all the configurations.

    4. In the slide-in pane, indicate when you want to deploy the configuration, choose a time zone, and if visibility and control are enabled, add notes for the IT administrator.

    5. Click Submit.

      You can check the work item’s approval status or the task’s deployment status on the Tasks window. If the work item isn’t approved, you need to resubmit the work item for ITSM approval. When it’s approved, it's deployed at the scheduled time.

Step 6

Choose Rogue > Disable to disable the rogue actions temporarily.

Step 7

Click Yes in the Warning dialog box that is displayed.

After the rogue management functionality is disabled, data from the wireless controller will not be pushed to Catalyst Center until the rogue management functionality is enabled.

Step 8

In the Rogue and aWIPS Subscription slide-in pane, do the following to disable rogue subscription:

  1. Depending on the Visibility and Control of Configurations settings, choose an available option:

    • Now: Immediately deploy the configurations.

    • Later: Schedule the date and time and define the time zone of the deployment.

    • Generate configuration preview: Review the configurations before deploying them.

      If only visibility is enabled or both visibility and control are enabled, Generate configuration preview is chosen by default, and Now and Later are dimmed (unavailable). For more information, see "Visibility and Control of Device Configurations" in the Cisco Catalyst Center User Guide.

  2. In the Task Name field, enter a task name.

  3. Click Apply.

  4. On the Performing Initial Checks window, address the following issues to continue with your current deployment:

    • Pending Operations: Wait for all pending operations to deploy or discard them.

    • Device Compliance: Fix, acknowledge, or ignore all issues.

      If you ignore any noncompliant devices, this activity is captured on the Audit Logs window.

    • Device Level Validations: Remove the unsupported configurations used in the CLI template.

      Note

       

      This check is only applicable for fabric devices. Currently the check does not validate the CLI templates for non-fabric devices.

      You can also choose to ignore the issues, but it is recommended to resolve the issues before you proceed with provisioning.

    • After addressing all the issues, click Recheck in the bottom-right corner of the window and make sure that all the validations are successful.

    For more information, see "Network Provisioning Prechecks" in the Cisco Catalyst Center User Guide.

    If you chose Now or Later, click Submit, and the device configurations will deploy at the scheduled time. You can view the task on the Tasks window.

  5. If you chose Generate configuration preview, depending on the Visibility and Control of Configurations settings, do the following:

    1. On the Preparing Devices and Configuration Models window, wait for the system to prepare the devices and generate the device configurations. This can take some time, so you can click Exit and Preview Later. To view the work item later, go to the Tasks window.

    2. On the Preview Configuration window, review the device configurations.

      For more information, see "Visibility and Control of Device Configurations" in the Cisco Catalyst Center User Guide.

    3. Do one of the following:

      • When you're ready, click Deploy or Submit for Approval.

      • If you're not ready to deploy the configurations or submit them for ITSM approval, click Exit and Preview Later. Later, go to the Tasks window, open the work item, and click Deploy or Submit for Approval.

      Note

       

      You can submit the device configurations for ITSM approval and deploy them without previewing all the configurations.

    4. In the slide-in pane, indicate when you want to deploy the configuration, choose a time zone, and if visibility and control are enabled, add notes for the IT administrator.

    5. Click Submit.

      You can check the work item’s approval status or the task’s deployment status on the Tasks window. If the work item isn’t approved, you need to resubmit the work item for ITSM approval. When it’s approved, it's deployed at the scheduled time.

Step 9

Choose Rogue > Status to view the rogue configuration job status.

Step 10

Filter the rogue subscription status by All, Failure, Success, or In Progress by clicking the respective tabs.

The Operation column shows Enable if the rogue-detection operation is enabled successfully on the wireless controller.

The Status column shows Success if the subscription configuration changes are successfully pushed to the wireless controller.

Step 11

Choose aWIPS > Enable to enable aWIPS data collection on Catalyst Center.

Step 12

Click Yes in the Warning dialog box that is displayed.

Step 13

In the Rogue and aWIPS Subscription slide-in pane, do the following to enable aWIPS subscription:

Note

 

The Configuration Preview tab appears only when the Configuration Preview is enabled. For information on how to enable configuration preview or ITSM approval, see the "Enable Visibility and Control of Configurations" topic in the Cisco Catalyst Center Administrator Guide.

  1. Depending on the Visibility and Control of Configurations settings, choose an available option:

    • Now: Immediately deploy the configurations.

    • Later: Schedule the date and time and define the time zone of the deployment.

    • Generate configuration preview: Review the configurations before deploying them.

      If only visibility is enabled or both visibility and control are enabled, Generate configuration preview is chosen by default, and Now and Later are dimmed (unavailable). For more information, see "Visibility and Control of Device Configurations" in the Cisco Catalyst Center User Guide.

  2. In the Task Name field, enter a task name.

  3. Click Apply.

  4. On the Performing Initial Checks window, address the following issues to continue with your current deployment:

    • Pending Operations: Wait for all pending operations to deploy or discard them.

    • Device Compliance: Fix, acknowledge, or ignore all issues.

      If you ignore any noncompliant devices, this activity is captured on the Audit Logs window.

    • Device Level Validations: Remove the unsupported configurations used in the CLI template.

      Note

       

      This check is only applicable for fabric devices. Currently the check does not validate the CLI templates for non-fabric devices.

      You can also choose to ignore the issues, but it is recommended to resolve the issues before you proceed with provisioning.

    • After addressing all the issues, click Recheck in the bottom-right corner of the window and make sure that all the validations are successful.

    For more information, see "Network Provisioning Prechecks" in the Cisco Catalyst Center User Guide.

    If you chose Now or Later, click Submit, and the device configurations will deploy at the scheduled time. You can view the task on the Tasks window.

  5. If you chose Generate configuration preview, depending on the Visibility and Control of Configurations settings, do the following:

    1. On the Preparing Devices and Configuration Models window, wait for the system to prepare the devices and generate the device configurations. This can take some time, so you can click Exit and Preview Later. To view the work item later, go to the Tasks window.

    2. On the Preview Configuration window, review the device configurations.

      For more information, see "Visibility and Control of Device Configurations" in the Cisco Catalyst Center User Guide.

    3. Do one of the following:

      • When you're ready, click Deploy or Submit for Approval.

      • If you're not ready to deploy the configurations or submit them for ITSM approval, click Exit and Preview Later. Later, go to the Tasks window, open the work item, and click Deploy or Submit for Approval.

      Note

       

      You can submit the device configurations for ITSM approval and deploy them without previewing all the configurations.

    4. In the slide-in pane, indicate when you want to deploy the configuration, choose a time zone, and if visibility and control are enabled, add notes for the IT administrator.

    5. Click Submit.

      You can check the work item’s approval status or the task’s deployment status on the Tasks window. If the work item isn’t approved, you need to resubmit the work item for ITSM approval. When it’s approved, it's deployed at the scheduled time.

Step 14

Choose aWIPS > Disable to disable the aWIPS actions temporarily.

Click Yes in the Warning dialog box that is displayed.

Step 15

In the Rogue and aWIPS Subscription slide-in pane, do the following to disable aWIPS subscription:

  1. Depending on the Visibility and Control of Configurations settings, choose an available option:

    • Now: Immediately deploy the configurations.

    • Later: Schedule the date and time and define the time zone of the deployment.

    • Generate configuration preview: Review the configurations before deploying them.

      If only visibility is enabled or both visibility and control are enabled, Generate configuration preview is chosen by default, and Now and Later are dimmed (unavailable). For more information, see "Visibility and Control of Device Configurations" in the Cisco Catalyst Center User Guide.

  2. In the Task Name field, enter a task name.

  3. Click Apply.

  4. On the Performing Initial Checks window, address the following issues to continue with your current deployment:

    • Pending Operations: Wait for all pending operations to deploy or discard them.

    • Device Compliance: Fix, acknowledge, or ignore all issues.

      If you ignore any noncompliant devices, this activity is captured on the Audit Logs window.

    • Device Level Validations: Remove the unsupported configurations used in the CLI template.

      Note

       

      This check is only applicable for fabric devices. Currently the check does not validate the CLI templates for non-fabric devices.

      You can also choose to ignore the issues, but it is recommended to resolve the issues before you proceed with provisioning.

    • After addressing all the issues, click Recheck in the bottom-right corner of the window and make sure that all the validations are successful.

    For more information, see "Network Provisioning Prechecks" in the Cisco Catalyst Center User Guide.

    If you chose Now or Later, click Submit, and the device configurations will deploy at the scheduled time. You can view the task on the Tasks window.

  5. If you chose Generate configuration preview, depending on the Visibility and Control of Configurations settings, do the following:

    1. On the Preparing Devices and Configuration Models window, wait for the system to prepare the devices and generate the device configurations. This can take some time, so you can click Exit and Preview Later. To view the work item later, go to the Tasks window.

    2. On the Preview Configuration window, review the device configurations.

      For more information, see "Visibility and Control of Device Configurations" in the Cisco Catalyst Center User Guide.

    3. Do one of the following:

      • When you're ready, click Deploy or Submit for Approval.

      • If you're not ready to deploy the configurations or submit them for ITSM approval, click Exit and Preview Later. Later, go to the Tasks window, open the work item, and click Deploy or Submit for Approval.

      Note

       

      You can submit the device configurations for ITSM approval and deploy them without previewing all the configurations.

    4. In the slide-in pane, indicate when you want to deploy the configuration, choose a time zone, and if visibility and control are enabled, add notes for the IT administrator.

    5. Click Submit.

      You can check the work item’s approval status or the task’s deployment status on the Tasks window. If the work item isn’t approved, you need to resubmit the work item for ITSM approval. When it’s approved, it's deployed at the scheduled time.

Step 16

Choose aWIPS > Status to view the aWIPS subscription status.

Step 17

Filter the aWIPS subscription status by All, Failure, Success, or In Progress by clicking the respective tabs.

The Operation column shows Enable if the aWIPS subscription operation is enabled successfully on the wireless controller.

The Status column shows Success if the subscription configuration changes are successfully pushed to the wireless controller.

Step 18

Use the Threats dashlets to display following information:

  • TOTAL ROGUE THREATS: Displays the total number of rogue threats.

  • TOTAL AWIPS THREATS: Displays the total number of aWIPS threats.

  • TOTAL UNIQUE ROGUE CLIENTS: Displays the total number of unique rogue clients.

  • ROGUES CONTAINED: Displays the total number of rogues contained.

The Active High Threats and High Threats Over Time graphs below the timeline slider display the threat details accordingly.

Step 19

The Active High Threats, Top Locations Affected, and High Threats Over Time graphs display information about rogue APs detected in the last three hours by default. The graph information is based on the time interval that you choose from the Hours drop-down list.

  • The options are Last 3 hours, Last 24 hours, and Last 7 days.

    Note

     
    Choose Custom to select a specific time range.

Step 20

Use the High Threats Summary dashlet to display the following information:

High Threats Summary Dashlet
Item Description

Active High Threats

Displays information about active threat levels in the form of a donut graph. You can filter the active high threats by Top 10 or All threat types.

Click each colored slice of the donut graph to view detailed information about the threats. Hover your cursor over the graph to see the number of active high threats.

Click All to display the threat types and counts in a table format.

Top Locations Affected

Displays the top five locations affected per selected site for high threats.

Step 21

Use the High Threats Over Time dashlet to display the following information:

High Threats Over Time Dashlet
Item Description

Threats Over Time

Displays detailed information about high threats over time, based on the selected time period.

Click each threat type below Total Active High Threat. Threat information is displayed in a graph view.

High threat deviation is measured on a color value scale:

  • Green color indicates threat deviation that is less than 0.

  • Orange color indicates threat deviation from 0 to 9.

  • Red color indicates threat deviation that is more than or equal to 10.

Hover your cursor over the graph to view the number of high threats that occurred at a particular time.

View Threats

Click View Threats to view the threats table. A list of high threats is displayed.

Step 22

Use the Threats By Location dashlet to view information about threats in the map view:

Location Option
Item Description

Map View

Click this toggle button to display a map view of the locations affected by threats.

Hover your cursor over the corresponding location in the map to view all the threat levels and counts.

List View

Click this toggle button to display a list view of the locations affected by threats.

Step 23

Use the Threat Setting Summary dashlet to view following information:

Threat Setting Summary Dashlet
Item Description

Allowed AP List

Displays information about the allowed AP count and configured threat level.

Click View Details to display the Allowed List window to view detailed information on the Allowed Access Point List.

Allowed Vendor List

Displays information about the allowed vendors count and configured threat level.

Click View Details to display the Allowed List window to view information on the Allowed Vendor List.

Rogue Rule

Displays information about a rule, its conditions type, rule profiles associated to it, and threat level.

Click View Details to display the Rules window to view detailed information on rogue rules.

Step 24

(Optional) Use the Tips dashlet for a direct link to workflows such as Create Allowed AP List, Create Allowed Vendor List, Create Rogue Rule, and so on.

Step 25

(Optional) Click View All to view all the available workflows.

Monitor Network Rogue Threats

Procedure

Step 1

In the Site menu, click Global.

The Site Selector slide-in pane is displayed.

  1. Enter a site name in the Search Hierarchy search bar or expand Global to choose a site.

    Note

     

    • If a site has more than 254 subsites, that site is disabled by default.

    • Site hierarchies that do not have floors are not listed in the Site Selector slide-in pane.

Step 2

Click the time range setting ( ) at the top-right corner to specify the time range of the data that you want displayed in the Threats table:

  1. From the drop-down menu, choose a time range: 3 hours, 24 hours, 7 days, or Custom.

    If you choose the Custom time range, specify the Start Date and time and the End Date and time.

  2. Click Apply.

Step 3

Use the Threats table to view detailed information about the threats in your network:

Threats Table
Item Description

Filter

Click this icon at the top-right corner of the table to filter the data to be displayed in the table based on the following criteria: ID, Threat Level, Threat MAC Address, Type, State, Connection, Detecting AP, Detecting AP Site, RSSI (dBm), SSID, Clients, Containment Status, Last Reported, and Vendor.

RSSI, SSID, and Clients are not displayed for aWIPS.

Threat Table

Displays the following information about threats in a table format:

  • Threat Level: Displays color-coded classified threat levels. Catalyst Center classifies threats into these categories:

    • High Threat

    • Potential Threat

    • Informational

  • Mac Address: Displays the MAC address of a rogue AP.

  • Type: Displays threat types.

  • State: Displays the state of a rogue AP or aWIPS attacks.

  • Source/Target: Shows whether the displayed MAC address is the source of an aWIPS attack or the target of an aWIPS attack. This column is not applicable for rogue data.

  • Connection: Displays whether the rogue AP is located on the wired network or wireless network. This column shows the aWIPS attacks on the wireless network.

  • Detecting AP: Displays the name of the AP that is currently detecting a rogue AP. If multiple APs detect a rogue, the detecting AP with the highest signal strength is displayed. This column is applicable for both rogue AP and aWIPS attacks.

  • Detecting AP Site: Displays the site location of the detecting AP. This column is applicable for both rogue AP and aWIPS attacks.

  • RSSI (dBm): Displays the RSSI value reported by the detecting AP. RSSI (dBm) is only applicable for rogue APs.

  • SSID: Displays the service set identifier that a rogue AP is broadcasting. SSID is only applicable for rogue APs.

  • Clients: Displays the number of rogue clients associated with an AP. This column is only applicable for rogue APs.

    Note

     

    The client count that is displayed in the Threats table differs from the client count displayed in the Threats 360 degrees window. This happens if the data that is processed in a Catalyst Center release earlier than 2.3.2 is migrated to Catalyst Center 2.3.2 or later. Catalyst Center 2.3.2 or later displays the correct client count for the newly processed data if the time range that is selected has the new data.

  • Containment Status: Displays the possible values (Contained, Pending, Open, and Partial) of a rogue AP. For autocontained rogue APs, the status is displayed as Contained (Auto), Pending (Auto), Open (Auto) and Partial (Auto). Wireless containment status is only applicable for rogue APs.

  • Last Reported: Displays the date, month, year, and time at which a rogue AP or aWIPS attack was last reported.

  • Vendor: Displays the rogue AP vendor information. This column is not applicable for aWIPS attacks.

Customize the data that you want displayed in the table:

  1. In the Table Appearance tab, set the table density and striping.

  2. In the Edit Table Columns tab, check the check boxes for the data that you want displayed.

  3. Click Apply.

Obtain Rogue AP and Rogue Client Details from Threat 360° View

You can quickly view the precise location details of a specific rogue AP or rogue client on a floor map, in the Threat 360° view.

Getting these details, however, depend on the detecting AP's strongest signal strength. With the Cisco Connected Mobile Experiences (CMX) or Cisco Spaces integration, you can get the exact location of your rogue AP or rogue client.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Assurance > Rogue and aWIPS > Threats.

Step 2

To launch the Threat 360° view for a particular rogue AP or aWIPS threat, click the corresponding row in the Threats table.

The Threat 360° pane is displayed.

The upper part of the pane displays the following information:

  • MAC address of the rogue AP

  • Threat level

  • Threat type

  • Status

  • Vendor

  • Containment

  • Count

  • Last reported

The middle part of the pane shows the estimated location of a rogue AP or a threat on the floor map:

  • Site details and floor number.

  • Floor map shows the names of the managed APs.

Note

 

Floor Map section is not displayed for global location.

Catalyst Center makes a best effort to detect the rogue vendor name. If the vendor name isn’t available, the name is shown as “UNKNOWN.”

Step 3

Perform the following tasks, as required:

  • Click the icon at the right-hand corner of the floor map to see the IP address of the wireless controller that manages the APs, along with the reachability status.

  • Click the icon at the right-hand corner of the floor map to zoom in on a location. The zoom levels depend on the resolution of an image. A high-resolution image provides more zoom levels. Each zoom level comprises a different style map that is shown at different scales, with the corresponding details. Some maps are of the same style, but on a smaller or larger scale.

  • Click the icon to see a map with fewer details.

  • Click the icon to view the details of the map icons.

The following table provides descriptions of the floor map icons.

Table 1. Map Icons and Descriptions
Floor Map Icon Description

Devices

Access Point

Sensor

Rogue AP

Marker

Planned AP

Switch

Interferer

Client

Rogue Client

Reporting AP

Detecting AP

Average Health Score

Health score: 8-10

Health score: 4-7

Health score:1-3

Health score: Unknown

AP Status

Covered by sensor

Not covered by sensor

Step 4

The bottom area of the Threat 360° pane enables you to perform these tasks:

  • Click the Switch Port Detail tab to get rogue-on-wire details, including Host Mac, Device Name, Device IP, Interface Name, Last Updated, Port Mode, and Admin Status.

    Note

     

    • The Admin Status column shows the interface status as either UP or DOWN.

    • The Port Mode column shows the interface mode as either ACCESS or TRUNK.

    Note

     

    Cisco switches are required for rogue-on-wire detections.

  • Click the Detections tab to view information such as Detecting AP, Detecting AP Site, Adhoc, Rogue SSID, RSSI (dBM), Channels, Radio Type, SNR, State, and Last Updated.

    Note

     

    Although the wireless controller shows all detecting APs for a given BSSID, Catalyst Center shows only the strongest detecting AP for a given BSSID per wireless controller in the Threat 360° view.

  • Click the Filter () icon at the left end of the table to narrow down the search results based on Rogue SSID, RSSI, Radio Type, Security, and SNR.

  • Click the Export icon and save it to your system.

  • Click the Clients tab to view details such as MAC Address, Gateway Mac, Rogue AP Mac, IP Address, and Last Heard about the clients that are associated with the rogue AP.

  • Click the Forensic Captures tab to view details such as Detecting AP, Detecting AP Site and Last Updated.

    Note

     

    The Forensic Captures tab is shown only for aWIPS threats.

  • Click the Filter () icon at the left end of the table to narrow down the results based on your search criteria.

Download aWIPS Profile Forensic Capture from Threat 360° View

This procedure describes how to download the forensic capture of various DoS attacks from the Threat 360° view.


Note

Catalyst Center enables or disables forensic capture only on the default AP profile. You must enable or disable forensic capture in existing deployments where you have created custom AP join profiles.

Before you begin

You must verify the network connectivity between the APs and Catalyst Center.

Procedure

Step 1

From the top-left corner, click the menu icon and choose Workflows > Rogue and aWIPS > Threats.

Step 2

In the Threat MAC address column, click the aWIPS attack link.

The Threat 360 window is displayed.

Step 3

Click the Forensic Capture tab to view information such as Detecting AP, Alarm ID, CaptureFilename, and Last Updated.

Step 4

In the Capture Filename column, click the pcap file to download the aWIPS profile forensic capture.

Step 5

Click Download All to download all the pcap files.

Step 6

Click the Filter icon to narrow down the search results based on Detecting AP.

Step 7

Click the Export icon to save the CSV file to your workspace.

Note

 

Catalyst Center shows a maximum of 50 forensic captures at a time.