Report of distinct count of MAC addresses per sess...

lunatik280 · ‎01-26-2013

Greetings Community,

I'm trying to figure out how to create a daily and weekly report that captures each unique patron's wireless session from our Cisco Aironet WAP based on each distinct MAC address counted. Is it possible to calculate session times per each unique association/disassociation?

The following log events occur for each device that associates and disassociates with the WAP:

Jan 26 10:36:22 10.10.30.5 15016: *Jun 25 14:38:31: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 34aa.3c7b.4cd1 Associated KEY_MGMT[NONE]

Jan 26 10:36:22 10.10.30.5 15017: *Jun 25 15:23:14: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 34aa.3c7b.4cd1 Reason: Sending station has left the BSS

Any support/guidance would be very appreciated!

lguinn2 · ‎01-27-2013

This may work. Try it, but be aware that the transaction command can use a lot of memory and be impractical for very large data sets.

yoursearchhere
| transaction ip mac startswith="DOT11-6-ASSOC:" endswith="DOT11-6-DISASSOC"
| stats count as NumberOfSessions dc(mac) as NumofPatrons avg(duration) as AvgSessionTime
| fieldformat AvgSessionTime=tostring(AvgSessionTime,"duration")

or, if you don't want the summary statistics

yoursearchhere
| transaction ip mac startswith="DOT11-6-ASSOC:" endswith="DOT11-6-DISASSOC"
| eval SessionTime = tostring(duration,"duration")
| eval StartTime=strftime(_time,"%x %X")
| table mac StartTime SessionTime

These searches assume that you have extracted the ip and mac fields. If you have not, do this

yoursearchhere
| rex "\d{2}:\d{2}:\d{2}\s+(?<ip>\d+\.d+\.d+\.d+)\s.*?Station\s+(?<mac>.{4}\..{4}\..{4})"
...followed by the rest of the commands ...

HTH

Report of distinct count of MAC addresses per session

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio