
[ArubaOS 6.3] New Packet Capture Functionality in ArubaOS 6.3

By cjoseph posted Oct 05, 2013 06:27 AM

  

The Aruba controller has had built-in packet capture functionality since day one. It supports streaming traffic to a host or saving a packet capture (.pcap) file on the controller for later analysis. The packet capture in ArubaOS 6.3 adds the ability to choose whether you capture a client's encrypted traffic, its decrypted traffic, or both. It also adds the ability to see tcpdump-style output of the captured traffic on the controller itself, without opening a dedicated program to read a packet capture. Here is a demonstration:

 

Check to see if anything is being captured:

(3600-Controller) #show packet-capture

Active Capture Destination
--------------------------
Destination    Local-Filesystem


Active Capture (Controlpath)
----------------------------
Interprocess   Disabled   
Sysmsg         Disabled   
TCP            Disabled   
UDP            Disabled   
Other          Disabled   


Active Capture (Datapath)
-------------------------
Wifi-Client    Disabled   
Ipsec          Disabled   

Next, I want to make sure that the datapath packet capture buffer is cleared before I start:

 

(3600-Controller) #packet-capture reset-pcap datapath-pcap

Then I want to start a packet capture of a client's decrypted traffic, because I have a connectivity issue that I want to debug:

 

(192.168.1.3) #packet-capture datapath wifi-client e8:99:c4:92:c9:5b ?
all                     Capture both decrypted and encrypted packets
decrypted               Capture decrypted packets only
encrypted               Capture encrypted packets only

(192.168.1.3) #packet-capture datapath wifi-client e8:99:c4:92:c9:5b decrypted

 

After generating traffic with the client, I want to look at and analyze the traffic without opening another program, so I use the "show packet-capture datapath-pcap" command. I could also have run "tar logs tech-support" from the command line or the GUI, and the datapath.pcap file of the packet capture would be waiting for me in that archive.

 

Let me see what is in the packet capture from the command line:

 

(192.168.1.3) #show packet-capture datapath-pcap 

04:43:13.698113 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e8:99:c4:92:c9:5b, length 314  [DHCP FROM MY CLIENT]
04:43:13.728016 IP 192.168.1.254.67 > 192.168.1.96.68: BOOTP/DHCP, Reply, length 305 [DHCP REPLY FROM MY DHCP SERVER]
04:43:14.230764 arp who-has 192.168.1.254 tell 192.168.1.96  [ARP for my default gateway]
04:43:14.231593 arp reply 192.168.1.254 is-at 74:9d:dc:4b:08:41 [ARP reply from my default gateway]
04:43:14.234381 IP 192.168.1.96.2679 > 192.168.1.254.53:  11571+ A? www.google.com. (32) [Resolving www.google.com at my dns server]
04:43:14.265353 IP 192.168.1.254.53 > 192.168.1.96.2679:  11571 5/0/0 A 74.125.227.147, A 74.125.227.145, A 74.125.227.144, A 74.125.227.146, A 74.125.227.148 (112) [My dns server responding with dns records for www.google.com]
04:43:14.269594 IP 192.168.1.96.47064 > 74.125.227.147.80: S 3401926063:3401926063(0) win 65535 <mss 1460,sackOK,timestamp 48220 0,nop,wscale 6> [my client opening www.google.com on port 80 on the ip address returned from dns server]
04:43:14.270227 IP 74.125.227.147.80 > 192.168.1.96.47064: S 3020078374:3020078374(0) ack 3401926064 win 5792 <mss 1386,sackOK,timestamp 56102669 48220,nop,wscale 7> [www.google.com responding to the http request]

That is just a shortened view of the tcpdump-style output for that client.
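As an added example (not code from the original post or from Aruba), here is a small Python parser for the tcpdump-style lines that "show packet-capture datapath-pcap" prints. It takes the eight lines above as its sample input, strips the bracketed annotations, and folds the events into a summary of what the client did: its DHCP lease, the ARP answer for the gateway, the addresses returned for www.google.com, and the state of the TCP handshake. The line shapes it recognises (BOOTP/DHCP, arp who-has/reply, DNS A queries and answers, TCP SYN and SYN-ACK) are only those that appear in the post; any other IP line is kept as a generic "ip" event and unknown shapes are skipped rather than guessed.

```python
# Added example, not code from the original post or from Aruba: parse the
# tcpdump-style lines that "show packet-capture datapath-pcap" prints and
# rebuild the client's session (DHCP lease, ARP, DNS answers, TCP handshakes).
# SAMPLE is the post's own output; the trailing [annotations] are stripped.
import re
from dataclasses import dataclass

SAMPLE = """\
04:43:13.698113 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e8:99:c4:92:c9:5b, length 314  [DHCP FROM MY CLIENT]
04:43:13.728016 IP 192.168.1.254.67 > 192.168.1.96.68: BOOTP/DHCP, Reply, length 305 [DHCP REPLY FROM MY DHCP SERVER]
04:43:14.230764 arp who-has 192.168.1.254 tell 192.168.1.96  [ARP for my default gateway]
04:43:14.231593 arp reply 192.168.1.254 is-at 74:9d:dc:4b:08:41 [ARP reply from my default gateway]
04:43:14.234381 IP 192.168.1.96.2679 > 192.168.1.254.53:  11571+ A? www.google.com. (32)
04:43:14.265353 IP 192.168.1.254.53 > 192.168.1.96.2679:  11571 5/0/0 A 74.125.227.147, A 74.125.227.145, A 74.125.227.144, A 74.125.227.146, A 74.125.227.148 (112)
04:43:14.269594 IP 192.168.1.96.47064 > 74.125.227.147.80: S 3401926063:3401926063(0) win 65535 <mss 1460,sackOK,timestamp 48220 0,nop,wscale 6>
04:43:14.270227 IP 74.125.227.147.80 > 192.168.1.96.47064: S 3020078374:3020078374(0) ack 3401926064 win 5792 <mss 1386,sackOK,timestamp 56102669 48220,nop,wscale 7>
"""

ANNOT_RE = re.compile(r"\s*\[[^\]]*\]\s*$")            # trailing "[comment]"
TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+)"
IP_RE = re.compile(TS + r" IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                   r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s*(?P<rest>.*)$")
ARP_RE = re.compile(TS + r" arp (?P<rest>.*)$")


@dataclass
class Event:
    ts: str
    kind: str
    src: str
    dst: str
    detail: str = ""


def parse_line(line):
    """One capture line -> Event, or None for shapes this parser does not know."""
    line = ANNOT_RE.sub("", line.strip())
    m = ARP_RE.match(line)
    if m:
        op, _, rest = m["rest"].partition(" ")
        if op == "who-has":                        # "who-has TARGET tell ASKER"
            target, _, asker = rest.partition(" tell ")
            return Event(m["ts"], "arp-request", asker, target)
        if op == "reply":                          # "reply IP is-at MAC"
            ip, _, mac = rest.partition(" is-at ")
            return Event(m["ts"], "arp-reply", ip, "", mac)
        return None
    m = IP_RE.match(line)
    if not m:
        return None
    ts, rest = m["ts"], m["rest"]
    src, dst = f'{m["src"]}:{m["sport"]}', f'{m["dst"]}:{m["dport"]}'
    if rest.startswith("BOOTP/DHCP"):
        mac = re.search(r"Request from ([0-9a-f:]{17})", rest)
        if mac:
            return Event(ts, "dhcp-request", src, dst, mac[1])
        return Event(ts, "dhcp-reply", src, dst)
    if "53" in (m["sport"], m["dport"]):
        txid = rest.split()[0].rstrip("+")         # queries print "11571+"
        q = re.search(r"\b[A-Z]+\? (\S+)", rest)   # "A? www.google.com."
        if q:
            return Event(ts, "dns-query", src, dst, f"{txid} {q[1].rstrip('.')}")
        answers = re.findall(r"\bA (\d+\.\d+\.\d+\.\d+)", rest)
        return Event(ts, "dns-response", src, dst, f"{txid} {','.join(answers)}")
    if rest.startswith("S "):                      # SYN, or SYN-ACK when "ack" follows
        return Event(ts, "tcp-synack" if " ack " in rest else "tcp-syn", src, dst)
    return Event(ts, "ip", src, dst, rest)


def summarize(lines):
    """Fold parsed events into what the client did; returns (events, summary)."""
    events = [e for e in map(parse_line, lines) if e]
    s = {"client_mac": None, "client_ip": None, "arp": {}, "dns": {}, "tcp": {}}
    pending = {}                                   # (querier ip:port, txid) -> name
    for ev in events:
        if ev.kind == "dhcp-request":
            s["client_mac"] = ev.detail
        elif ev.kind == "dhcp-reply":
            s["client_ip"] = ev.dst.rsplit(":", 1)[0]
        elif ev.kind == "arp-reply":
            s["arp"][ev.src] = ev.detail
        elif ev.kind == "dns-query":
            txid, name = ev.detail.split(" ", 1)
            pending[(ev.src, txid)] = name
        elif ev.kind == "dns-response":
            txid, _, answers = ev.detail.partition(" ")
            name = pending.pop((ev.dst, txid), "?")
            s["dns"][name] = answers.split(",") if answers else []
        elif ev.kind == "tcp-syn":
            s["tcp"][(ev.src, ev.dst)] = "syn-sent"
        elif ev.kind == "tcp-synack" and (ev.dst, ev.src) in s["tcp"]:
            s["tcp"][(ev.dst, ev.src)] = "syn-ack-received"
    return events, s


if __name__ == "__main__":
    events, summary = summarize(SAMPLE.splitlines())
    for ev in events:
        print(ev.ts, ev.kind, ev.src, "->", ev.dst, ev.detail)
    print(summary)
```

Run on the sample, the summary shows the client e8:99:c4:92:c9:5b receiving 192.168.1.96, learning the MAC of 192.168.1.254, getting five A records for www.google.com, and a completed SYN/SYN-ACK exchange to the first of them on port 80; a connection that never gets past "syn-sent" is the case you would look for when debugging the kind of connectivity issue the post describes.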

 

There are more packet capture features in ArubaOS 6.3; this is just one example of how you can be more productive doing packet captures in ArubaOS 6.3. You don't have to open a separate packet capture program. Because the capture is centralized on the controller, you can also do things that used to be tricky, such as capturing the traffic of roaming clients and capturing decrypted traffic (which previously required an ACL in a role).

 

In short, this is just another tool that Aruba has improved in ArubaOS 6.3.

 


Comments

Apr 30, 2014 11:51 AM

Nevermind, \var\log\oslog\datapath.pcap was hiding it.

 

Can you tell me how to copy the pcap off of the controller? I tried to tar logs tech-support and then tftp'ed those off but couldn't find the capture file.

 

Thanks,

 

Rosie

Feb 05, 2014 12:30 PM

What version of AOS was this tested on? We are seeing active control path packet captures enabled across all controllers after moving from 6.1.3.5 to 6.3.1.1 code.

 

Thanks, and here is a sample output taken today:

 

 

(xxxwlc02) #show packet-capture

Active Capture Destination
--------------------------
Destination    Disabled


Active Capture (Controlpath)
----------------------------
Interprocess   Disabled
Sysmsg         Disabled
TCP            Disabled
UDP            Disabled
Other          Enabled


Active Capture (Datapath)
-------------------------
Wifi-Client    Disabled
Ipsec          Disabled
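The output above and the one at the start of the post are the same table, so one parser serves both. As an added example (not code from the post, from the commenter, or from Aruba), the Python below parses "show packet-capture" output, lists every control-path or datapath capture whose state is anything but Disabled, and compares a set of controllers against an allowed baseline. That is the check to put in an upgrade runbook, since a capture left on keeps writing client traffic (decrypted, if it was started that way) to the controller. Two of the sample outputs are the ones shown on this page; the third, with Wifi-Client Enabled and the prompt name wlc-constructed, is constructed here for illustration.

```python
# Added example, not code from the original post, the commenter, or Aruba:
# parse the table that "show packet-capture" prints and flag any capture
# that is not Disabled, so a fleet of controllers can be checked for
# captures that were left on or came on unexpectedly after an upgrade.
# SAMPLE_POST is the post's output; SAMPLE_COMMENT is the comment's output
# (same table, different values); SAMPLE_CONSTRUCTED is made up here.
import re

SAMPLE_POST = """\
(3600-Controller) #show packet-capture

Active Capture Destination
--------------------------
Destination    Local-Filesystem


Active Capture (Controlpath)
----------------------------
Interprocess   Disabled
Sysmsg         Disabled
TCP            Disabled
UDP            Disabled
Other          Disabled


Active Capture (Datapath)
-------------------------
Wifi-Client    Disabled
Ipsec          Disabled
"""

# The comment's output differs from the post's only in these three lines.
SAMPLE_COMMENT = (SAMPLE_POST.replace("(3600-Controller)", "(xxxwlc02)")
                  .replace("Destination    Local-Filesystem", "Destination    Disabled")
                  .replace("Other          Disabled", "Other          Enabled"))

# Constructed (not from the page): a controller with a live wifi-client capture.
SAMPLE_CONSTRUCTED = (SAMPLE_POST.replace("(3600-Controller)", "(wlc-constructed)")
                      .replace("Wifi-Client    Disabled", "Wifi-Client    Enabled"))

PROMPT_RE = re.compile(r"^\((?P<name>[^)]+)\) #show packet-capture")
SECTION_RE = re.compile(r"^Active Capture\s*\(?(\w+)\)?$")   # "Destination", "(Controlpath)", ...


def parse_packet_capture(text):
    """Return (controller_name, {section: {entry: state}}) from the CLI table."""
    name, sections, current = "unknown", {}, None
    for raw in text.splitlines():
        line = raw.strip()
        pm, sm = PROMPT_RE.match(line), SECTION_RE.match(line)
        if pm:
            name = pm["name"]
        elif sm:
            current = sm[1]
            sections[current] = {}
        elif line and set(line) != {"-"} and current is not None:
            entry, _, state = line.partition(" ")     # "Other          Enabled"
            sections[current][entry] = state.strip()
    return name, sections


def active_captures(sections):
    """(section, entry) pairs whose state is not Disabled. The Destination table
    is ignored: it says where a capture would go, not whether one is running."""
    return [(sec, entry) for sec in ("Controlpath", "Datapath")
            for entry, state in sections.get(sec, {}).items() if state != "Disabled"]


def audit(outputs, allowed=frozenset()):
    """Map controller name -> active captures that are not in the allowed baseline."""
    findings = {}
    for text in outputs:
        name, sections = parse_packet_capture(text)
        findings[name] = [pair for pair in active_captures(sections) if pair not in allowed]
    return findings


if __name__ == "__main__":
    for name, unexpected in audit([SAMPLE_POST, SAMPLE_COMMENT, SAMPLE_CONSTRUCTED]).items():
        print(f"{name}: {'clean' if not unexpected else unexpected}")
```

Feed it the saved output of "show packet-capture" from each controller and it reports xxxwlc02 with Controlpath/Other enabled, exactly what the comment observed, while the post's controller comes back clean; pass the captures you intentionally started as the allowed set so only the surprises are reported.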

Nov 20, 2013 03:23 AM

@Ryan, the command "ap packet-capture" can capture 802.11 frames.

Nov 15, 2013 02:29 PM

Thanks for this write-up. Is there a way to capture the 802.11 frames (including management and control) centrally in order to troubleshoot anomalous roaming issues?