Aruba Instant & Cloud Wi-Fi

Reply
Chief Airhead
Posts: 1,009
Registered: ‎07-13-2010

How-to: IAP wireless packet capture

[ Edited ]

Aruba Instant version 6.1.2.3-2.0.0.3 and above have the pcap command to do the wireless packet capture on the IAP. This command is not expose on the Web UI and have to run from the CLI.

1. Enable Telnet option to the IAP. By default Telnet or terminal access is disable.

2. Use "show ap monitor status" to identify the base BSSID.

WLAN Interface
---------------
bssid              scan    monitor  probe-type  phy-type        task   channel  pkts
-----              ----    -------  ----------  --------        ----   -------  ----
'''00:24:6c:ae:81:68'''  enable  enable   m-portal    80211a-HT-40    tuned  149+     360116135
'''00:24:6c:ae:81:60'''  enable  enable   sap         80211b/g-HT-20  tuned  11       172543704

In the example above, the base bssid for 80211a is "00:24:6c:ae:81:68" and "00:24:6c:ae:81:60"


3. Use "pcap start <base bssid> <ip address of PC with Aruba version of Wireshark installed> <port> 0 1518"

The number after the port is for format. Use 0 pcap for Wireshark and 1 peek for Omnipeek

Optionally you can add the channel at the end. This is good to use when placing the IAP into AM mode so you can capture on one channel instead of scanning.

Example:
pcap start 00:24:6c:ae:81:68 10.163.148.35 5555 0 1518 

4. Use "show pcap" to check the active pcap session

Packet Capture Sessions
-----------------------
pcap-id  filter  type  intf               channel  max-pkts  max-pkt-size  num-pkts  status       url  target
-------  ------  ----  ----               -------  --------  ------------  --------  ------       ---  ------
1                raw   00:24:6c:ae:81:68  149                                        in-progress       10.163.148.35/5555

5. Use "pcap stop <base bssid> <pcap-id> to stop the capture

Example:
pcap stop 00:24:6c:ae:81:68 1

6. Run the Aruba version of Wireshark or Omnipeek and select udp-port=5555


Note: If you reboot the AP these settings are lost and you have to start the pcap again. If you are going to change the AP to an AM you should do that before you start the pcap.

Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
Search Airheads
Showing results for 
Search instead for 
Did you mean: