ArubaOS and Controllers

Frequent Contributor I

How do we do packet capturing on ArubaOS?

Hi All,
I did packet capturing/sniffing on Ethereal and Wireshark, however I need to do packet capturing on an Aruba AP.
Is this possible?
Anyone did packet capturing on the Aruba AP before?
I couldn't find the procedure in Aruba....
Can someone here help?
Thanks in advance.
Cheers,
Michael
Regular Contributor I

Re: How do we do packet capturing on ArubaOS?

Which OS are you using? I found some procedure where you can tell the APs to send the sniff packets to some IP address. It sends via port 5555, but I didn't find the way to tell ethereal/wireshark to handle those incoming remote packets.

Does anyone have an idea?
Guru Elite

Aruba's Version of Ethereal

To do packet captures, you need to first download Aruba's version of ethereal/wireshark under the tools menu of the support site. Install it on a Windows PC and set it up to capture using an interface called ARUBA-UDP-PORT-5555 (only exists on Aruba's version of ethereal). Next, initiate a packet capture on the Aruba Controller using the client screen and/or AP screen and clicking the packet capture button. On the next screen make sure the "Interactive" option is checked, the target IP is the wired IP address of the PC with ethereal/wireshark on it and the port is 5555. Click on START and it should stream the packets to the PC.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I

Re: How do we do packet capturing on ArubaOS?

Isn't there a sort of plugin for Wireshark instead of installing this "older" version from the Aruba website? Mostly those network engineers already have their own preconfigured Wireshark version and don't want to uninstall/install another older one.

Some other ideas?
Guru Elite

Wireshark

Honestly,

That is not my area of expertise, so I will have to defer to someone who knows how it is packaged.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: How do we do packet capturing on ArubaOS?

Thank you Colin Joseph.
Your information is very useful for us and worked well.

I have tested the DoS attack using 2 Aruba controllers and 2 AMs with each other and captured packets at the AP.
I got 2 Wireshark files; those are from testing with DoSing and without DoSing.
Could somebody please kindly check my testing?
I would like to know whether my capture result is OK or not as proof of a de-authentication and disassociation attack.

Please see the attachment.

Best Regards.
Guru Elite

Disassociation

The question is, what are you trying to prove?

In most disassociation attacks, the source address of the attacker is spoofed, so it is very hard to follow without knowing which mac addresses are which. It would look like the client says that it is roaming away.

Again, what are you trying to prove?


Colin Joseph
Aruba Customer Engineering


Aruba Employee

Re: How do we do packet capturing on ArubaOS?


The question is, what are you trying to prove?

In most disassociation attacks, the source address of the attacker is spoofed, so it is very hard to follow without knowing which mac addresses are which. It would look like the client says that it is roaming away.

Again, what are you trying to prove?






If you are trying to prove that you are DoS'ing, you can see the deauth packets in the capture you sent up. In this jpg I uploaded, I selected one of them.
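Added example, not part of the thread: one way to check a capture for the deauthentication and disassociation frames discussed above is to tally them per claimed source, destination and reason code. It assumes the frames are raw 802.11 MAC frames with any capture or encapsulation header already removed; the sample frames, MAC addresses and flood threshold are constructed for illustration. As noted above, the source address is whatever the transmitter claims, so a spoofed frame is counted under the spoofed address.

```python
import struct
from collections import Counter

KINDS = {0x0A: "disassoc", 0x0C: "deauth"}  # 802.11 management subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return (kind, dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    fc0, flags = frame[0], frame[1]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in KINDS:
        return None
    # With 802.11w the body is encrypted (Protected bit), so the reason is unreadable.
    reason = None if flags & 0x40 else struct.unpack_from("<H", frame, 24)[0]
    return (KINDS[subtype], mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason)

def summarize(frames):
    """Count deauth/disassoc frames per (kind, dst, claimed src, bssid, reason)."""
    return Counter(r for r in map(parse_mgmt, frames) if r)

def floods(counts, threshold=10):
    """Keys seen at least `threshold` times (threshold is an assumed value)."""
    return [k for k, n in counts.most_common() if n >= threshold]

def build(subtype, dst, src, bssid, reason, seq):
    """Construct a sample management frame for the demo below."""
    head = bytes([subtype << 4, 0, 0, 0]) + dst + src + bssid
    return head + struct.pack("<HH", (seq << 4) & 0xFFFF, reason)

# Constructed sample data (locally administered MACs, not from the thread's capture).
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("0200000000aa")
SAMPLE = [build(0x0C, STA, AP, AP, 7, i) for i in range(20)]   # burst of deauths
SAMPLE.append(build(0x0A, AP, STA, AP, 8, 1))                  # one normal disassoc
SAMPLE.append(build(0x08, b"\xff" * 6, AP, AP, 0, 2))          # beacon, ignored

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```

Comparing the tally from a capture taken with the test running against one taken without it shows whether the burst is actually present in the data.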
Regular Contributor II

Re: How do we do packet capturing on ArubaOS?


Isn't there a sort of plugin for Wireshark instead of installing this "older" version from the Aruba website? Mostly those network engineers already have their own preconfigured Wireshark version and don't want to uninstall/install another older one.

Some other ideas?




Hi
With the last release of Wireshark, there is support for Aruba ERM (Encapsulated Remote Mirroring).

To activate this option, in Wireshark Preferences => Protocols => Aruba ERM => Aruba ERM Ports Number : 5555

:)
ACMP 6.4 / ACMX #107 / ACCP 6.5
Guru Elite

Wireshark

Thanks for that tip!


Colin Joseph
Aruba Customer Engineering

