Question: How do I configure Wireshark for remote packet capture (on Windows, Mac OS X, and Linux)?
Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
To configure Wireshark for remote packet capture, follow these steps:
1) Start Wireshark as usual. Choose Capture > Options. Choose the wired port interface (en0 on Mac OS X, or eth0 on Linux). Apply the capture filter udp port 5000 (or whichever port you want to use). Promiscuous mode is not required. Click Start.
2) On the controller, start the raw packet capture from WebUI or CLI. Choose Airopeek format for the remote packet capture. On the CLI, issue this command:
pcap raw-start <am_ip> <Macintosh_ip> 5000 1 bssid <a_or_g_base_bssid>
Note: 5000 is the port you chose in step 1, and "1" is the Airopeek format. Remember the raw-pcap ID so that you can stop the remote packet capture.
3) You should now see traffic arriving in Wireshark. Right-click any frame and choose Decode As. On the Transport tab, set the UDP destination port (5000) to AIROPEEK and click OK.
Wireshark now presents the remote capture as Wi-Fi frames.
4) You can stop and start the capture again; Wireshark remembers this decoding until you quit Wireshark.
5) Stop the remote packet capture when it is finished by issuing this command:
pcap stop <am_ip> <pcap_id>
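The datagrams the controller sends in Airopeek format (the "1" in step 2) carry a short radio header in front of each 802.11 frame, which is why Wireshark needs the Decode As step. The following parser is an added example, not code from Aruba or from this article; the 20-byte legacy header layout is assumed to match Wireshark's peekremote dissector and should be verified against a real capture from your controller.

```python
"""Parse one legacy AiroPeek remote-capture datagram (UDP payload) into its radio
header and the 802.11 frame it carries."""
import struct
from dataclasses import dataclass

# Assumed layout of the 20-byte legacy header (as in Wireshark's peekremote
# dissector): signal dBm, noise dBm, packet length, slice length, flags,
# status, 64-bit timestamp, rate in 500 kb/s units, channel, signal %, noise %.
LEGACY_HDR = struct.Struct(">bbHHBBQBBBB")
NEW_FORMAT_MAGIC = b"\x00\xff\xab\xcd"  # newer OmniPeek header; not handled here


@dataclass
class PeekFrame:
    signal_dbm: int
    noise_dbm: int
    timestamp: int      # raw 64-bit value from the header
    rate_mbps: float
    channel: int
    frame: bytes        # the raw 802.11 frame that follows the header


def parse_airopeek_datagram(payload: bytes) -> PeekFrame:
    """Validate the header and return the radio metadata plus the 802.11 frame."""
    if payload[:4] == NEW_FORMAT_MAGIC:
        raise ValueError("new-style peekremote header, not the legacy format")
    if len(payload) < LEGACY_HDR.size:
        raise ValueError("datagram shorter than the 20-byte legacy header")
    sig, noise, _plen, slen, _flags, _status, ts, speed, chan, _sp, _np = \
        LEGACY_HDR.unpack_from(payload)
    frame = payload[LEGACY_HDR.size:]
    # slice length says how many frame bytes the sensor actually forwarded
    if slen and len(frame) < slen:
        raise ValueError(f"truncated frame: header says {slen}, got {len(frame)}")
    return PeekFrame(sig, noise, ts, speed / 2, chan, frame[:slen] if slen else frame)


def frame_type(frame: bytes) -> str:
    """Decode the 802.11 Frame Control type/subtype, e.g. 'mgmt/8' for a beacon."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return {0: "mgmt", 1: "ctrl", 2: "data"}.get(ftype, "ext") + f"/{subtype}"


# Constructed sample: a beacon header (type 0, subtype 8) with zeroed fixed fields.
SAMPLE_80211 = bytes.fromhex("80000000" "ffffffffffff" "001122334455"
                             "001122334455" "1000") + b"\x00" * 12
SAMPLE_DATAGRAM = LEGACY_HDR.pack(-42, -95, len(SAMPLE_80211), len(SAMPLE_80211),
                                  0, 0, 1_700_000_000_000_000, 12, 6, 60, 5) + SAMPLE_80211

if __name__ == "__main__":
    pf = parse_airopeek_datagram(SAMPLE_DATAGRAM)
    print(f"ch {pf.channel} {pf.rate_mbps} Mb/s {pf.signal_dbm} dBm {frame_type(pf.frame)}")
```

Feeding the payload of each UDP datagram received on the port chosen in step 1 through parse_airopeek_datagram gives the same metadata Wireshark shows after the Decode As step.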