Requirement:
Requirement: Controller should be minimum AOS: 6.2 or above for using the command provided in the article.
Solution:From the Command Line Interface of the controller we have the following options to do an Air packet capture for a particular AP.
1. raw-start Stream raw packets to external viewer
2. Stop Stop a Packet Capture session
3. pause Pause a Packet Capture session
4. resume Resume a Packet Capture session
Configuration:Syntax:
This command is executable from the Privilage Mode and no available in Configuration Mode.
(Aruba) #ap packet-capture <raw-start/ Stop/ pause/ resume> <ap-name/ ip-addr/ ip6-addr> <target-ip> <target-port> <format> radio <0/1> (Optional: <Channel/ maxlen>)
target-ip IP Address of host to send frames to(Ip address of Computer Running Wireshark with ARUBA_ERM on UDP port 5555)
target-port UDP Port Number to which to send frames to(We use UDP 5555)
format 0 for pcap, 1 for peek, 2 for airmagnet, 3 for pcap+radio header, 4 for ppi, 5 for peek with 11n/11ac header
radio 0 for "a" and 1 for "b/g"
Optional:
channel Channel to tune into to capture packets
maxlen Maximum length of 802.11 frame to include in the capture
Example:
To Start:
(Aruba) #ap packet-capture raw-start ip-addr 172.26.182.60 142.20.224.190 5555 0 radio 0
Packet capture has started for pcap-id:5
To Stop:
(Aruba) #ap packet-capture stop ip-addr 172.26.182.60 5 radio 0
Here the number 5 represents the pcap-id. When you start a capture the pcap-id would be generated.
To Pause:
(Aruba) #ap packet-capture pause ip-addr 172.26.182.60 5 radio 0
Here the number 5 represents the pcap-id. When you start a capture the pcap-id would be generated.
To Resume:
(Aruba) #ap packet-capture resume ip-addr 172.26.182.60 5 radio 0
Here the number 5 represents the pcap-id. When you start a capture the pcap-id would be generated.
On Computer End:
On your laptop start the Aruba version of Ethereal(Latest Version Wireshark 2.0.3 includes Aruba Ethereal by default). Click Capture and Interfaces. You will see packets active on your Ethernet Interface Click ‘Prepare’ on your Ethernet Interface.Now you can select which of the Aruba Ports to capture on. Select 5555 as we are copying to the port from the AP
VerificationTo View the status of the packet capture
(Aruba) #show ap packet-capture status ip-addr 172.26.182.60
Packet Capture Sessions at AP-1224, IP 172.26.182.60
-----------------------------------------------------
pcap-id filter type intf channel max-pkts max-pkt-size num-pkts status url target Radio ID
------- ------ ---- ---- ------- -------- ------------ -------- ------ --- ------ --------
5 raw 6c:f3:7f:f0:61:90 36 0 0 327 in-progress 142.20.224.190/5555 0