Regular Contributor II

IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC

Hi,

 

When there is some problem with a wireless network, it is sometimes necessary to have some pcap traces for troubleshooting!

With the new 802.11ac standard, there is not yet an AirPcap available for making pcap traces!

But with Aruba IAP, it is possible to use the IAP for remote pcap with Wireshark! (It is also possible with an Aruba Controller!)

 

You need:

  • an IAP (IAP225 recommended if you want to sniff 802.11ac)
  • a computer with Wireshark (> 1.11.3!) available here

Connect to the IAP with SSH:

It is the same login and password as for the web administration page.

 

Find the BSSID of the access point using the show ap monitor status command.

In WLAN Interface, there is the list of BSSIDs (one for 802.11b/g and one for 802.11a/n/ac).

In my example, the BSSID is 24:de:c6:8b:12:20

 


Now use the pcap command!

There are multiple arguments in the command:

pcap start BSSID @IPofcomputer UDPPort format size

  • BSSID is the BSSID of the IAP
  • @IPofcomputer is the IP address of the computer with Wireshark
  • UDPPort is the UDP port to which the packets are sent on the computer (use 5555)
  • format is the format of the packets sent to the computer (there is pcap, peek, airmagnet, pcap radio or ppi; see below for the recommended value)
  • size is the max size of a packet (use 5000)

 

 

About the format: the airmagnet format is currently not yet supported by Wireshark. It is recommended to use pcap for a simple remote capture; if you need radio info, use the PPI or pcap radio format.

The packet capture is started with id 5.

 

Now launch Wireshark and go to the preferences.

Search for the Aruba ERM preferences.

Set the UDP port configured on the IAP (5555) and also select the format of the captured packets (in my example, pcap (type 0)),

and launch the capture on your computer.

You should receive all traffic from your network card; it is possible to filter the IAP traffic with the following display filter: udp.port==5555

 


You can now troubleshoot your wireless network.

 

To display the list of remote pcaps, you can use the following command:

show pcap status

To stop the capture, in the SSH terminal, use the command:

pcap stop BSSID ID

Replace BSSID with the BSSID of the IAP and ID with the id number of the pcap capture (use show pcap status to find this number).

ACMP 6.4 / ACMX #107 / ACCP 6.5
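
An added example, not part of the original post and not Aruba or Wireshark code: a small receiver for the UDP stream described in the post above that writes the frames to a pcap file and drops malformed datagrams. It assumes that format pcap (type 0) carries a 16-byte big-endian pcap record header followed by the 802.11 frame; the function names, the output file name and the addresses are hypothetical.

```python
import socket
import struct

LINKTYPE_IEEE802_11 = 105              # pcap link type for bare 802.11 frames
REC_HDR = struct.Struct(">IIII")       # ASSUMED type 0 layout: ts_sec, ts_usec, incl_len, orig_len

def parse_erm_pcap(datagram: bytes):
    """Return (ts_sec, ts_usec, orig_len, frame), or None for a malformed datagram."""
    if len(datagram) < REC_HDR.size:
        return None
    ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(datagram)
    frame = datagram[REC_HDR.size:REC_HDR.size + incl_len]
    # The port is reachable from the network, so never trust the declared lengths.
    if incl_len == 0 or len(frame) != incl_len or orig_len < incl_len:
        return None
    return ts_sec, ts_usec, orig_len, frame

def pcap_global_header(snaplen: int = 65535) -> bytes:
    """24-byte header of a little-endian, microsecond-resolution pcap file."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_IEEE802_11)

def pcap_record(ts_sec, ts_usec, orig_len, frame) -> bytes:
    """One pcap file record: 16-byte record header followed by the frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame

def receive(bind_ip: str, ap_ip: str, port: int = 5555, out_path: str = "iap.pcap"):
    """Write frames sent by ap_ip to out_path until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(out_path, "wb") as out:
        sock.bind((bind_ip, port))
        out.write(pcap_global_header())
        while True:
            data, (src, _) = sock.recvfrom(65535)
            if src != ap_ip:           # ignore datagrams that do not come from the IAP
                continue
            record = parse_erm_pcap(data)
            if record is not None:
                out.write(pcap_record(*record))
                out.flush()

if __name__ == "__main__":
    # Constructed addresses: replace with the Wireshark host and the IAP.
    receive(bind_ip="192.0.2.10", ap_ip="192.0.2.20")
```

The stream is plain UDP, so binding to one interface address and accepting only the IAP's source address keeps other hosts on the segment from writing into the capture file.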
Frequent Contributor II

Re: IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC

This looks promising but I'm not very familiar with IAP configuration, do you need to configure the IAP a specific way and how are you connected to the IAP?

Regular Contributor II

Re: IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC

Hi rosie

 

No specific configuration of the IAP, and my IAP is connected to my network... :-)

ACMP 6.4 / ACMX #107 / ACCP 6.5

Re: IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC

I'm assuming this can only be done if you are local to the location and not remote.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Frequent Contributor II

Re: IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC

I remember reading a post shared previously where the laptop was directly connected to the IAP running a specific code.

 

Here is the previous post: http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/AP-225-Sniffer/td-p/142005

Regular Contributor II

Re: IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC


pmonardo wrote:
I'm assuming this can only be done if you are local to the location and not remote.

Yes... but the capture is not on your computer ;-) (and it is possible to route the packets in your network!)

ACMP 6.4 / ACMX #107 / ACCP 6.5

Re: IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC

Great article! You helped solve an immediate need I had.
=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.

Re: IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC

Lately I'm finding that when doing a capture from the controller, port 5555 is denied in the datapath session table. If you change the port to something like 162, it will get through to the Wireshark client.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Regular Contributor II

Re: IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC

Strange,

 

No uplink ACL on the AP? Is it a Campus AP or a RAP?

ACMP 6.4 / ACMX #107 / ACCP 6.5

Re: IAP: Using remote pcap with #Wireshark #BMC #MAY-MHC

No uplink ACL. It was a campus AP on 6.3.x

 

I saw on another post to use one of the standard ports (like 162) to 'trick' the controller into allowing it.

 

I did put this command in as well,

 

ap packet-capture open-port 5555

but it made no difference. That gets added to the sys-ap-acl and my APs are using the ap-acl, which I guess is why it got denied.

 

In any case, it was my lab controller, so maybe things got messed up with so many changes and upgrades/downgrades.  Main thing is I got it to work in the end.

 



If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294