Wireless Access

Reply
MVP
Posts: 1,110
Registered: ‎10-11-2011

Packet Capture - Seeing L2 Traffic Only

Am I only supposed to see L2 traffic when performing a client packet capture?  I need to capture all communication from a wireless client.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: Packet Capture - Seeing L2 Traffic Only

[ Edited ]

How are you doing the packet capture?

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Packet Capture - Seeing L2 Traffic Only

I'm using the controller GUI. Selecting a client then doing a raw packet capture to my computer with Wireshark running. I have the latest version of Wireshark with the Aruba display filter set.
=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: Packet Capture - Seeing L2 Traffic Only

Correct. That is the layer 2 traffic as if you were standing next to the ap. If you are using encryption, you will see encrypted traffic.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Packet Capture - Seeing L2 Traffic Only

I'm not sure I see the point in this feature if the traffic is encrypted.  I need to be able to view the unecrypted traffic to/from a wireless client.  Do I have any other options for capturing the clients wireless traffic?  I'm trying to avoid installing Wireshark on the clients PC.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: Packet Capture - Seeing L2 Traffic Only

A client has to connect layer2 before it even gets an ip address and the exchanges that occur at that level are very important to the troubleshooting process.  This is frequently the method used to diagnose clients that cannot connect or have problems staying connected.

 

To see what other methods are available for packet capture, please see the document here:  http://community.arubanetworks.com/aruba/attachments/aruba/115/160/1/Packet+Capturing+Options+with+Aruba+Wireless+Networks.pdf



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Packet Capture - Seeing L2 Traffic Only

Thanks for reply.  That makes sense.

 

As a sidenote,I was troubleshooting something with Wireshark on my computer this morning and noticed an unusual amount of traffic being displayed.  It's all "Aruba encapsulated remote mirroring" packets and believe this is from the client that I ran a packet capture on yesterday.  I must have forgot to stop the packet capture.  From the controller GUI, I went to the client page, selected the user, and clicked packet capture to see if I could stop the capture but nothing happens when I clicked the button.  If I CLI into the controller and run "show packet-capture", all packet filtering is disabled.  How can I stop this packet capture???

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 20,773
Registered: ‎03-29-2007

Re: Packet Capture - Seeing L2 Traffic Only

You cannot see if user packet captures are active globally.   When you start a packet capture this way, the controller sends a message to the AP to stream pcap traffic directly from the AP to the management station, without controller intervention.  The controller does not keep track of what streams were initiated or are in progress, at length.  You would reboot the access point to stop this, or if you know what ap, you would use the commandline "pcap stop" command.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Packet Capture - Seeing L2 Traffic Only

I logged back into the controller and was able to see the packet capture still running and stop it.  Not sure why it wouldn't let me get that far last time.   Good to know I can log into the AP next time to stop it in case I have this problem again.

 

Thanks!

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Search Airheads
Showing results for 
Search instead for 
Did you mean: