08-23-2013 10:59 AM
I'm trying to capture traffic on the AP for a specific user and send it to my PC (Wireshark), but when I enabled the packet capture option for that client all is good.
Then on my Wireshark I'm using a filter udp.port == 6666 to see the traffic but nothing happens. (My firewall is down and I tried it by wireless and copper.)
What could be my problem?
Thanks in advance
08-23-2013 01:51 PM
Do you happen to have cpsec enabled?
If so try sending to port 162 on your wireshark station
this might be your problem:
08-24-2013 06:19 PM
OK so not cpsec issue. Has this worked for you before? I'd recommend checking ACL rules - make sure the controller is allowed to talk to your wireshark station on that port... and that nothing along the path to your wireshark station would block the udp stream.
08-27-2013 10:53 AM
Did you modify the ARUBA_ERM Protocol port under EDIT->PREFERENCES->PROTOCOLS to be port 6666? When using Wireshark in this manner you are setting up remote mirroring. If you do not see this option, update Wireshark to the latest version. You can then use capture filters to only collect WLAN data or a display filter to exclude non-802.11 traffic. Hope this helps.
08-27-2013 11:57 AM
I modified the ARUBA_ERM and now I can see the traffic, but now the problem is that I only see traffic coming from the AP IP to my Wireshark station IP. And I want to see the real traffic between my AP and the client. Is it normal? (In the traffic I could not see the client's IP or his MAC or anything.)
Client ip: 10.10.10.5
AP ip: 10.10.10.250
Wireshark ip: 10.10.10.2
08-27-2013 12:57 PM
Not certain what you mean by real data. What you get with the Aruba redirected mirroring is the packets to/from the AP. You currently have it filtered by STA address, so if you want to see all the beacons and probes you will have to filter by BSSID. If it is WEP or WPA/WPA2 encrypted you can add the key/passphrase to Wireshark to decrypt. If you put a display filter WLAN in Wireshark you can limit your view to only wireless packets from the Aruba redirection. The wireless packets will show in the Wireshark Protocol column as 802.11, and other data, if unencrypted, will show as the type of packet it is, like ICMP for a ping.
At layer 4 (IP) the packet would have the addresses of the AP and your Wireshark client because this is a redirect for port mirroring from the AP. The Aruba section of the packet (likely at the bottom) will show the encapsulated 802.11 L2 SA & DA information.
In the example attached the source address is an iPhone and the destination address is an Aruba 105.
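
Added example, not part of the thread: a Python illustration of the point in the last reply, that the outer IP header carries only the AP and Wireshark station addresses while the client's addresses sit in the encapsulated 802.11 header. The 16-byte pcap-style record header in front of the frame is an assumption about the mirrored payload layout, and the function names and sample bytes are constructed for illustration.

```python
import struct

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def inner_addresses(udp_payload: bytes) -> dict:
    """Extract the 802.11 addresses carried inside one mirrored UDP payload.

    ASSUMPTION (not stated in the thread): the payload starts with a 16-byte
    pcap-style record header (ts_sec, ts_usec, incl_len, orig_len, big-endian)
    followed directly by the 802.11 frame.
    """
    if len(udp_payload) < 16:
        raise ValueError("shorter than the assumed 16-byte record header")
    _sec, _usec, incl_len, _orig = struct.unpack(">IIII", udp_payload[:16])
    frame = udp_payload[16:16 + incl_len]
    if len(frame) < incl_len or len(frame) < 10:
        raise ValueError("truncated 802.11 frame")
    ftype = (frame[0] >> 2) & 0x3           # 0 = management, 1 = control, 2 = data
    if ftype == 1 or len(frame) < 24:       # control frames: only addr1 is certain
        return {"type": ftype, "receiver": mac(frame[4:10])}
    to_ds, from_ds = frame[1] & 0x01, (frame[1] >> 1) & 0x01
    a1, a2, a3 = (mac(frame[i:i + 6]) for i in (4, 10, 16))
    if to_ds and from_ds:                   # 4-address (WDS) frame
        if len(frame) < 30:
            raise ValueError("truncated 4-address frame")
        return {"type": ftype, "da": a3, "sa": mac(frame[24:30]), "ra": a1, "ta": a2}
    if to_ds:                               # client -> AP
        return {"type": ftype, "bssid": a1, "sa": a2, "da": a3}
    if from_ds:                             # AP -> client
        return {"type": ftype, "da": a1, "bssid": a2, "sa": a3}
    return {"type": ftype, "da": a1, "sa": a2, "bssid": a3}  # management / IBSS

def sample_payload() -> bytes:
    """Constructed sample: a ToDS data frame from a client to its AP."""
    client = bytes.fromhex("020000000005")
    bssid = bytes.fromhex("0200000000fa")
    dest = bytes.fromhex("020000000002")
    frame = (bytes([0x08, 0x01]) + b"\x00\x00" + bssid + client + dest
             + b"\x10\x00" + b"\xaa" * 8)
    return struct.pack(">IIII", 1377630000, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    print(inner_addresses(sample_payload()))
```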