Wireless Access

Reply
Contributor II
Posts: 58
Registered: ‎09-22-2011

Packet Capture on a Client

Hi

 

I´m tring to capture traffic on the AP for a specifc user and send it to my PC (Wireshark) but when i enabled the packet capture option for that client all is good. 

 

PacketCapture.jpg

 

Then on My wireshark I´m using a filter udp.port == 6666 to see the traffic but nothing happens. (My firewall is down and I try it by wirelles and copper.)

 

What could be my problem.? 

 

thanks in advance

 

 

Frequent Contributor I
Posts: 96
Registered: ‎04-09-2007

Re: Packet Capture on a Client

Do you happen to have cpsec enabled? 

If so try sending to port 162 on your wireshark station

 

this might be your problem:

http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/AP-packet-capture-with-wireshark/td-p/35447

 

 

 

Contributor II
Posts: 58
Registered: ‎09-22-2011

Re: Packet Capture on a Client

[ Edited ]

Thanks but no, I don´t have the CPsec enabled.

By the way I tried with the udp 162 port. but nothing appears on my wireshark.  =(

 

 

162udp.jpg

CPsec disabled.jpg

Frequent Contributor I
Posts: 96
Registered: ‎04-09-2007

Re: Packet Capture on a Client

OK so not cpsec issue.  Has this worked for you before?   I'd recommend checking ACL rules - make sure the controller is allowed to talk to your wireshark station on that port... and that nothing along the path to your wireshark station would block the udp stream.

 

 

Occasional Contributor I
Posts: 9
Registered: ‎12-17-2010

Re: Packet Capture on a Client

Did you modify the ARUBA_ERM Protocol port under EDIT->PREFERENCES->PROTOCOLS to be port 6666? When using wireshark in this manner you are setting up remote mirroring. If you do not see this option update wireshark to the latest version.  You can then use capture filters to only collect WLAN data or a display filter to exlude non 802.11 traffic.  Hope this helps.

Contributor II
Posts: 58
Registered: ‎09-22-2011

Re: Packet Capture on a Client

First Time I try it =).

There are not ACLs(only an Any to Any allow). between the Devices.

Contributor II
Posts: 58
Registered: ‎09-22-2011

Re: Packet Capture on a Client

I modify the the ARUBA_ERM and now I can see the traffic but now the problem is that I only see traffic comming from the AP ip to my wireshark station ip. And I want to see the real traffic between my AP and the client. It is normal? (On the traffic I could not see the cliets ip or his mac or nothing)

 

Client ip: 10.10.10.5

AP ip: 10.10.10.250

Wiresahrk ip: 10.10.10.2

 

Users port 6666.jpg

 

 

Client.jpg

 

 

Thanks

Occasional Contributor I
Posts: 9
Registered: ‎12-17-2010

Re: Packet Capture on a Client

Not certain what you mean by real data. What you get with the Aruba redirected mirroring is the packets to/from the AP.  You currently have it filtered by STA address so if you want to see all the beacons and probes you will have to filter by bssid. If it is WEP or WPA/WPA 2 encrypted you can add the key/passphrase to Wireshark to decrypt. If you put a display filter WLAN in wireshark you can limit your view to only wireless  packets from the Aruba redirection. The wireless packets will show as Wireshark Protocol column as 802.11 and other data if unencrypted will show as the type of packet it is like ICMP for a Ping.

 

At layer 4 (IP ) the packet would have the addresses of the AP and your wireshark client because this a redirect for port mirroring from the AP. The Aruba section of the packet  (likely at the bottom) will show the encapsulated 802.11 L2 SA & DA information.

In the example attached the source address is a IPHONE and the destination address is an Aruba 105.

 

 

 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: