Occasional Contributor II

Wireshark capture

Hi,

Is there a way I can decrypt captures taken from an SSID that's using EAP-TLS authentication?

I got the RAP streaming data capture to my PC running Wireshark w/ ERM support. I do get the packets but they are encrypted. (see attachment)

My goal is to determine what exactly my client (iPad) is talking to over the internet.

Thanks,

ckc

Aruba

Re: Wireshark capture

The capture you have attached does not show any user traffic, encrypted or not... it's all management frames (at least when I view it on my tablet here).

When I have encrypted networks, the easiest way I typically use is to port span/mirror after the traffic leaves the controller, e.g. at the egress interface/trunk. There are other ways, but this works all the time.

JF

Aruba

Re: Wireshark capture

BTW, a quick way to understand where the iPad (or any client) is communicating would be to issue a 'show datapath session table | include x.x.x.x'

If the client is 'tunneled' to the controller, this command will show you all the traffic as it arrives/departs from the controller from the client at IP address x.x.x.x.

Handy, if all you want to do is understand what destinations that iPad is going to for a first cut.

You will notice all Apple devices communicate to 17.x.x.x (the Apple mother ship) on a routine basis. That is usually an eye opener for many that didn't know that natively happens. ;)

JF
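The first-cut destination review described in the post above, as an added example that is not part of the original thread: it groups saved session-table text for one client by destination and marks addresses in Apple's 17.0.0.0/8 block. The column layout, the sample rows and the function names are assumptions constructed for illustration; check them against real controller output before relying on the parser.

```python
import ipaddress
from collections import Counter

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")  # the 17.x.x.x range from the post

# Constructed sample. Assumed columns: source, destination, protocol,
# source port, destination port (real output may carry more columns).
SAMPLE = """\
Source IP      Destination IP  Prot  SPort  DPort
10.1.20.55     17.253.144.10   6     51512  443
17.253.144.10  10.1.20.55      6     443    51512
10.1.20.55     17.57.146.20    6     51530  5223
10.1.20.55     10.1.20.1       17    50211  53
10.1.20.77     93.184.216.34   6     40000  80
10.1.20.55     93.184.216.34   6     51544  443
10.1.20.55     17.253.144.10   6     51513  443
"""

def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def summarize_destinations(table_text, client_ip):
    """Count sessions per (destination, protocol, port) sourced by client_ip."""
    client = ipaddress.ip_address(client_ip)
    counts = Counter()
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not (cols[2].isdigit() and cols[4].isdigit()):
            continue  # header, separator or truncated line
        src, dst = _ip(cols[0]), _ip(cols[1])
        if src is None or dst is None or src != client:
            continue  # other clients and return-direction rows
        counts[(dst, int(cols[2]), int(cols[4]))] += 1
    return counts

def report(counts):
    """Rows of (destination, protocol, port, sessions, label), busiest first."""
    rows = []
    for (dst, proto, dport), n in sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0][0]))):
        owner = "Apple 17.0.0.0/8" if dst in APPLE_NET else "internal" if dst.is_private else "other"
        rows.append((str(dst), proto, dport, n, owner))
    return rows

if __name__ == "__main__":
    for row in report(summarize_destinations(SAMPLE, "10.1.20.55")):
        print("%-16s proto=%-3d dport=%-5d sessions=%d  %s" % row)
```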

Occasional Contributor II

Re: Wireshark capture

Thanks for the tips, JF.

ckc

 
