Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

tcpdump syntax for equivalent of wireshark capture from AP
  • 1.  tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 03, 2014 12:00 PM

    I've used wireshark many times to capture wireless traffic streamed from an AP, but just wondering if it is possible using tcpdump on a linux box, and what the command syntax would be?

    I'm just getting a load of junk cause it's all encapsulated.



  • 2.  RE: tcpdump syntax for equivalent of wireshark capture from AP



  • 3.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 03, 2014 12:28 PM

    Actually, looks like it was the old version of wireshark not reading it properly.

    Seems what I was doing was correct anyway.  For reference, I ran this on the box:

    tcpdump -i eth0 -w capture.pcapng "udp and (src port 5555)"



  • 4.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    Posted Nov 03, 2014 08:12 PM

    Add flags "-s 0 -U" for tcpdump to get the whole packets and to milk the last packets from the buffer.

    Also there is a cli-based companion to wireshark called "tshark" you can use for features not present in tcpdump.

    I've never been able to get stock wireshark to decapsulate inside the PAPI wrapper.  Is there a way other than running a vendor-specific build?



  • 5.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 06, 2014 09:30 PM

    bjulin,

    The production version of wireshark also has the Aruba decoder.



  • 6.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    Posted Nov 06, 2014 11:23 PM

     

    As far as I've been able to get that to work, I can decode the remote monitoring encapsulation, but I can't get it to decode the actual frames, other than 802.11 control frames.  They always just show up as "QoS Data".

    See attached.



  • 7.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 07, 2014 08:07 AM

    bjulin,

    Let's make sure you have all your ducks lined up.  Here is what you will need:

    - Wired laptop with the latest Wireshark installed
    - One access point configured as an Air Monitor
    - Wired connectivity between the Air Monitor and the wired laptop.

    Procedure:

    First, make sure the version of wireshark has the Aruba ERM:

    Edit > Wireshark Preferences => Protocols => Aruba ERM.  Make sure the port is 5555.

    Secondly, make sure the device you are capturing is an AM.

    Next, set up wireshark to do a packet capture on the wired interface of that laptop.  In the filter box, just like you typed, type "aruba_erm" so that we only get Aruba packet capture traffic.

    On the command line of the controller, you will need (1) the IP address of the air monitor, (2) the channel you want to capture on, and (3) the IP address of the wired laptop.  To start a packet capture, first you need to tune the AM so that it is only capturing on the channel you want it to.  Below I have the air monitor with the IP address of .116 tuned to channel 161 (more on how to capture 40 MHz and 80 MHz channels later):

    am scan 192.168.1.116 161

    Next, I need to stream all of the traffic from that access point on that radio to the wired laptop.  Below, the ap-name is the name of the Air Monitor.  The IP address (.72) is the IP address of my wired laptop.  5555 matches the ERM port I am using in wireshark.  The number after "radio" must be 0 if I am capturing 5 GHz and 1 if I am capturing 2.4 GHz:

    ap packet-capture raw-start ap-name Office-135 192.168.1.72 5555 0 radio 0

    This is what I see from wireshark on my mac:

    [screenshot: wireshark.png]

    If you want to capture a 40 MHz channel you would do this:

    am scan 192.168.1.116 36+

    If you want to capture an 80 MHz channel (802.11ac AP required), you would do this:

    am scan 192.168.1.116 36E

    I hope this helps.



  • 8.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 07, 2014 08:08 AM

    You won't be able to see inside a QoS Data packet unless you capture on the controller after the 802.11 -> 802.3 process has occurred.



  • 9.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 07, 2014 08:14 AM

    Yes, like Tim said, you just see encrypted frames in the Air as captured.  There are other packet captures that can be done on the controller side to see the decrypted client traffic (Tim's link to that is in his OTHER post above :)



  • 10.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    Posted Nov 07, 2014 10:06 AM

    If you'll look at the screenshot I posted you'll notice that the trace is indeed from a controller-side/ERM capture, and that the payload traffic is not encrypted.

    What I am referring to is that Wireshark does not show me the ARP packet that is in the highlighted region (this particular screenshot shows a corrupted ARP packet, but the behavior is the same on pristine payload.)  Instead of showing an "ARP" packet in the tree and allowing me to browse through the fields of the ARP packet, it just shows "QoS Data".  You can manually parse through the data there, but it is a heck of a lot more convenient if Wireshark does that.

    The reason it does not appears to be something with the header of the encapsulated 802.11 frame, which either is not a standard 802.11 header or wireshark has not been told to attach an 802.11 dissector to that chunk of data.  I don't know if the ERM dissector can be made to tell wireshark to do that or if there is a way to do it through custom dissectors.  I wasn't able to figure out the latter, and I've figured out how to configure some pretty tricky GRE dissectors so I'm not a total amateur in that department.



  • 11.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 07, 2014 10:39 AM

    bjulin,

    Please state the exact steps you used to capture so everyone can know what you have.



  • 12.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    Posted Nov 07, 2014 01:04 PM

    Pretty much the same as the instructions you posted except:

    1) the ap was not in AM mode, rather carrying traffic
    2) capture at the ERM receiver was done via tshark

    You will note that it looks like the screenshot posted in the instructions has the same problem.



  • 13.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 07, 2014 01:32 PM
    Bjulin,

    What is missing from your capture?


  • 14.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    Posted Nov 07, 2014 02:33 PM

    Missing?  Nothing's missing.  Sorry if there was some confusion because I hijacked the thread a bit after it was resolved.  No content is missing from the capture; my question was simply how to get Wireshark to decode the content I got.



  • 15.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 07, 2014 03:01 PM

    bjulin,

    The frames you are receiving are copies of what is seen in the air.  If you are capturing an encrypted network in the air, they will be encrypted in wireshark.  The aruba decoder is just something to remove the encapsulation needed to transport the frames from the access point to the laptop.  You are left with encrypted frames, if that is how they are seen in the air.
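Added example (not code from this thread, from Aruba, or from Wireshark): a small Python script that models offline what posts 4, 7 and 15 describe together, namely the tcpdump/Wireshark port filter, the ERM decapsulation step, and the question of whether the inner frame is encrypted. It keeps only UDP port 5555 packets, strips the ERM record header, and decodes the 802.11 Frame Control field to report type, subtype, whether it is a QoS Data frame, and whether the Protected Frame flag is set, which is the quick test for "encrypted in the air". Assumptions: the 16-byte big-endian ERM record header (seconds, microseconds, captured length, original length) is the layout Wireshark's ERM dissector treats as its "pcap" type; the AP and laptop addresses are the ones used in the thread; all frames are constructed in the script, not captured.

```python
"""Offline model of the capture path in this thread (added example, not Aruba code):
Ethernet -> IPv4 -> UDP port 5555 -> Aruba ERM record -> raw 802.11 frame.
The 16-byte ERM header layout (ts_sec, ts_usec, incl_len, orig_len, big-endian)
is an assumption taken from what Wireshark's ERM dissector calls its "pcap" type."""
import struct

ERM_PORT = 5555                      # default port in the Wireshark Aruba ERM preference
ERM_HDR = struct.Struct("!IIII")     # assumed ERM record header
DOT11_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Extension"}


def parse_ethernet(frame):
    """Return (ethertype, payload) for an Ethernet II frame."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return ethertype, frame[14:]


def parse_ipv4(pkt):
    """Return (protocol, source address, L4 segment), honouring IHL and total length."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(str(b) for b in pkt[12:16])
    return pkt[9], src, pkt[ihl:total_len]


def parse_udp(seg):
    """Return (sport, dport, payload) for a UDP segment."""
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return sport, dport, seg[8:length]


def parse_erm(payload):
    """Strip the ERM record header; refuse records cut short by a small snaplen."""
    ts_sec, ts_usec, incl_len, orig_len = ERM_HDR.unpack(payload[:ERM_HDR.size])
    dot11 = payload[ERM_HDR.size:ERM_HDR.size + incl_len]
    if len(dot11) != incl_len:
        # What a capture taken without "-s 0" looks like: the header promises
        # incl_len bytes of 802.11 frame but the captured packet stops early.
        raise ValueError("truncated ERM record: %d of %d bytes" % (len(dot11), incl_len))
    return {"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len,
            "orig_len": orig_len, "dot11": dot11}


def classify_dot11(frame):
    """Decode the 802.11 Frame Control field: type, subtype, QoS Data, Protected bit."""
    fc, flags = frame[0], frame[1]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return {"type_name": DOT11_TYPES[ftype], "subtype": subtype,
            "qos_data": ftype == 2 and bool(subtype & 0x8),
            "protected": bool(flags & 0x40)}     # Protected Frame flag


def extract_erm_frames(frames, port=ERM_PORT):
    """Software equivalent of the BPF filter 'udp port 5555' plus ERM decapsulation."""
    records = []
    for frame in frames:
        ethertype, pkt = parse_ethernet(frame)
        if ethertype != 0x0800:
            continue
        proto, src_ip, seg = parse_ipv4(pkt)
        if proto != 17:
            continue
        sport, dport, payload = parse_udp(seg)
        if port not in (sport, dport):
            continue
        rec = parse_erm(payload)
        rec.update(classify_dot11(rec["dot11"]))
        rec["am_ip"] = src_ip            # the streaming AP / air monitor
        records.append(rec)
    return records


# --- constructed sample traffic (not a real capture) ---------------------------
def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP wrapper with zeroed checksums, enough for the parsers above."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + udp
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00" + ip


def build_erm_record(dot11, ts_sec=1415350000, ts_usec=0):
    return ERM_HDR.pack(ts_sec, ts_usec, len(dot11), len(dot11)) + dot11


# 802.11 frames: Frame Control (2 bytes) followed by padding standing in for the body.
PROTECTED_QOS_DATA = bytes([0x88, 0x41]) + bytes(24) + b"\xde\xad\xbe\xef"   # ToDS + Protected
CLEAR_QOS_DATA = bytes([0x88, 0x02]) + bytes(24) + b"\xaa\xaa\x03"           # FromDS, LLC/SNAP
BEACON = bytes([0x80, 0x00]) + bytes(22)

AM_IP, LAPTOP_IP = "192.168.1.116", "192.168.1.72"     # addresses used in the thread
SAMPLE_FRAMES = [
    build_udp_frame(AM_IP, LAPTOP_IP, ERM_PORT, ERM_PORT, build_erm_record(PROTECTED_QOS_DATA)),
    build_udp_frame(AM_IP, LAPTOP_IP, ERM_PORT, ERM_PORT, build_erm_record(BEACON)),
    build_udp_frame(AM_IP, LAPTOP_IP, ERM_PORT, ERM_PORT, build_erm_record(CLEAR_QOS_DATA)),
    build_udp_frame("192.168.1.1", LAPTOP_IP, 53, 40001, b"not an ERM packet"),
]

if __name__ == "__main__":
    for rec in extract_erm_frames(SAMPLE_FRAMES):
        print(rec["am_ip"], rec["type_name"], "subtype", rec["subtype"],
              "QoS Data" if rec["qos_data"] else "", "protected" if rec["protected"] else "clear")
```

Run it and the three ERM records are listed while the DNS packet is dropped. The first QoS Data frame carries the Protected bit and is the case post 15 describes; the third is QoS Data with the bit clear, which is the situation post 16 reports from a decrypt-tunnel AP. The truncation check in `parse_erm` is the reason behind the `-s 0` advice in post 4: a record whose header promises more bytes than were captured cannot be decoded further.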



  • 16.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    Posted Nov 07, 2014 03:51 PM

    No, they are quite definitely not encrypted frames.  This is a controller-side capture from a campus-mode AP in decrypt-tunnel mode of client traffic that is traversing the AP.  Look at this new screenshot attached.  Does that look encrypted to you?



  • 17.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 07, 2014 04:01 PM
    Bjulin,

    This is an excellent time for you to open a TAC case.




  • 18.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    Posted Nov 07, 2014 04:03 PM

    Does TAC handle wireshark ERM dissector code?

    (and no, 4pm on friday is never an excellent time for that :-)



  • 19.  RE: tcpdump syntax for equivalent of wireshark capture from AP

    EMPLOYEE
    Posted Nov 09, 2014 09:45 AM

    hi Brian

    I can work this with you, contact me anytime via my username here @ arubanetworks dot com. Send me the pcap and let me know what exact version of wireshark you are using.

    regards

    -jeff