Wireless Access


tcpdump syntax for equivalent of wireshark capture from AP

I've used wireshark many times to capture wireless traffic streamed from an AP, but I'm just wondering if it is possible using tcpdump on a linux box, and what the command syntax would be?

I'm just getting a load of junk because it's all encapsulated.

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Guru Elite

Re: tcpdump syntax for equivalent of wireshark capture from AP

Actually, looks like it was the old version of wireshark not reading it properly.

Seems what I was doing was correct anyway. For reference, I ran this on the box:

tcpdump -i eth0 -w capture.pcapng "udp and (src port 5555)"



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Super Contributor I

Re: tcpdump syntax for equivalent of wireshark capture from AP

Add flags "-s 0 -U" for tcpdump to get the whole packets and to milk the last packets from the buffer.

Also there is a cli-based companion to wireshark called "tshark" you can use for features not present in tcpdump.

I've never been able to get stock wireshark to decapsulate inside the PAPI wrapper. Is there a way other than running a vendor-specific build?

Guru Elite

Re: tcpdump syntax for equivalent of wireshark capture from AP

bjulin,

The production version of wireshark also has the Aruba decoder.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor I

Re: tcpdump syntax for equivalent of wireshark capture from AP

As far as I've been able to get that to work, I can decode the remote monitoring encapsulation, but I can't get it to decode the actual frames, other than 802.11 control frames. They always just show up as "QoS Data".

See attached.

Guru Elite

Re: tcpdump syntax for equivalent of wireshark capture from AP

bjulin,

Let's make sure you have all your ducks lined up. Here is what you will need:

- Wired laptop with the latest Wireshark installed
- One access point configured as an Air Monitor
- Wired connectivity between the Air Monitor and the wired laptop

Procedure:

First, make sure the version of wireshark has the Aruba ERM:

Edit > Wireshark Preferences => Protocols => Aruba ERM. Make sure the port is 5555.

Secondly, make sure the device you are capturing is an AM.

Next, set up wireshark to do a packet capture on the wired interface of that laptop. In the filter box, just like you typed, type "aruba_erm" so that we only get Aruba packet capture traffic.

On the command line of the controller, you will need (1) the IP address of the air monitor, (2) the channel you want to capture on, and (3) the IP address of the wired laptop. To start a packet capture, first you need to tune the AM so that it is only capturing on the channel you want it to. Below I have the air monitor with the IP address of .116 tuned to channel 161 (more on how to capture 40 MHz and 80 MHz channels later):

am scan 192.168.1.116 161

Next, I need to stream all of the traffic from that access point on that radio to the wired laptop. Below the AP-Name is the name of the Air Monitor. The IP address (.72) is the IP address of my wired laptop. 5555 matches the ERM port I am using in wireshark. The number after "radio" must be 0 if I am capturing 5 GHz and 1 if I am capturing 2.4 GHz:

ap packet-capture raw-start ap-name Office-135 192.168.1.72 5555 0 radio 0

This is what I see from wireshark on my mac:

(attached screenshot: wireshark.png)

If you want to capture a 40 MHz channel you would do this:

am scan 192.168.1.116 36+

If you want to capture an 80 MHz channel (802.11ac AP required), you would do this:

am scan 192.168.1.116 36E

I hope this helps.

 



Colin Joseph
Aruba Customer Engineering


Guru Elite

Re: tcpdump syntax for equivalent of wireshark capture from AP

You won't be able to see inside a QoS Data packet unless you capture on the controller after the 802.11 -> 802.3 process has occurred.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: tcpdump syntax for equivalent of wireshark capture from AP

Yes, like Tim said, you just see encrypted frames in the Air as captured.  There are other packet captures that can be done on the controller side to see the decrypted client traffic (Tim's link to that is in his OTHER post above :)


Colin Joseph
Aruba Customer Engineering


Super Contributor I

Re: tcpdump syntax for equivalent of wireshark capture from AP

If you'll look at the screenshot I posted you'll notice that the trace is indeed from a controller-side/ERM capture, and that the payload traffic is not encrypted.

What I am referring to is that Wireshark does not show me the ARP packet that is in the highlighted region (this particular screenshot shows a corrupted ARP packet, but the behavior is the same on pristine payload). Instead of showing an "ARP" packet in the tree and allowing me to browse through the fields of the ARP packet, it just shows "QoS Data". You can manually parse through the data there, but it is a heck of a lot more convenient if Wireshark does that.

The reason it does not appears to be something with the header of the encapsulated 802.11 frame, which either is not a standard 802.11 header or wireshark has not been told to attach an 802.11 dissector to that chunk of data. I don't know if the ERM dissector can be made to tell wireshark to do that or if there is a way to do it through custom dissectors. I wasn't able to figure out the latter, and I've figured out how to configure some pretty tricky GRE dissectors so I'm not a total amateur in that department.
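As an added example (not code from this thread, from Aruba, or from Wireshark) of what sits inside those "QoS Data" frames, this Python script unwraps one ERM datagram and parses the 802.11 header beneath it. It assumes the ERM variant that prefixes each frame with a 16-byte pcap-style record header (ts_sec, ts_usec, caplen, origlen, big-endian), assumes the Air Monitor has already stripped the 4-byte FCS, and feeds itself a constructed sample frame carrying an ARP request; every MAC and IP address in it is made up. It reports whether the frame body is protected (encrypted over the air, so only the header is readable until a capture is taken after the 802.11 to 802.3 conversion on the controller) or carries an LLC/SNAP header whose ethertype identifies ARP, and it raises an error when a datagram was cut short, which is what a default tcpdump snaplen does and "-s 0" avoids.

```python
import struct

FC_TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
LLC_SNAP = bytes.fromhex("aaaa03000000")          # LLC DSAP/SSAP/ctrl + zero OUI
ETHERTYPES = {0x0806: "ARP", 0x0800: "IPv4", 0x86DD: "IPv6", 0x888E: "EAPOL"}
ERM_HDR_LEN = 16


def parse_erm(payload):
    """Split one ERM UDP payload into its record header and the 802.11 frame.

    Assumption (not stated in the thread): the ERM 'pcap' framing is a 16-byte
    record header of ts_sec, ts_usec, caplen, origlen (big-endian) then the frame.
    """
    if len(payload) < ERM_HDR_LEN:
        raise ValueError("ERM datagram shorter than its 16-byte record header")
    ts_sec, ts_usec, caplen, origlen = struct.unpack("!IIII", payload[:ERM_HDR_LEN])
    frame = payload[ERM_HDR_LEN:ERM_HDR_LEN + caplen]
    if len(frame) != caplen:
        # The record header promises caplen bytes but the datagram was cut short,
        # which is what a default tcpdump snaplen does to a long frame.
        raise ValueError("truncated frame: capture with tcpdump -s 0")
    return {"ts": ts_sec + ts_usec / 1e6, "caplen": caplen, "origlen": origlen, "frame": frame}


def parse_80211(frame):
    """Parse the MAC header of an 802.11 frame and classify what follows it.

    Assumes the Air Monitor has already stripped the 4-byte FCS.
    """
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    protected = bool(fc1 & FLAG_PROTECTED)
    hdr_len = 24
    if to_ds and from_ds:
        hdr_len += 6                       # Addr4 is present in WDS frames
    is_qos = ftype == FC_TYPE_DATA and bool(subtype & 0x8)
    if is_qos:
        hdr_len += 2                       # QoS Control field
    addr1, addr2, addr3 = (frame[4 + 6 * i:10 + 6 * i].hex(":") for i in range(3))
    body = frame[hdr_len:]
    result = {"type": ftype, "subtype": subtype, "qos": is_qos, "protected": protected,
              "addr1": addr1, "addr2": addr2, "addr3": addr3, "ethertype": None}
    if ftype != FC_TYPE_DATA:
        result["note"] = "not a data frame"
    elif protected:
        # Encrypted body: only the QoS Data header is readable. Decrypted client
        # traffic has to come from a capture taken after 802.11 -> 802.3 conversion.
        result["note"] = "encrypted payload (Protected bit set)"
    elif body.startswith(LLC_SNAP) and len(body) >= 8:
        result["ethertype"] = struct.unpack("!H", body[6:8])[0]
        result["note"] = ETHERTYPES.get(result["ethertype"], "unknown ethertype")
    else:
        result["note"] = "no LLC/SNAP header at the expected offset"
    return result


def decode_erm_datagram(payload):
    """Full path: ERM record header, then the 802.11 frame it wraps."""
    rec = parse_erm(payload)
    out = parse_80211(rec["frame"])
    out["ts"] = rec["ts"]
    return out


def build_sample_erm(protected=False):
    """Constructed sample: a QoS Data frame from an AP (FromDS) carrying an ARP request."""
    fc1 = FLAG_FROM_DS | (FLAG_PROTECTED if protected else 0)
    hdr = bytes([0x88, fc1]) + b"\x00\x00"              # QoS Data subtype, Duration 0
    hdr += bytes.fromhex("001122334455")               # Addr1: client (made up)
    hdr += bytes.fromhex("000b86aabbcc")               # Addr2: BSSID (made up)
    hdr += bytes.fromhex("001122334466")               # Addr3: original source (made up)
    hdr += b"\x00\x10" + b"\x00\x00"                   # Sequence control, QoS control
    if protected:
        body = bytes(range(8)) + bytes(36)             # CCMP header + opaque ciphertext
    else:
        arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # ARP request, Ethernet/IPv4
               + bytes.fromhex("001122334466") + bytes([192, 168, 1, 10])
               + bytes(6) + bytes([192, 168, 1, 1]))
        body = LLC_SNAP + b"\x08\x06" + arp
    frame = hdr + body
    return struct.pack("!IIII", 1700000000, 0, len(frame), len(frame)) + frame


if __name__ == "__main__":
    for prot in (False, True):
        print(decode_erm_datagram(build_sample_erm(protected=prot)))
```

Running the script prints one summary for the cleartext ARP frame (ethertype 0x0806) and one for the protected variant, where the body is opaque and only the addresses and QoS header are recoverable.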
