How-to: IAP wireless packet capture

By j.easley posted Sep 26, 2014 07:19 AM


Aruba Instant version and above have the pcap command for doing wireless packet capture on the IAP. This command is not exposed in the Web UI and has to be run from the CLI.


1. Enable the Telnet option on the IAP. By default, Telnet (terminal) access is disabled.


2. Use "show ap monitor status" to identify the base BSSID.

WLAN Interface
bssid              scan    monitor  probe-type  phy-type        task   channel  pkts
-----              ----    -------  ----------  --------        ----   -------  ----
00:24:6c:ae:81:68  enable  enable   m-portal    80211a-HT-40    tuned  149+     360116135
00:24:6c:ae:81:60  enable  enable   sap         80211b/g-HT-20  tuned  11       172543704

In the example above, the base BSSID for 80211a is "00:24:6c:ae:81:68" and the base BSSID for 80211b/g is "00:24:6c:ae:81:60".

3. Use "pcap start <base bssid> <ip address of PC with Aruba version of Wireshark installed> <port> 0 1518"

The number after the port selects the format: use 0 (pcap) for Wireshark and 1 (peek) for Omnipeek.

Optionally you can add the channel at the end. This is good to use when placing the IAP into AM mode so you can capture on one channel instead of scanning.

pcap start 00:24:6c:ae:81:68 <ip address of PC> 5555 0 1518

4. Use "show pcap" to check the active pcap session

Packet Capture Sessions
pcap-id  filter  type  intf               channel  max-pkts  max-pkt-size  num-pkts  status       url  target
-------  ------  ----  ----               -------  --------  ------------  --------  ------       ---  ------
1                raw   00:24:6c:ae:81:68  149                                        in-progress

5. Use "pcap stop <base bssid> <pcap-id>" to stop the capture

pcap stop 00:24:6c:ae:81:68 1

6. Run the Aruba version of Wireshark on the PC and, for the capture interface, select ARUBA udp-port=5555

Note: If you reboot the AP these settings are lost and you have to start the pcap again. If you are going to change the AP to an AM you should do that before you start the pcap.
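As an added example (not part of the original post or any Aruba tooling), this Python helper parses the two CLI tables shown in steps 2 and 4 by their dashed rule lines and builds the matching "pcap start" and "pcap stop" commands, so that no in-progress session is left streaming. The function names and the collector address 192.0.2.10 are assumptions made for illustration.

```python
import re

# Sample input: CLI output copied from steps 2 and 4 above (wiki markup removed).
MONITOR_STATUS = """\
bssid              scan    monitor  probe-type  phy-type        task   channel  pkts
-----              ----    -------  ----------  --------        ----   -------  ----
00:24:6c:ae:81:68  enable  enable   m-portal    80211a-HT-40    tuned  149+     360116135
00:24:6c:ae:81:60  enable  enable   sap         80211b/g-HT-20  tuned  11       172543704
"""
SHOW_PCAP = """\
pcap-id  filter  type  intf               channel  max-pkts  max-pkt-size  num-pkts  status       url  target
-------  ------  ----  ----               -------  --------  ------------  --------  ------       ---  ------
1                raw   00:24:6c:ae:81:68  149                                        in-progress
"""

def parse_table(text):
    """Parse a fixed-width CLI table; column offsets come from the dashed rule
    line, so empty cells (filter, max-pkts, ...) do not shift later columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rule = next(i for i, ln in enumerate(lines) if re.fullmatch(r"[- ]+", ln))
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [lines[rule - 1][a:b].strip() for a, b in spans]
    return [{n: row[a:b].strip() for n, (a, b) in zip(names, spans)}
            for row in lines[rule + 1:]]

def base_bssids(monitor_text):
    """Map each radio's phy-type to its base BSSID."""
    return {r["phy-type"]: r["bssid"] for r in parse_table(monitor_text)}

def start_command(bssid, collector_ip, port=5555, fmt=0, max_size=1518):
    """Build the step 3 command; fmt 0 = pcap (Wireshark), 1 = peek (Omnipeek)."""
    if not re.fullmatch(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", bssid.lower()):
        raise ValueError(f"not a BSSID: {bssid!r}")
    return f"pcap start {bssid} {collector_ip} {port} {fmt} {max_size}"

def stop_commands(pcap_text):
    """One 'pcap stop' per session that 'show pcap' reports as in-progress."""
    return [f"pcap stop {r['intf']} {r['pcap-id']}"
            for r in parse_table(pcap_text) if r["status"] == "in-progress"]

if __name__ == "__main__":
    radios = base_bssids(MONITOR_STATUS)
    # 192.0.2.10 is a constructed collector address (documentation range).
    print(start_command(radios["80211a-HT-40"], "192.0.2.10"))
    print("\n".join(stop_commands(SHOW_PCAP)))
```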



Sep 23, 2019 03:12 AM

Remember that this only works if the iAP is in monitor mode

Jul 15, 2015 03:57 PM

The latest production builds of Wireshark will interpret the packet stream quite effectively. I would recommend that users not use the very old fork which Aruba presents on their Tools and Resources page. The feature enhancements and bug fixes in Wireshark make the "live" version much safer and more robust than the un-updated version on the Aruba site. Follow the same instructions, just use the latest Wireshark.