IAP: Using remote pcap with #Wireshark

By j.easley Unpublished


Tutorial by: alagoutte


When there is a problem with a wireless network, it is sometimes necessary to have a pcap trace for troubleshooting.

With the new 802.11ac standard, there is not yet an AirPcap adapter available for making pcap traces.


But with an Aruba IAP, it is possible to use the IAP as a remote pcap source for Wireshark (this is also possible with an Aruba controller).


You need:

  • an IAP (IAP-225 recommended if you want to sniff 802.11ac)
  • a computer with Wireshark (> 1.11.3), available here

Connect to the IAP with SSH:



The login and password are the same as for the web administration page.


Find the BSSID of the access point using the show ap monitor status command.




Under WLAN Interface, there is the list of BSSIDs (one for 802.11b/g and one for 802.11a/n/ac).

In my example, the BSSID is 24:de:c6:8b:12:20


Now use the pcap command.




The command takes multiple arguments:

pcap start BSSID @IPofcomputer UDPPort format size

  • BSSID is the BSSID of the IAP
  • @IPofcomputer is the IP address of the computer running Wireshark
  • UDPPort is the UDP port on which the packets are sent to the computer (use 5555)
  • format is the format of the packets sent to the computer (pcap, peek, airmagnet, pcap radio or ppi; see below for the recommended value)
  • size is the maximum packet size (use 5000)



About the format: the airmagnet format is not yet supported by Wireshark. It is recommended to use pcap for simple remote capture; if you need radio information, use the PPI or pcap radio format.


The packet capture is started with ID 5 (in my example).


Now launch Wireshark and go to the preferences.



Search for the Aruba ERM preferences.



Set the UDP port configured on the IAP (5555) and also select the format of the captured packets (in my example, pcap (type 0)),


and start a capture on your computer.


You will receive all traffic from your network card; you can filter for the IAP traffic with the following display filter: udp.port==5555



You can now troubleshoot your wireless network.


To display the list of remote pcap sessions, use the following command:

show pcap status




To stop the capture, use the following command in the SSH terminal:

pcap stop BSSID ID

Replace BSSID with the BSSID of the IAP and ID with the ID number of the pcap capture (use show pcap status to find this number).
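As an added example (not part of this tutorial and not an Aruba or Wireshark tool), the following Python script is a minimal receiver for the ERM stream described above: it binds UDP port 5555 on the capture computer, which also stops the host from answering every datagram with the ICMP port-unreachable replies mentioned in the comments, and writes each frame sent in the pcap (type 0) format into a standard pcap file that Wireshark can open. The 16-byte ERM type-0 header layout is an assumption taken from Wireshark's Aruba ERM dissector, and the tutorial's BSSID is used only to build a constructed sample datagram.

```python
import socket
import struct

# Assumed layout of an Aruba ERM "pcap" (type 0) datagram, as dissected by Wireshark's
# packet-aruba-erm: a 16-byte big-endian header (ts_sec, ts_usec, incl_len, orig_len)
# followed by the raw 802.11 frame. Other ERM types (peek, airmagnet, pcap+radio, PPI)
# carry different headers and are not handled here.
ERM_HDR = struct.Struct(">IIII")
LINKTYPE_IEEE802_11 = 105  # pcap link type for raw 802.11 frames without a radio header

def parse_erm_type0(datagram):
    """Return (ts_sec, ts_usec, orig_len, frame) or None if the datagram is malformed."""
    if len(datagram) < ERM_HDR.size:
        return None
    ts_sec, ts_usec, incl_len, orig_len = ERM_HDR.unpack_from(datagram)
    frame = datagram[ERM_HDR.size:ERM_HDR.size + incl_len]
    if len(frame) != incl_len or incl_len > orig_len:
        return None  # truncated datagram or inconsistent length fields
    return ts_sec, ts_usec, orig_len, frame

def pcap_global_header():
    """Classic pcap file header: little-endian, microsecond timestamps, snaplen 65535."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)

def pcap_record(ts_sec, ts_usec, orig_len, frame):
    """One pcap record header followed by the captured 802.11 frame bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig_len) + frame

def capture_to_file(path, port=5555, max_frames=1000):
    """Bind the ERM port (so the host stops sending ICMP port unreachable) and save
    every well-formed type-0 frame into a pcap file. Returns the number of frames written."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(path, "wb") as out:
        sock.bind(("0.0.0.0", port))
        out.write(pcap_global_header())
        written = 0
        while written < max_frames:
            datagram, _ = sock.recvfrom(65535)
            parsed = parse_erm_type0(datagram)
            if parsed is None:
                continue  # skip datagrams that are not well-formed ERM type 0
            out.write(pcap_record(*parsed))
            written += 1
    return written

# Constructed sample: one ERM type-0 datagram carrying a minimal 802.11 beacon header
# (frame control 0x8000, duration, addr1 broadcast, addr2/addr3 = the tutorial's BSSID, sequence).
BSSID = bytes.fromhex("24dec68b1220")
SAMPLE_FRAME = bytes.fromhex("8000") + b"\x00\x00" + b"\xff" * 6 + BSSID + BSSID + b"\x10\x00"
SAMPLE_DATAGRAM = ERM_HDR.pack(1408000000, 123456, len(SAMPLE_FRAME), len(SAMPLE_FRAME)) + SAMPLE_FRAME
```

Run `capture_to_file("iap_remote.pcap")` on the computer whose address you gave to `pcap start`, then open the file in Wireshark; it contains plain 802.11 frames, so no Aruba ERM preference or "Decode As" step is needed.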






Aug 18, 2022 03:49 PM

Thanks to j.easley and others for this information. Technically it's a bit of a "hacked" solution, because the IAP sends packets to UDP port 5555 and the PC (with Wireshark) responds to every packet with an ICMP Unreachable message. I believe that there was a remote capture driver (rpcapd, udpdump), but these tools have been abandoned over time.

Anyway, just ignore the ICMP messages. I would recommend using a capture filter with "udp port 5555" to avoid capturing any unwanted traffic.

With recent versions of Wireshark, you don't specify the format in the Wireshark preferences for ARUBA_ERM protocol, but only the UDP port which is typically 5555.

The tricky part is that you have to specify the matching format in Wireshark "Decode as...". Here you see the same options as in pcap on the IAP (5th parameter as shown above). After setting the format, you'll see the IEEE 802.11 wireless packets.

Oct 17, 2018 12:20 PM

Hi, I did it as described, it works fine, but on VHT80 (channels 36, 40, 44, 48) I am not able to see any data packets of the client. IAP 225 set to monitor mode to sniff data transfer from an 802.11ac client to the AP at 433 Mbit/s 1x1 MIMO.

Pcap on channel 36 shows beacons, broadcast frames and other stuff, but no data.

Checked also channel 42, no packets.

20 MHz channel width also works fine, beacons and data.


Any idea how to capture HT40 or VHT80 connections?