You shouldn't need access to the workstation to run a datapath capture - you can do one of the following:
#1 - Set up remote datapath capture and forward to your workstation running Wireshark
- In CLI, identify the user's current UAC ( show user-table | include <user's mac or ip> )
- Log on to that controller using " logon <controller's ip> "
- Run the following commands:
-- packet-capture destination ip-address <your IP address>
-- packet-capture datapath mac <user's mac> all
- Launch Wireshark on your PC
- Start a capture and include the following filter:
-- (mac == xx:xx:xx:xx:xx:xx || eth.addr == xx:xx:xx:xx:xx:xx || wlan.addr == xx:xx:xx:xx:xx:xx || wlan.ta == xx:xx:xx:xx:xx:xx || wlan.ra == xx:xx:xx:xx:xx:xx || wlan.sa == xx:xx:xx:xx:xx:xx || wlan.da == xx:xx:xx:xx:xx:xx) && !icmp
#2 - Monitor the datapath session table on the controller for the user and for protocol 1 (ICMP)
- In CLI, identify the user's current UAC ( show user-table | include <user's mac or ip> )
- Log on to that controller using " logon <controller's ip> "
- Run the following command:
-- show datapath session table <user's IP> and look for Prot 1.
Hopefully that helps, good luck!
------------------------------
Michael Haring
AirHeads MVP 2017, 2019-2021
------------------------------
Original Message:
Sent: Nov 05, 2021 09:44 AM
From: matt pollard
Subject: ping-flood troubleshooting
Hi,
Can someone possibly give me some advice on ping-flood troubleshooting? I have a user who keeps getting disconnected for a ping-flood and this shows in both the MM and in the controller logs, but it doesn't actually show any details on the event.
I'm trying to find out what the destination address/addresses of the ICMP traffic are, but can't seem to find reference to this.
I don't have local access to the device to run Wireshark on it.
thanks
------------------------------
matt
------------------------------
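An added example for option #2 in the reply above, not part of either post and not Aruba code: it tallies the ICMP (Prot 1) destinations for one client from saved `show datapath session table` output, skipping the reverse-direction rows so reply sources are not counted as destinations. The sample rows are constructed, and the column order (source IP, destination IP, protocol number first) is an assumption to check against your controller's output.

```python
"""Tally ICMP destinations for one client from saved session-table output."""
import ipaddress
from collections import Counter

ICMP = 1  # IP protocol number the reply says to look for ("Prot 1")

# Constructed sample, not real controller output. Assumed layout: whitespace-
# separated columns beginning with source IP, destination IP, protocol number.
SAMPLE = """\
Source IP         Destination IP  Prot SPort DPort
----------------- --------------- ---- ----- -----
10.10.20.57       192.0.2.10      1    311   2048
192.0.2.10        10.10.20.57     1    311   0
10.10.20.57       192.0.2.10      1    312   2048
10.10.20.57       198.51.100.7    1    45    2048
10.10.20.57       203.0.113.53    17   51544 53
10.10.20.99       192.0.2.10      1    9     2048
"""


def _ip(text):
    """Return an ip_address object, or None for headers and separators."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def icmp_destinations(table_text, client_ip):
    """Return [(destination, session_count), ...] for ICMP sent by client_ip."""
    client = ipaddress.ip_address(client_ip)
    counts = Counter()
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # header, separator or blank line
        src, dst = _ip(fields[0]), _ip(fields[1])
        if src is None or dst is None:
            continue
        # Count only rows where the client is the source; the reverse-direction
        # row for each flow would otherwise list the client as a destination.
        if int(fields[2]) == ICMP and src == client:
            counts[str(dst)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for dst, n in icmp_destinations(SAMPLE, "10.10.20.57"):
        print(f"{dst:<16} {n} ICMP session(s)")
```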