it's still not quite clear to me what you're trying to capture exactly, because that dictates which of two methods you are going to use within the controller. If you want to see ACKs, RTS/CTS and all that, you will need the "raw capture" method.
try invoking from the CLI
>> first open port (once per reboot of the controller)
"ap packet-capture open-port 5555"
>> start the capture (here on ap215, relay to 192.168.1.3, port 555, type 1, radio 0 (5ghz)
"ap packet-capture raw-start ap-name ap215 192.168.1.3 5555 1 radio 0"
This assumes that my capture AP (ap215 here) is on the channel that i want to capture on, or is indeed the serving AP. Note that an AP which is serving clients cannot correct capture all TX frames and indeed has wrong FCS on tx frames that are captured (see the thread i referenced earlier).
If you want to narrow on a specific client, get it all into wireshark (make sure to tell wirshark you are using type 1, ie. edit -> preferences-> protocols -> aruba_erm -> capture type 1) and then filter using "wlan.addr == <mac addr in : format>"
I actually have never used the client mac as a filter in the webUI 'interactive capture' - not because it doesn't work but because i dont want to miss the bigger picture by filtering down the capture. Having said that, it does work, maybe your browser is involved in the grief, let's try it this way. note that this catpure uses type 0 (pcap/ethereal) and you will need to use the above steps to set it to type 0 not type 1.
a> find out the IP of the AP where the client is active (i.e. show ap association)
b> run "ap packet-capture open-port 5555" if you havent already done so
c> run the following "ap packet-capture interactive ap-name ap205 "(sta == 5c:c5:d4:00:11:22 and type == all)" 192.168.1.3 5555 radio 0"
here we are sending to 192.168.1.3 @ port 5555 and the capture is executed on radio 0 (5ghz).
Now, here is an alternative. Potentially you are just interested in the packets the client is sending, maybe want to remotely look into DHCP or DNS or captive portal etc. You can use the following feature to send a stream of both pre and post encrypted packets from the datapath to wireshark. this type of capture is missing some info, i.e. you dont see beacons, probes, acks etc - this is more or less just tcpip in, wlan packets out.
(sg-7030) # packet-capture destination ip-address 192.168.1.3
(sg-7030) # packet-capture datapath wifi-client 00:11:22:33:44:55 all
...
(sg-7030)# no packet-capture datapath wifi-client 00:11:22:33:44:55 all
The datapath will put a GRE header on this and send to wireshark, recent wireshark versions will automatically decode this for you.
Since the example above specified "all" you can see both the incoming tcpip packet and then the subsequent encrypted (assuming psk or dot1x) wlan packet. You can also redirect the packets to the flash so they can be exported within "tar logs" or scp/ftp'ed out of the flash.
hth
-jeff