Aruba Employee

Re: How do we do packet capturing on ArubaOS?

I just installed the latest development release of Wireshark 1.4.0rc1 and it does have Aruba ERM as a supported protocol for decoding. Unless I'm looking at something incorrectly, that's all it has.

There's no integrated interface for remotely capturing packets from an Aruba controller. I'm pretty sure you're going to have to stick with the Aruba versions of Ethereal or Wireshark.
Guru Elite

Packet Capture


I just installed the latest development release of Wireshark 1.4.0rc1 and it does have Aruba ERM as a supported protocol for decoding. Unless I'm looking at something incorrectly, that's all it has.

There's no integrated interface for remotely capturing packets from an Aruba controller. I'm pretty sure you're going to have to stick with the Aruba versions of Ethereal or Wireshark.




You would then initiate a packet capture on the Aruba controller for a client, point it to your management station over port 5555, where it will be decoded by Wireshark. You would also need to ensure that your management station is routable to the AP, because it sends the traffic directly to your station. You will also have to permit port UDP 5555 in the AP ACL:

ip access-list session ap-acl
any any udp 5555 permit



Attached is "packet capturing options in Aruba Networks"

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba Technical Webinars
Aruba Employee

Re: How do we do packet capturing on ArubaOS?

Ok, that makes sense. I was just always used to seeing an interface for ERM.
Occasional Contributor II

Re: How do we do packet capturing on ArubaOS?

I have been running a capture from a client, the problem is that I am only seeing Layer 2 info in the capture. There is no IP address on the controller for this SSID, if I temporarily added an IP address would I see the full L3 data?
Guru Elite

Encrypted

Is the SSID encrypted? The pcap is only sending the raw 802.11 data, not the unencrypted packets. One way to see the unencrypted packets is to do a port monitor of the controller's egress port and do an Ethernet packet capture of that port:

(Aruba3600) #configure t
Enter Configuration commands, one per line. End with CNTL/Z

(Aruba3600) (config) #interface gigabitethernet 1/6
(Aruba3600) (config-if)#port monitor gigabitethernet 1/4

Occasional Contributor II

Re: How do we do packet capturing on ArubaOS?

The SSID is encrypted; however, this is a remote site with no local support person :-(
Is there a way to decrypt the packets on the controller when doing an AP or client capture?
Occasional Contributor II

Re: How do we do packet capturing on ArubaOS?

Hi there again - I've managed to sort it out, thanks.
Using my original capture file that was encrypted, I loaded it into Wireshark v1.4.0 (this has the Aruba ERM by the way!!)
Then you do the following:
Go to http://www.wireshark.org/tools/wpa-psk.html
Enter your passphrase and SSID, and hit the 'Generate PSK' button.
It'll spit out a string such as 7777777777777777777777777777777


Wireshark Preferences
Go to Edit -> Preferences to open the Preferences dialog box.
Expand Protocols and select IEEE 802.11.
Select: Enable decryption
In key #1 paste in your string preceded by wpa-psk, i.e.
Key #1: paste
wpa-psk:7777777777777777777777777777777

Bang decrypted data!!
It works with WPA2-AES encryption as well
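
The key string pasted into Wireshark in the post above can also be derived locally, so the passphrase never has to be typed into a web page. This is an added example, not part of the original post; the function names are hypothetical, and the sample passphrase and SSID are the published IEEE 802.11i Annex H.4 test vector, not a real network.

```python
import getpass
import hashlib

# Published IEEE 802.11i Annex H.4 test vector (not a real network).
TEST_PASSPHRASE, TEST_SSID = "password", "IEEE"
TEST_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA/WPA2-Personal PSK as 64 hex characters.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    """
    # Non-ASCII input raises UnicodeEncodeError, a subclass of ValueError.
    pw = passphrase.encode("ascii")
    if not 8 <= len(pw) <= 63 or any(b < 32 or b > 126 for b in pw):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32).hex()


def wireshark_key(passphrase: str, ssid: str) -> str:
    """Format the PSK the way the post enters it as an IEEE 802.11 key."""
    return "wpa-psk:" + wpa_psk(passphrase, ssid)


if __name__ == "__main__":
    # getpass keeps the passphrase off the screen and out of shell history.
    ssid = input("SSID: ")
    print(wireshark_key(getpass.getpass("Passphrase: "), ssid))
```

Wireshark can only decrypt a client's WPA/WPA2 traffic if the capture also contains that client's EAPOL four-way handshake, so start the capture before the client associates.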
Frequent Contributor I

how do i capture with the new version of wireshark


Hi
With the last release of Wireshark, there is support of Aruba ERM (Encapsulated Remote Mirroring)

To activate this option, in Wireshark Preferences => Protocols => Aruba ERM => Aruba ERM Ports Number : 5555

:)




I have Wireshark version 1.4.2 and I have set the port to 5555 in preferences you specified, I have created the capture on the controller for that AP and it shows the packet capture in progress and they are getting sent to my IP address. The Wireshark capture laptop is on the wireless network 172.16.23.x but I am not seeing any packets from the AP. Could the fact that the AP is a remote AP be why I'm not seeing the packets? Or do I need to set up my Wireshark laptop to see those packets?
Guru Elite

Re: How do we do packet capturing on ArubaOS?

Yes. The problem is that it is a remote AP. The remote AP gets an "inner" IP address on the controller and that is the source of the captured frames when they are sent out. If the inner IP address of the AP (the one distributed from the pool) is not routable on your network, you will never see the frames.

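
A quick check for the situation discussed above, as an added example that is not part of the thread: run this on the capture station to see whether any mirrored datagrams reach UDP 5555 at all, and from which source addresses, before suspecting Wireshark's settings. The function names are hypothetical and the AP address 192.0.2.10 is a constructed placeholder; the datagram contents are not parsed.

```python
import socket
import time
from collections import Counter

ERM_PORT = 5555  # UDP port used for the mirrored frames in this thread


def tally_sources(sock, seconds):
    """Count datagrams per source IP on an already-bound UDP socket."""
    counts = Counter()
    deadline = time.monotonic() + seconds
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return counts
        sock.settimeout(remaining)
        try:
            _, (src, _port) = sock.recvfrom(65535)
        except socket.timeout:
            return counts
        counts[src] += 1


def missing_sources(counts, expected):
    """Expected AP addresses (for a remote AP, its inner IP) never seen.

    An address listed here means its frames were dropped or unroutable
    somewhere between the AP and this station.
    """
    return sorted(ip for ip in expected if counts.get(ip, 0) == 0)


if __name__ == "__main__":
    expected_aps = ["192.0.2.10"]  # constructed placeholder, use your AP's IP
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("0.0.0.0", ERM_PORT))
    seen = tally_sources(listener, 15)
    listener.close()
    print("datagrams per source:", dict(seen))
    print("no frames received from:", missing_sources(seen, expected_aps))
```

If the list of missing sources includes the AP while the controller shows the capture in progress, check the ACL rule for UDP 5555, the routing back from the AP's address, and any host firewall on the capture station.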
Frequent Contributor I

Re: How do we do packet capturing on ArubaOS?




How do I know which acl my AP is using?
