Why don?t some packets, such as ACKs or CTS frames, show up in the AP raw packet capture? And how does AP packet capture work?

Aruba Employee
Aruba Employee

Product and Software: This article applies to all ArubaOS versions.

When an AP is doing raw packet capture, it sends frames in both directions (tx and rx) to the capture. There is no guarantee that the sequence that shows up in the raw packet capture from the AP is the same as the sequence on the air. This is due to scheduling of various tasklets in the WLAN driver within the Linux kernel and it is very difficult to get this sequence right.

The frames that get sent to the raw packet capture are those that are processed by a piece of software, which includes all frames that are queued up for transmission by the driver and all frames that are received by the radio. The hardware automatically generates frames on the tx side, for example, typically ACKs and CTS frames generated by the AP. These frames will never show up in the raw packet capture because no piece of software ever processes such frames.

However, an AP configured as an air monitor does not behave this way. An AM should collect more or less the same amount of information as a wireless sniffer/laptop because both the AM and the sniffer are only in rx mode.

There is also a possibility of packet loss in the intermediate network between an AP and the destination of the raw packet capture. The pcap packets are sent over UDP and could potentially be lost in the intermediate network.

If an AP is heavily loaded with traffic due to activity from or to an associated station, starting a raw packet capture may result in packets lost in either the raw packet capture or the station traffic or both because a CPU bottleneck could occur.

Version history
Revision #:
1 of 1
Last update:
‎07-06-2014 10:44 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: