To capture to another network client:
packet-capture destination ip-address <capture-client-IP>
packet-capture datapath wifi-client <client-mac-address> decrypted
In Wireshark, go to Preferences > Protocols > Aruba_ERM and set the port to 5555
Filter the packets with:
ip.src== <controller-ip> && dns
To capture to flash memory on controller:
packet-capture destination local-filesystem
packet-capture datapath wifi-client <client-mac-address> decrypted
To stop packet capture and tar pcap file:
no packet-capture datapath wifi-client <client-mac-address> decrypted
packet-capture copy-to-flash datapath-pcap
You can then copy the tarball off of the controller via SCP or TFTP and take a look at the capture