Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AP packet capture

  • 1.  AP packet capture

    Posted Jun 11, 2020 07:47 AM

    I'm trying to run a packet capture on MD AOS 8.6.0.4, destination my PC.

    I have used #ap packet-capture raw-start ip-addr 172.23.2.249 172.23.14.92 5555 0 radio 0, my PC has Wireshark 2.6.5 installed, I have configured Aruba_ERM for 5555 but still cannot see wlan traffic on Wireshark.


    Anyone have an idea here? Thank you!



  • 3.  RE: AP packet capture
    Best Answer

    Posted Jun 11, 2020 08:40 AM
    Not sure if that method will work in AOS8 but this one should definitely work

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/Aruba-AOS-Version-8-x-How-to-use-Packet-Capture-to-Collect/ta-p/549082



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 4.  RE: AP packet capture
    Best Answer

    Posted Jun 16, 2020 10:55 PM

    I did a session at ATM19 "AB250: Capturing the Data" which discusses the 4 different types of capturing on an Aruba controller. I couldn't find a link to it, but if you can, check it out. Anyway, when doing an AP Packet Capture (or PCAP from an IAP) there are a few key components of the capture. Let's take a look at the command that you used:


    #ap packet-capture raw-start ip-addr 172.23.2.249 172.23.14.92 5555 0 radio 0


    The first part is "ap packet-capture raw-start" which states that you want to capture from an AP and you want to capture all of the data (raw-start) that the radio of the AP hears or that the AP is transmitting.


    The next piece is "ip-addr 172.23.2.249" which specifies the AP that the capture is being performed from. This could have been "ap-name [name-of-the-ap]" or it could have been the MAC address of the AP. Use whichever is easiest for identifying the AP.


    Then you specify "172.23.14.92 5555". The IP address specifies the computer that you will be analyzing the capture from. This is the computer that will be running Wireshark, Omnipeek, or whatever analyzer you have running. When the AP sends the capture information to this computer, the AP needs to encapsulate the capture (package the capture data) in order for the analyzer to know that it is a capture and not a data frame. The 5555 tells the packet analyzer software that the capture data is encapsulated in UDP 5555 frames. So you will need to tell the analyzer software to look for UDP 5555 frames, grab the contents of these frames, and treat them as a packet stream. Wireshark typically uses UDP 5555, Omnipeek uses UDP 5000.


    If you have CPsec enabled, CPsec tells the AP that its communications should be performed encrypted using IPsec. This is an issue when doing a packet capture: you need to tell the AP to continue to encrypt its communications with the controller, except for the UDP 5555 (or 5000) frames that are being sent to the analyzer. You do this by using the following command prior to performing the capture, "ap packet-capture open-port 5555", and then when you are done, closing it up by using the command "ap packet-capture close-port 5555".


    At this point the AP will send the capture data to the computer running the packet analyzer. However, when you sent the data, you told the AP to send it using a specific structure. Think of this as a database structure or field structure. Your command stated "5555 0". We already know that the 5555 is the UDP port, but the "0" is specifying the data structure. The capture format (what it is called) has 6 options.

    0 = pcap

    1 = peek (commonly used for Omnipeek)

    2 = airmagnet

    3 = pcap+radio header (commonly used for Wireshark) *** MY PREFERENCE ***

    4 = ppi

    5 = peek with 11n/11ac header


    So you told the AP to send the packet encapsulated in a specific UDP frame, and in a specific structure. So you need to tell your analyzer software to both listen for the UDP frame and to look at the packet in a certain way.


    BTW, the last field in your command, "radio 0", specifies the radio you are capturing from: 0 = 5 GHz and 1 = 2.4 GHz.


    So in Wireshark you have two tasks: 1. tell it what port to listen on, and 2. tell it how to "decode" the data.


    *** QUICK PUBLIC SERVICE ANNOUNCEMENT ***

    DO NOT download the Wireshark add-on from Aruba's support site unless you are running a version of Wireshark from about 10-15 years ago. This technology has been built into Wireshark for MANY years and the add-on is NO LONGER NEEDED!!!


    Okay, now back to the process.


    So the first step in Wireshark is to specify the port to listen on. From the Preferences menu, under Protocols look for "ARUBA_ERM" and set the value to 5555. This will tell Wireshark to listen to this data stream.


    Now you need to tell Wireshark how to understand the data stream. From the Analyze menu, select "Decode As", choose "Aruba ERM Type", and then in "Current field" select the capture format that you chose when sending the data to Wireshark. Now Wireshark knows what data to listen to, and how to interpret it. Then start the packet capture.


    Forgive the plug, but if you go to www.westcott-consulting.com, I have some files that you can download from my ArubaOS 8 book. The last file is a summary of the 4 different ways of doing packet captures on an Aruba controller, the data that is captured, how it is sent to the analyzer, and how to analyze it.


    I hope this helps,
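The answer above splits the problem into two halves: getting the encapsulated capture datagrams from the AP to the analyzer host (destination IP, UDP port, CPsec open-port), and getting Wireshark to decode them (ARUBA_ERM port preference, Decode As with the format number). The probe below is an added example, not code from the thread or from HPE Aruba, for checking the first half in isolation: it binds the UDP port named in the raw-start command and tallies datagrams per source address, so you can tell whether the stream is reaching the host at all before touching Wireshark settings. It assumes the datagrams arrive with the AP's IP (172.23.2.249 in the thread) as the source address; the dummy loopback datagrams in the self-test helper are constructed and contain no real ERM data.

```python
"""UDP sanity probe for an Aruba AP packet-capture stream (added example).

If nothing arrives on the port, the fault is upstream of Wireshark: wrong
destination IP in raw-start, CPsec enabled without
"ap packet-capture open-port <port>", or a host firewall.  If datagrams do
arrive, transport is fine and the remaining work is Wireshark's ARUBA_ERM
port preference and "Decode As" Aruba ERM Type.
"""
import socket
import time

ERM_PORT_WIRESHARK = 5555   # UDP port the thread uses for Wireshark
ERM_PORT_OMNIPEEK = 5000    # UDP port the thread says Omnipeek uses


class ErmStreamProbe:
    """Binds a UDP socket and tallies datagrams per source IP address."""

    def __init__(self, bind_addr="0.0.0.0", port=ERM_PORT_WIRESHARK):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, port))
        self.port = self.sock.getsockname()[1]   # real port, also when 0 was asked

    def collect(self, seconds=5.0, max_datagrams=None):
        """Listen for up to `seconds`; return {src_ip: (datagram_count, byte_count)}."""
        stats = {}
        total = 0
        deadline = time.monotonic() + seconds
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            self.sock.settimeout(remaining)
            try:
                data, (src_ip, _src_port) = self.sock.recvfrom(65535)
            except socket.timeout:
                break
            count, nbytes = stats.get(src_ip, (0, 0))
            stats[src_ip] = (count + 1, nbytes + len(data))
            total += 1
            if max_datagrams is not None and total >= max_datagrams:
                break
        return stats

    def close(self):
        self.sock.close()


def diagnose(stats, expected_ap_ip):
    """Map the tally onto the next troubleshooting step from the thread."""
    if not stats:
        return ("no-datagrams",
                "Nothing reached this port: re-check the destination IP in "
                "raw-start, run 'ap packet-capture open-port <port>' if CPsec "
                "is enabled, and allow the UDP port through the host firewall.")
    if expected_ap_ip in stats:
        n, _ = stats[expected_ap_ip]
        return ("ap-stream-ok",
                f"{n} datagram(s) from {expected_ap_ip}: transport is fine; set "
                "ARUBA_ERM to this port and 'Decode As' Aruba ERM Type to the "
                "format number used in raw-start.")
    others = ", ".join(sorted(stats))
    return ("unexpected-source",
            f"Datagrams only from {others}, not {expected_ap_ip}: check which "
            "AP the raw-start command targeted.")


def send_test_datagrams(port, count=3, size=40, host="127.0.0.1"):
    """Self-test helper: sends `count` constructed dummy datagrams (zero bytes,
    not real ERM data) over loopback so the probe can be exercised without an
    AP.  Returns the total number of payload bytes sent."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for _ in range(count):
            tx.sendto(b"\x00" * size, (host, port))
    finally:
        tx.close()
    return count * size


if __name__ == "__main__":
    # Assumed AP address: the one from the thread's raw-start command.
    probe = ErmStreamProbe(port=ERM_PORT_WIRESHARK)
    print(f"listening on UDP {probe.port} for 5 s ...")
    result = probe.collect(seconds=5.0)
    probe.close()
    code, advice = diagnose(result, expected_ap_ip="172.23.2.249")
    print(code, "-", advice)
```

Run it on the analyzer host while the capture is active; stop Wireshark first so both are not competing for the same port. A tally that shows the AP but a Wireshark window that stays empty points squarely at the ARUBA_ERM port preference or the Decode As format number.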