Wireless Access

Contributor II

Client packet capture on AOS8

In my MM gui, I can see next to an AP the icon to start a packet capture from the AP. This grabs ALL traffic from that AP, and is limiting in the fact that you can only narrow it down to a band to capture.


Is there not a similar function in the gui to capture only a specific client? I can't seem to find anything.

 

And if no GUI option is available, is it still available through the CLI? If so, does it all have to be done via the MM or the MD? I can't find much supporting documentation on how to do this step-by-step in a dual MM + dual MD cluster setup.


Accepted Solutions

Re: Client packet capture on AOS8

In addition to the other link that you were pointed to, I am going to add some more about the topic.

 

First, there are 4 ways of doing packet capturing with an Aruba Controller environment (ArubaOS 6 or 8).

- Port Monitoring

- Packet-Capture command

- Firewall Mirroring

- AP Packet-Capture

 

I am not going to go into deep depths on these, since I could write 20-30 pages on the topic.

 

First off, if you are using a cluster environment, you may need to identify the AP anchor controller (AAC) or user anchor controller (UAC) to identify which MC you will need to run some of these commands on.

 

From the MM, "show ap database" will show you the switch IP, which is the AAC, and "show global-user-table list" will display the current switch for a user, which is the UAC. There are also other ways of getting this information.

 

1st capture method - Port monitoring - This is a traditional port monitor. In an MM environment do this at the device node.

 

(MM1) [00:0b:86:be:7a:40] (config) #interface gigabitethernet 0/0/4

(MM1) [00:0b:86:be:7a:40] (config-submode) #port monitor gigabitethernet 0/0/6

(MM1) ^[00:0b:86:be:7a:40](config-submode) #write mem

 

At that point, connect to port 0/0/4 on the MC and capture.

 

2nd capture method - Packet-capture command

This can capture datapath client or IPsec data, or controlpath traffic. The commands are as follows and are executed on the MC.

 

"show packet-capture" shows the current settings.

"packet-capture controlpath tcp all" and "packet-capture controlpath udp 1812,1645" are examples of enabling capture of control path traffic.

"packet-capture datapath mac xx:xx:xx:xx:xx:xx decrypted" is an example of enabling capturing of client traffic. Instead of decrypted, you could also do encrypted or all.

"packet-capture datapath ipsec x.x.x.x" will capture IPsec traffic.

 

The packet-capture data needs to be sent somewhere, either to a port, an IP address which is running a packet analyzer (the traffic is sent via GRE frames), or to the local filesystem on the controller (some captures are limited to where they can be sent). The following sets the destination.

"packet-capture destination" followed by "interface 0/0/3", "ip-address x.x.x.x", or "local-filesystem", as examples.

 

If the output is going to the local filesystem, you can look at it on the MC from the CLI using "show packet-capture controlpath-pcap" or "show packet-capture datapath-pcap".

 

Don't forget to undo any of the commands so that it is not continuously capturing.

 

3rd capture method - Firewall mirror

Create a firewall rule with an extended action of mirror, such as "user any svc-ssh deny mirror". For anything that matches that rule, a copy will be GRE'd to the IP address that you have set previously in the "packet-capture destination" command.

 

4th capture method - AP/AM capture - Do this from the CLI, don't do it from the WebUI. CLI has many more features.

 

Capture will be sent from the AP to an IP address encapsulated in a UDP frame (typically UDP 5000 or 5555). This command is also executed on the MC. If CPsec is enabled, you need to open the port of the AP, for example "ap packet-capture open-port 5000", and then later close it: "ap packet-capture close-port 5000".

 

It's better to capture from an Air Monitor, as you can set channel and channel-width. If you do it from an AP, do not change these. To set channel and width "am scan ip-addr x.x.x.x 36" for example. IP address is the PC with the analyzer and 36 is 20 MHz wide channel. 36+ is 40 MHz wide, 36E is 80 MHz wide, 0 is scan all channels.

 

The following is the capture command "ap packet-capture raw-start ap-name AP1 x.x.x.x 5000 1 radio 0"

 

raw-start sends everything (do this)

ap-name AP1 is name of AP doing capture

x.x.x.x is IP of capture PC

5000 is UDP port (typically 5000 for Omnipeek, 5555 for Wireshark)

1 is capture format (typically 1 for Omnipeek, 3 for Wireshark)

0 is radio (0=5 GHz, 1=2.4 GHz)

There is a channel option too; don't use it. Set the channel through the "am scan" command.

 

Jot down the AP name, IP address, pcap-id, and radio #. When you are done, you will need to turn the capture off: "ap packet-capture stop ip-addr x.x.x.x 13 radio 0" (in this example the pcap-id was 13).

 

On your analyzer machine you will need to use encapsulated remote mirror (ERM) mode and set the decode filter based on the capture format you chose.

 

If you go to my website (www.westcott-consulting.com) and download the ArubaOS 8 files, there is a capture summary chart that I give away that summarizes the capture methods, what is captured, source, target, encapsulation method, and how to view the data.

 

I did an Atmosphere presentation in 2019 in Vegas about this and hope to do it again in 2020.

 

I hope this helps,

 

 

 

David
Sr. Trainer and Author of "Understanding ArubaOS: Version 8.x" book

--Give Kudos if you found something helpful, important, or cool.
--Problem Solved? Click "Accepted Solution" in a post.

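As an added example (not from David's post and not Aruba's own tooling), a small Python receiver for the 4th method: it binds the analyzer UDP port named in the raw-start command and writes each datagram payload as one record of a standard pcap file, so the AP stream can be saved without an analyzer running in ERM mode. It assumes capture format 0 (plain pcap, one bare 802.11 frame per datagram); the port, the output file name and the sample beacon are assumptions for illustration.

```python
import socket
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4   # libpcap file magic, written little-endian below
DLT_IEEE802_11 = 105      # link type for raw 802.11 frames without a radio header
LISTEN_PORT = 5555        # assumed: the UDP port given in "ap packet-capture raw-start"

# Constructed sample: an 802.11 beacon MAC header (frame control 0x0080, broadcast DA,
# a made-up source/BSSID) with an empty body. It stands in for one AP datagram payload.
SAMPLE_BEACON = b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x10\x00"

def pcap_global_header(linktype=DLT_IEEE802_11, snaplen=65535):
    # magic, version 2.4, thiszone, sigfigs, snaplen, network (link type)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(frame, ts=None):
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def build_pcap(frames, ts=0.0):
    """Wrap a list of raw 802.11 frames (one per AP datagram) into a pcap byte string."""
    return pcap_global_header() + b"".join(pcap_record(f, ts) for f in frames)

def parse_pcap(data):
    """Read a pcap byte string back into (linktype, [frames]); used to check the output."""
    magic, major, minor, _tz, _sf, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian pcap 2.4 file")
    off, frames = 24, []
    while off + 16 <= len(data):
        _s, _u, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return linktype, frames

def receive_to_file(path, port=LISTEN_PORT, max_frames=1000):
    """Bind the analyzer port and append each AP datagram payload as one pcap record.
    Assumes format 0 (plain pcap); the other formats prepend a header this does not strip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    with open(path, "wb") as fh:
        fh.write(pcap_global_header())
        for _ in range(max_frames):
            payload, _src = sock.recvfrom(65535)
            fh.write(pcap_record(payload))
```

Run `receive_to_file("ap-capture.pcap")` on the capture PC before issuing raw-start, then open the file in Wireshark as an ordinary 802.11 capture.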


All Replies
Frequent Contributor I

Re: Client packet capture on AOS8

Hi,

 

Please refer to the following link and check if it is helpful to fulfill your requirements:

 

https://community.arubanetworks.com/t5/Controller-Based-WLANs/Aruba-AOS-Version-8-x-How-to-use-Packet-Capture-to-Collect/ta-p/549082

 

 

Contributor II

Re: Client packet capture on AOS8

The link you provided goes over how to do client capture via the command line. It doesn't mention a way to do it via the GUI. So I assume doing it through the GUI can't be done (for client-specific capture).

 

 

For AP capture via the GUI, you have different formats to choose from: pcap, peek, airmagnet, pcap+radio, ppi, peek with headers. Is there any documentation describing the differences between these?

 


Contributor II

Re: Client packet capture on AOS8

Thank you for the detailed response! Best collection of packet capture info and detail (especially relating to AOS8) I have seen.

 

Missed your presentation at last year's ATM, but will be sure to catch you this year.

 

THANK YOU!
