Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Packet Capture - Seeing L2 Traffic Only

This thread has been viewed 1 times

  • 1.  Packet Capture - Seeing L2 Traffic Only

    Posted Sep 26, 2012 03:03 PM

    Am I only supposed to see L2 traffic when performing a client packet capture?  I need to capture all communication from a wireless client.



  • 2.  RE: Packet Capture - Seeing L2 Traffic Only

    EMPLOYEE
    Posted Sep 26, 2012 04:53 PM

    How are you doing the packet capture?

     

     



  • 3.  RE: Packet Capture - Seeing L2 Traffic Only

    Posted Sep 26, 2012 09:14 PM
    I'm using the controller GUI. Selecting a client then doing a raw packet capture to my computer with Wireshark running. I have the latest version of Wireshark with the Aruba display filter set.


  • 4.  RE: Packet Capture - Seeing L2 Traffic Only

    EMPLOYEE
    Posted Sep 26, 2012 09:35 PM
    Correct. That is the layer 2 traffic as if you were standing next to the ap. If you are using encryption, you will see encrypted traffic.


  • 5.  RE: Packet Capture - Seeing L2 Traffic Only

    Posted Sep 26, 2012 10:27 PM

    I'm not sure I see the point in this feature if the traffic is encrypted.  I need to be able to view the unecrypted traffic to/from a wireless client.  Do I have any other options for capturing the clients wireless traffic?  I'm trying to avoid installing Wireshark on the clients PC.



  • 6.  RE: Packet Capture - Seeing L2 Traffic Only
    Best Answer

    EMPLOYEE
    Posted Sep 27, 2012 12:08 AM

    A client has to connect layer2 before it even gets an ip address and the exchanges that occur at that level are very important to the troubleshooting process.  This is frequently the method used to diagnose clients that cannot connect or have problems staying connected.

     

    To see what other methods are available for packet capture, please see the document here:  http://community.arubanetworks.com/aruba/attachments/aruba/115/160/1/Packet+Capturing+Options+with+Aruba+Wireless+Networks.pdf



  • 7.  RE: Packet Capture - Seeing L2 Traffic Only

    Posted Sep 27, 2012 10:36 AM

    Thanks for reply.  That makes sense.

     

    As a sidenote,I was troubleshooting something with Wireshark on my computer this morning and noticed an unusual amount of traffic being displayed.  It's all "Aruba encapsulated remote mirroring" packets and believe this is from the client that I ran a packet capture on yesterday.  I must have forgot to stop the packet capture.  From the controller GUI, I went to the client page, selected the user, and clicked packet capture to see if I could stop the capture but nothing happens when I clicked the button.  If I CLI into the controller and run "show packet-capture", all packet filtering is disabled.  How can I stop this packet capture???



  • 8.  RE: Packet Capture - Seeing L2 Traffic Only

    EMPLOYEE
    Posted Sep 27, 2012 12:07 PM

    You cannot see if user packet captures are active globally.   When you start a packet capture this way, the controller sends a message to the AP to stream pcap traffic directly from the AP to the management station, without controller intervention.  The controller does not keep track of what streams were initiated or are in progress, at length.  You would reboot the access point to stop this, or if you know what ap, you would use the commandline "pcap stop" command.

     



  • 9.  RE: Packet Capture - Seeing L2 Traffic Only

    Posted Sep 27, 2012 01:08 PM

    I logged back into the controller and was able to see the packet capture still running and stop it.  Not sure why it wouldn't let me get that far last time.   Good to know I can log into the AP next time to stop it in case I have this problem again.

     

    Thanks!