Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Packet capture seems to capture only selected packets

This thread has been viewed 14 times

  • 1.  Packet capture seems to capture only selected packets

    Posted Mar 20, 2015 02:54 PM

    I setup a packet capture, headed to my desktop running wireshark. A wireless client is running an automated test against an access point. It first pings a server, then downloads a file via HTTP. In my packet capture, I see the client associate to the network, get a DHCP lease, and ping the server. All as expected. But when the HTTP transfer starts, I only see a stream of TCP ACK's from the client back to the server. I don't see any data packets. Wireshark reports them as "TCP ACKed unseen segment", which makes sense.

     

    I'm suspecting it's an issue with packets larger than a certain size. Suspecting it was an issue with jumbo frames, I configured a port mirror on the AP's switch (with MTU = 9216), grabbed the UDP/5555 traffic there, and loaded it into wireshark. Same problem. So I don't think

     

    Are there known issues with large frames in a packet capture?

     

    Thanks!

     

    Norman



  • 2.  RE: Packet capture seems to capture only selected packets

    EMPLOYEE
    Posted Mar 20, 2015 08:31 PM

    Norman,

     

    If you could let us know what the exact commands that you used to start the pcap (show audit-trail), that will give us a place to start.

     



  • 3.  RE: Packet capture seems to capture only selected packets

    Posted Mar 20, 2015 09:14 PM

    Here's what I see...

     

    ap packet-capture raw-start ip-addr 10.100.136.83 10.10.0.100 5555 0 radio 1

    ap packet-capture open-port 5555

     

    Thanks!

     

    Norman



  • 4.  RE: Packet capture seems to capture only selected packets

    EMPLOYEE
    Posted Mar 20, 2015 09:23 PM

    Norman,

     

    Is that SSID using encryption?  Does the client roam away from that access point possibly?  If it is using encryption, you are only going to get encrypted packets.  If the client roams away, the AP is only going to be able to send packets that it can "see".  If the client is on another AP that is on a different channel, it will not see those packets.

     

    You might want to try the method here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/We-can-take-wireless-packet-captures-of-specific-wireless-client/ta-p/185102 and here:  http://community.arubanetworks.com/t5/Community-Matters-Blog/ArubaOS-6-3-New-Packet-Capture-Functionality-in-ArubaOS-6-3/ba-p/113967



  • 5.  RE: Packet capture seems to capture only selected packets

    EMPLOYEE
    Posted Mar 20, 2015 08:31 PM

    Norman,

     

    If you could let us know what the exact commands that you used to start the pcap (show audit-trail), that will give us a place to start.

     



  • 6.  RE: Packet capture seems to capture only selected packets

    EMPLOYEE
    Posted Mar 20, 2015 08:31 PM

    Norman,

     

    If you could let us know what the exact commands that you used to start the pcap (show audit-trail), that will give us a place to start.