bjulin,
Let's make sure you have all your ducks lined up. Here is what you will need:
- Wired Laptop with the latest Wireshark installed
- On access point configured as an Air Monitor
- Wired connectivity between the Air Monitor and the Wired Laptop.
Procedure:
First, make sure the version of wireshark has the Aruba ERM:
Edit> Wireshark Preferences => Protocols => Aruba ERM. Make sure the port is 5555.
Secondly, make sure the device you are capturing is an AM
Next, setup wireshark to do a packet capture on the wired interface of that laptop. in the filter box, just like you typed, type "aruba_erm" so that we only get Aruba packet capture traffic.
On the commandline of the controller, you will need (1) The ip address of the air monitor (2) the channel you want to capture on (3) the ip address of the wired laptop. To start a packet capture, first you need to tune the AM so that it is only capturing on the channel you want it to. Below I have the air monitor with the ip address of .116 tuned to channel 161 (more on how to capture 40mhz and 80 mhz channels later)
am scan 192.168.1.116 161
Next, I need to stream all of the traffic from that access point on that radio to the wired laptop. Below the AP-Name is the name of the Air monitor. The ip address (.72) is the ip address of my wired laptop. 5555 matches the ERM port I am using in wireshark. The number after Radio must be 0 if I am capturing 5ghz and 1 if I am capturing 2.4ghz:
ap packet-capture raw-start ap-name Office-135 192.168.1.72 5555 0 radio 0
This is what I see from wireshark on my mac:
If you want to capture a 40mhz channel you would do this:
am scan 192.168.1.116 36+
If you want to capture a 80mhz channel (802.11ac AP required), you would do this:
am scan 192.168.1.116 36E
I hope this helps.