We are very familiar with performing 802.11 packet capture using USB wireless dongles as capture adapters. The problem with USB adapters is that they can only support up to two spatial streams due to limitations of the USB bus. With the advent of access points (APs) with three or more spatial streams, these USB dongles are no longer adequate capture adapters. At a recent Wireless LAN Professionals Summit, Jay Botelho, Director of Product Management, Savvius, said that capturing from APs will be the future of 802.11 packet analysis. Capturing packets from an installed AP can provide an excellent approach for remote troubleshooting, but how about using an AP as a capture adapter connected directly to your laptop? Below we show a procedure for capturing packets directly from an Aruba IAP-225 into Savvius Omnipeek.
In the following example, we have an Aruba IAP-225 running 126.96.36.199-188.8.131.52 connected directly to a laptop via an Ethernet cable. Omnipeek version 7.9.1 is running on the laptop.
For a successful capture, an IP address must be configured on both the IAP-225 and your laptop. A simple test for basic IP connectivity is to ping the AP from the laptop.
Currently, packet capture on Aruba Instant APs can only be configured from the CLI, so it is necessary to connect to the AP over SSH or the console.
1) First, determine the BSSID of the radio to capture on. To do this, type the command: show ap monitor status. This command displays a wealth of information on the AP, but for this task we are only interested in the BSSID information shown in the figure below, which includes both the 2.4GHz and 5GHz radio BSSIDs. Copy the BSSID of the radio to capture from. For this example, we are going to use the 2.4GHz radio 18:64:72:d3:d7:a0.
2) To start a packet capture on an Aruba IAP, use the following command:
pcap start <BSSID> <IP of capture tool> <port> <format> <max packet size>
In this example, we will capture from the 2.4GHz radio 18:64:72:d3:d7:a0. The IP address of the laptop running Omnipeek is 192.168.0.10. We will use port 5000, but any port can be used.
The format parameter is a number indicating the packet format. This allows you to send the packets in the correct format for your analyser of choice. In this example, it is Savvius Omnipeek, but other options are available, such as Wireshark and AirMagnet. The options for this parameter are shown below:
0 pcap, 1 peek, 2 airmagnet, 3 pcap radio, 4 ppi
Because we are using Omnipeek, we will choose 1 in order to select peek format.
The last parameter is the maximum packet size. For this example, we use a value of 2346 and we type:
pcap start 18:64:72:d3:d7:a0 192.168.0.10 5000 1 2346
Notice the pcap-id is shown in the resulting message (see above). This id will be used when we issue the command to stop the capture. If you want the AP to capture both 2.4GHz and 5GHz traffic simultaneously, then issue the pcap start command again, but this time use the 5GHz radio BSSID.
3) Next, we need to start an Aruba Remote Adapter capture in Omnipeek and then select the ‘New Capture’ option from the Start Page. The Capture Options dialog will appear. On the Adapter tab, choose ‘Aruba Remote Adapter’ and double-click ‘New Adapter’.
Enter a name and the port number. In this example, we’re using port 5000. Click OK.
Make sure your newly created Aruba adapter is selected and click OK.
When the capture window opens, click ‘Start Aruba Capture’.
Your packets should now start to appear. Happy Analysis!
4) When you have finished capturing, remember to stop the capture on the AP.
pcap stop 18:64:72:d3:d7:a0 1
In this command, the final digit 1 is the pcap id that was displayed when we started the capture. If you can’t remember the pcap id, then use the command show pcap to see your current captures.
If you started a capture from the 5GHz radio, then you will need to stop this one too.
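The start and stop commands from steps 2 and 4 can be generated and sanity-checked before they are pasted into the AP CLI. The following is an added example, not part of the original article or any Aruba or Savvius tooling; the function names and the validation rules (for instance rejecting loopback addresses) are assumptions made for illustration, while the format numbers are the ones listed above.

```python
import ipaddress
import re

# Format numbers as listed in the article for the <format> parameter.
FORMATS = {"pcap": 0, "peek": 1, "airmagnet": 2, "pcap radio": 3, "ppi": 4}
BSSID_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def _check_bssid(bssid):
    """Normalise a BSSID to the lowercase colon form used in the article."""
    bssid = bssid.strip().lower()
    if not BSSID_RE.match(bssid):
        raise ValueError(f"not a BSSID: {bssid!r}")
    return bssid


def pcap_start(bssid, tool_ip, port, fmt, max_size=2346):
    """Return the 'pcap start' line for one radio, rejecting bad arguments."""
    bssid = _check_bssid(bssid)
    ip = ipaddress.ip_address(tool_ip)  # raises ValueError if malformed
    # Assumed rule: the AP must be able to reach the capture tool over the wire.
    if ip.is_unspecified or ip.is_multicast or ip.is_loopback:
        raise ValueError(f"{ip} is not a usable capture-tool address")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    if fmt not in FORMATS:
        raise ValueError(f"unknown format {fmt!r}; use one of {sorted(FORMATS)}")
    if int(max_size) <= 0:
        raise ValueError(f"max packet size must be positive: {max_size}")
    return f"pcap start {bssid} {ip} {int(port)} {FORMATS[fmt]} {int(max_size)}"


def pcap_stop(bssid, pcap_id):
    """Return the matching 'pcap stop' line; pcap_id is the id the AP reported."""
    if int(pcap_id) < 0:
        raise ValueError(f"pcap id must not be negative: {pcap_id}")
    return f"pcap stop {_check_bssid(bssid)} {int(pcap_id)}"


if __name__ == "__main__":
    # Values from the article's example: 2.4GHz radio, Omnipeek laptop, port 5000.
    print(pcap_start("18:64:72:D3:D7:A0", "192.168.0.10", 5000, "peek"))
    print(pcap_stop("18:64:72:d3:d7:a0", 1))
```

Keeping the generated stop line next to each start line makes it harder to leave a capture running on one of the radios.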