Packet Capture
The wireless packet capture feature enables capturing and storing the packets received and transmitted by the WAP device. The captured packets can then be analyzed by a network protocol analyzer for troubleshooting or performance optimization.
There are two methods of packet capture:
- Local Capture Method — Captured packets are stored in a file on the WAP device. The WAP device can transfer the file to a TFTP server. The file is formatted in pcap format and can be examined using Wireshark. You can choose Save File on this Device to select the local capture method.
- Remote Capture Method — Captured packets are redirected in real time to an external computer running Wireshark. You can choose Stream to a Remote Host to select the remote capture method.
Captured packets can also be redirected in real time to CloudShark, a web-based packet decoder and analyzer site whose UI for packet analysis is similar to Wireshark's. You can choose Stream to CloudShark to select this remote capture method.
The WAP device can capture these types of packets:
- 802.11 packets received and transmitted on the radio interfaces. Packets captured on the radio interfaces include the 802.11 header.
- 802.3 packets received and transmitted on the Ethernet interface.
- 802.3 packets received and transmitted on the internal logical interfaces, such as VAPs and WDS interfaces.
Use the Packet Capture page to configure the parameters of the packet capture, start a local or remote packet capture, view the current packet capture status, and download a packet capture file.
Local Packet Capture
To initiate a local packet capture:
Procedure
Step 1 |
Select Troubleshoot > Packet Capture. |
Step 2 |
Ensure that Save File on this Device is selected for the Packet Capture Method. |
Step 3 |
Configure these parameters: |
Step 4 |
There are two modes for packet capture. |
Step 5 |
Click Enable Filters. There are three checkboxes available (Ignore Beacons, Filter on Client, Filter on SSID). |
Step 6 |
Click Apply. The changes are saved to the Startup Configuration. |
Step 7 |
Click Start Capture and then click Refresh to obtain the Packet Capture Status, which contains the following data:
In Packet File Capture mode, the WAP device stores the captured packets in the RAM file system. Upon activation, the packet capture proceeds until one of these events occurs: |
Remote Packet Capture
The Remote Packet Capture feature enables you to specify a remote port as the destination port for packet captures. This feature works in conjunction with the Wireshark network analyzer tool for Windows. A packet capture server runs on the WAP device and sends the captured packets through a TCP connection to the Wireshark tool. Wireshark is an open source tool and is available for free; it can be downloaded from https://www.wireshark.org/.
A Microsoft Windows computer running the Wireshark tool allows you to display, log, and analyze the captured traffic. The remote packet capture facility is a standard feature of the Wireshark tool for Windows.
Note |
While remote packet capture is not supported on Linux, the Wireshark tool runs on Linux and can open capture files that have already been created. |
When the remote capture mode is in use, the WAP device does not store any captured data locally in its file system.
If a firewall is installed between the Wireshark computer and the WAP device, Wireshark must be allowed through the firewall policy of the computer. The firewall must also be configured to allow the Wireshark computer to initiate a TCP connection to the WAP device.
Stream to a Remote Host
To initiate a remote capture on a WAP device using the Stream to a Remote Host option:
Procedure
Step 1 |
Select . |
Step 2 |
For the Packet Capture Method, click the Stream to a Remote Host radio button. |
Step 3 |
In the Remote Capture Port field, use the default port (2002) or, if you are using a different port, enter the port number that Wireshark uses to connect to the WAP device. The port range is 1025 to 65530. |
Step 4 |
There are two modes for packet capture. |
Step 5 |
Next, check Enable Filters. Then choose from the following options: |
Step 6 |
If you want to save the settings for use at another time, click Apply. However, the selection of Remote as the Packet Capture Method is not saved. |
Step 7 |
Click Start Capture to start the capture. To stop the capture, click Stop Capture. |
Stream to CloudShark
To initiate a remote capture on a WAP device using the Stream to CloudShark option, do the following:
Procedure
Step 1 |
Select Troubleshoot > Packet Capture. |
Step 2 |
For the Packet Capture Method, click the Stream to CloudShark radio button. |
Step 3 |
Configure the following parameters: |
Step 4 |
The communication with CloudShark is over HTTPS. If you want to use a self-signed SSL certificate, select the Yes option and click Upload a certificate to upload the certificate you signed. |
Step 5 |
Enter the protocols you want to capture in the Filter expression field. Only packets that pass the filter are transferred to CloudShark. |
Step 6 |
There are two modes for packet capture: |
Step 7 |
Click Enable Filters. The following three options are available: |
Step 8 |
Click Apply. The changes are saved to the Startup Configuration. |
Step 9 |
Click Start Capture. In the Packet Capture mode, the captured packets are transmitted to the CloudShark site in real time. Upon activation, the packet capture proceeds until one of the following events occurs: |
Wireshark
First, download Wireshark and install it on your computer. You can download Wireshark from https://www.wireshark.org/.
To initiate the Wireshark network analyzer tool for Microsoft Windows, follow these steps:
Procedure
Step 1 |
On your computer, initiate the Wireshark tool. |
Step 2 |
In the menu, click Capture > Options. A popup window appears. |
Step 3 |
In the Interface field, select Remote. A popup window appears. |
Step 4 |
In the Host field, enter the IP address of the WAP device. |
Step 5 |
In the Port field, enter the port number of the WAP device. For example, enter 2002 if you used the default, or enter the port number if you used a port other than the default. |
Step 6 |
Click OK. |
Step 7 |
Select the interface from which you need to capture the packets. In the Wireshark popup window, next to the IP address, a drop-down menu lists the interfaces. The interface can be one of the following:
- rpcap://[192.168.1.220]:2002/brtrunk
- rpcap://[192.168.1.220]:2002/eth0
- rpcap://[192.168.1.220]:2002/wlan0
- rpcap://[192.168.1.220]:2002/radio1
- rpcap://[192.168.1.220]:2002/wlan0vap1 ~ wlan0vap7
- rpcap://[192.168.1.220]:2002/wlan0vap1 ~ wlan0vap3
You can trace up to four interfaces on the WAP device simultaneously. However, you must start a separate Wireshark session for each interface. To initiate additional remote capture sessions, repeat the Wireshark configuration steps. No configuration is required on the WAP device.
Some examples of useful display filters are:
In remote capture mode, traffic is sent to the computer running Wireshark through one of the network interfaces. Depending on the location of the Wireshark tool, the traffic can be sent on an Ethernet interface or one of the radios. To avoid a traffic flood caused by tracing the packets, the WAP device automatically installs a capture filter to filter out all packets destined to the Wireshark application. For example, if the Wireshark IP port is configured to be 58000, then this capture filter is automatically installed on the WAP device: not port range 58000-58004
Due to performance and security issues, the packet capture mode is not saved in NVRAM on the WAP device. If the WAP device resets, the capture mode is disabled and you must enable it again to resume capturing traffic. Packet capture parameters (other than the mode) are saved in NVRAM.
Enabling the packet capture feature can create a security issue: unauthorized clients may be able to connect to the WAP device and trace user data. The performance of the WAP device is also negatively impacted during packet capture, and this impact continues to a lesser extent even when there is no active Wireshark session. To minimize the performance impact on the WAP device during traffic capture, install capture filters to limit which traffic is sent to the Wireshark tool.
When capturing 802.11 traffic, a large portion of the captured frames tend to be beacons (typically sent every 100 ms by all access points). Although Wireshark supports a display filter for beacon frames, it does not support a capture filter to prevent the WAP device from forwarding the captured beacon packets to the Wireshark tool. To reduce the performance impact of capturing the 802.11 beacons, disable the capture beacons mode. |
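As an added example (not code from the WAP device, Cisco, or Wireshark), the following Python script reads a local-capture pcap file offline, checks the pcap magic and link type, classifies each 802.11 frame by its frame-control type and subtype, and reports what share of the capture is beacons, grouped by SSID. It assumes the capture was taken on a radio interface and saved as raw 802.11 frames (pcap link type 105 with no radiotap header); an Ethernet-interface capture (link type 1) is recognized but not decoded. The function and constant names are the example's own, and the capture returned by `build_sample_capture()` is constructed in memory for the demonstration: two access points beaconing every 100 ms for four seconds plus a handful of data frames, which is enough to show why the Ignore Beacons filter matters.

```python
"""Offline check of a WAP local-capture pcap: how much of it is 802.11 beacons?

Added example; not code from the WAP device, Cisco or Wireshark. Assumes raw
802.11 frames (pcap link type 105, no radiotap header) for radio captures.
"""
import struct
import sys
from collections import Counter

PCAP_MAGIC_USEC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D      # classic pcap, nanosecond timestamps
LINKTYPE_ETHERNET = 1             # what an eth0 capture would carry
LINKTYPE_IEEE802_11 = 105         # raw 802.11 frames (assumed for radio captures)
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}
SUBTYPE_BEACON = 8                # management subtype 8 = beacon
MGMT_HEADER_LEN = 24              # frame control, duration, addr1-3, sequence control
BEACON_FIXED_LEN = 12             # timestamp(8) + beacon interval(2) + capability(2)


def read_pcap(data):
    """Parse classic pcap bytes into (linktype, [(timestamp_seconds, frame_bytes), ...])."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    for endian in ("<", ">"):                       # magic tells us the byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            ts_div = 1_000_000 if magic == PCAP_MAGIC_USEC else 1_000_000_000
            break
    else:
        raise ValueError("not a pcap file (magic %s)" % data[:4].hex())
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % off)
        records.append((sec + frac / ts_div, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def frame_kind(frame):
    """(type name, subtype) from the first frame-control byte of an 802.11 frame."""
    fc0 = frame[0]
    return FRAME_TYPES[(fc0 >> 2) & 0x3], (fc0 >> 4) & 0xF


def beacon_ssid(frame):
    """SSID from a beacon's tagged parameters; '<hidden>' if zero-length, None if absent."""
    off = MGMT_HEADER_LEN + BEACON_FIXED_LEN
    while off + 2 <= len(frame):
        ie_id, ie_len = frame[off], frame[off + 1]
        if ie_id == 0:
            return frame[off + 2:off + 2 + ie_len].decode("utf-8", "replace") or "<hidden>"
        off += 2 + ie_len
    return None


def summarize_80211(records):
    """Count frames by type and beacons by SSID; beacon_share is the beacon fraction."""
    by_type, beacons_by_ssid = Counter(), Counter()
    for _ts, frame in records:
        if len(frame) < 2:
            by_type["malformed"] += 1
            continue
        kind, subtype = frame_kind(frame)
        by_type[kind] += 1
        if kind == "management" and subtype == SUBTYPE_BEACON:
            beacons_by_ssid[beacon_ssid(frame) or "<no SSID IE>"] += 1
    total, beacons = sum(by_type.values()), sum(beacons_by_ssid.values())
    return {"total": total, "beacons": beacons, "beacon_share": beacons / total if total else 0.0,
            "by_type": dict(by_type), "beacons_by_ssid": dict(beacons_by_ssid)}


def analyze_capture(pcap_bytes):
    """Reject non-pcap input; decode beacon statistics only for raw 802.11 captures."""
    linktype, records = read_pcap(pcap_bytes)
    if linktype != LINKTYPE_IEEE802_11:
        return {"linktype": linktype, "total": len(records),
                "note": "not raw 802.11 frames; beacon analysis skipped"}
    return dict(summarize_80211(records), linktype=linktype)


# --- constructed sample data (not a real capture) ---------------------------------
def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_beacon(ssid, bssid, seq):
    header = b"\x80\x00\x00\x00" + _mac("ff:ff:ff:ff:ff:ff") + bssid + bssid + struct.pack("<H", seq << 4)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)                  # timestamp, 100 TU interval, capability
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82])  # SSID IE, supported-rates IE
    return header + fixed + ies


def build_data_frame(src, dst, bssid, seq, payload):
    header = b"\x08\x01\x00\x00" + bssid + src + dst + struct.pack("<H", seq << 4)   # data frame, To-DS
    return header + payload


def write_pcap(linktype, records):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int(round((ts - sec) * 1_000_000)), len(frame), len(frame)) + frame)
    return b"".join(out)


def build_sample_capture():
    """Four seconds of constructed 802.11 traffic: two APs beaconing every 100 ms plus a few data frames."""
    ap1, ap2, sta = _mac("00:11:22:33:44:01"), _mac("00:11:22:33:44:02"), _mac("aa:bb:cc:dd:ee:ff")
    records, seq = [], 0
    for tick in range(40):
        ts = tick / 10
        records.append((ts, build_beacon("corp-wifi", ap1, seq)))
        records.append((ts, build_beacon("", ap2, seq + 1)))       # hidden SSID
        if tick % 10 == 0:
            records.append((ts + 0.05, build_data_frame(sta, ap1, ap1, seq + 2, b"\xaa\xaa\x03" + bytes(30))))
        seq += 3
    return write_pcap(LINKTYPE_IEEE802_11, records)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    print(analyze_capture(data))
```

Run it as `python3 beacon_share.py /path/to/apcapture.pcap` against a downloaded capture file, or with no argument to analyze the constructed sample, where beacons make up roughly 95% of the frames. If the device instead writes a radiotap header (link type 127), the radiotap length field at bytes 2-3 of each record must be skipped before the 802.11 header, which this example does not do.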
Packet Capture File Download
You can download a capture file by TFTP to a configured TFTP server, or by HTTP/HTTPS to a computer. A capture is automatically stopped when the capture file download command is triggered.
Because the capture file is located in the RAM file system, it disappears if the WAP device is reset.
To download a packet capture file using TFTP:
Procedure
Step 1 |
Click Download to TFTP Server. |
Step 2 |
Specify a Server IPv4 Address in the field provided. |
Step 3 |
Enter the Destination File Name to download if different from the default. By default, the captured packets are stored in the file /tmp/apcapture.pcap on the WAP device. |
Step 4 |
Click Download. |
Using HTTP
To download a packet capture file using HTTP:
Procedure
Step 1 |
Click Download to this Device. A confirmation pop-up message will appear. |
Step 2 |
Click Yes. A pop-up enables you to select a network location to save the file. |