Packet Capture

The wireless packet capture feature enables capturing and storing packets received and transmitted by the WAP device. The captured packets can then be analyzed by a network protocol analyzer, for troubleshooting or performance optimization. There are two methods of packet capture:

 • Local capture method—Captured packets are stored in a file on the WAP device. The WAP device can transfer the file to a TFTP server, or you can download it by HTTP(S) to a computer. The file is in pcap format and can be examined using tools such as Wireshark and OmniPeek.

 • Remote capture method—Captured packets are redirected in real time to an external computer running the Wireshark tool.

The WAP device can capture these types of packets:

 • 802.11 packets received and transmitted on radio interfaces. Packets captured on radio interfaces include the 802.11 header.

 • 802.3 packets received and transmitted on the Ethernet interface.

 • 802.3 packets received and transmitted on the internal logical interfaces such as VAPs and WDS interfaces.

Select Administration > Packet Capture to display the Packet Capture page. From the Packet Capture page you can:

 • Configure packet capture parameters.

 • Start a local or remote packet capture.

 • View the current packet capture status.

 • Download a packet capture file.


The Packet Capture Configuration area enables you to configure parameters and initiate a packet capture.

Configuring the Packet Capture

To configure packet capture settings:

 1. Configure these parameters:

 • Capture Beacons—Enables or disables the capturing of 802.11 beacons detected or transmitted by the radio.

 • Promiscuous Capture—Enables or disables promiscuous mode when the capture is active.

In promiscuous mode, the radio receives all traffic on the channel, including traffic that is not destined to this WAP device. While the radio is operating in promiscuous mode, it continues serving associated clients. Packets not destined to the WAP device are not forwarded.

As soon as the capture is completed, the radio reverts to nonpromiscuous mode operation.

 • Radio Client Filter—Enables or disables the WLAN client filter to capture only frames that are transmitted to, or received from, a WLAN client with a specified MAC address.

 • Client Filter MAC Address—Specifies the MAC address for WLAN client filtering.

Note The MAC filter is active only when a capture is performed on an 802.11 interface.

 • Packet Capture Method—Select one of these options:

 – Local File—Captured packets are stored in a file on the WAP device.

 – Remote—Captured packets are redirected in real time to an external computer running the Wireshark tool.

 2. Depending on the selected method, refer to the steps in the Local Packet Capture or Remote Packet Capture section to continue.

Note Changes to packet capture configuration parameters take effect only after the packet capture is restarted. Modifying the parameters while a packet capture is running does not affect the current packet capture session. To begin using new parameter values, stop the existing packet capture session and start it again.


Local Packet Capture

To initiate a local packet capture:

 1. Ensure that Local File is selected for the Packet Capture Method.

 2. Configure these parameters:

 • Capture Interface—Enter a capture interface type for packet capture:

 – radio1—802.11 traffic on the radio interface Radio 1.

 – radio2—802.11 traffic on Radio 2.

 – eth0—802.3 traffic on the Ethernet port.

 – wlan0—VAP0 traffic on Radio 1.

 – wlan1—VAP0 traffic on Radio 2.

 – wlan0vap1 to wlan0vap7—Traffic on the specified VAP on Radio 1.

 – wlan1vap1 to wlan1vap7—Traffic on the specified VAP on Radio 2.

 – wlan0wds0 to wlan0wds3—Traffic on the specified WDS interface.

 – brtrunk—Linux bridge interface in the WAP device.

 • Capture Duration—Enter the time duration in seconds for the capture. The range is from 10 to 3600. The default is 60.

 • Max Capture File Size—Enter the maximum allowed size for the capture file in KB. The range is from 64 to 4096. The default is 1024.

 3. Click Save. The changes are saved to the Startup Configuration.

 4. Click Start Capture.

In Packet File Capture mode, the WAP device stores captured packets in the RAM file system. Upon activation, the packet capture proceeds until one of these events occurs:

 • The capture time reaches the configured duration.

 • The capture file reaches its maximum size.

 • The administrator stops the capture.

The Packet Capture Status area of the page shows the status of a packet capture, if one is active on the WAP device.

 • Current Capture Status—Whether packet capture is running or stopped.

 • Packet Capture Time—Elapsed capture time.

 • Packet Capture File Size—The current capture file size.

Click Refresh to show the latest data from the WAP device.

Note To stop a packet file capture, click Stop Capture.


Remote Packet Capture

The Remote Packet Capture feature enables you to specify a remote port as the destination for packet captures. This feature works in conjunction with the Wireshark network analyzer tool for Windows. A packet capture server runs on the WAP device and sends the captured packets through a TCP connection to the Wireshark tool. Wireshark is an open source tool and is available for free; it can be downloaded from http://www.wireshark.org.

A Microsoft Windows computer running the Wireshark tool allows you to display, log, and analyze captured traffic. The remote packet capture facility is a standard feature of the Wireshark tool for Windows. The Linux version of Wireshark does not work with the WAP device.

When remote capture mode is in use, the WAP device does not store any captured data locally in its file system.

If a firewall is installed between the Wireshark computer and the WAP device, the traffic for the remote capture ports must be allowed to pass through the firewall. The firewall must also be configured to allow the Wireshark computer to initiate a TCP connection to the WAP device.

Initiating a Remote Capture on a WAP Device

To initiate a remote capture on a WAP device:

 1. Select Administration > Packet Capture.

 2. Enable Promiscuous Capture.

 3. For the Packet Capture Method, select Remote.

 4. For the Remote Capture Port, use the default port (2002), or if you are using a port other than the default, enter the desired port number used for connecting Wireshark to the WAP device. The port range is from 1025 to 65530.

 5. If you want to save the settings for use at another time, click Save.

 6. Click Start Capture.


Initiating the Network Analyzer Tool

To initiate the Wireshark network analyzer tool for Microsoft Windows:

 1. On the same computer, initiate the Wireshark tool.

 2. In the menu, select Capture > Options. A popup window appears.

 3. At Interface, select Remote. A popup window appears.

 4. At Host, enter the IP address of the WAP device.

 5. At Port, enter the port number of the WAP. For example, enter 2002 if you used the default, or enter the port number if you used a port other than the default.

 6. Click OK.

 7. Select the interface from which you need to capture packets. At the Wireshark popup window, next to the IP address, there is a pull-down list for you to select the interfaces. The interface can be one of the following:

 • Linux bridge interface in the WAP device: rpcap://[192.168.1.220]:2002/brtrunk

 • Wired LAN interface: rpcap://[192.168.1.220]:2002/eth0

 • VAP0 traffic on Radio 1: rpcap://[192.168.1.220]:2002/wlan0

 • 802.11 traffic on Radio 1: rpcap://[192.168.1.220]:2002/radio1

 • On WAP571/E, VAP1 to VAP7 traffic for Radio 1: rpcap://[192.168.1.220]:2002/wlan0vap1 to wlan0vap7

 • On WAP571/E, VAP1 to VAP7 traffic for Radio 2: rpcap://[192.168.1.220]:2002/wlan1vap1 to wlan1vap7


You can trace up to four interfaces on the WAP device at the same time. However, you must start a separate Wireshark session for each interface. To initiate additional remote capture sessions, repeat the Wireshark configuration steps; no configuration needs to be done on the WAP device.

Note The system uses four consecutive port numbers, starting with the configured port, for the remote packet capture sessions. Verify that you have four consecutive port numbers available. If you do not use the default port, we recommend a port number greater than 1024.

When you are capturing traffic on the radio interface, you can disable beacon capture, but other 802.11 control frames are still sent to Wireshark. You can set up a display filter to show only:

 • Data frames in the trace

 • Traffic on specific Basic Service Set IDs (BSSIDs)

 • Traffic between two clients

Some examples of useful display filters are:

 • Exclude beacons and ACK/RTS/CTS frames:

!(wlan.fc.type_subtype == 8 || wlan.fc.type == 1)

 • Data frames only:

wlan.fc.type == 2

 • Traffic on a specific BSSID:

wlan.bssid == 00:02:bc:00:17:d0

 • All traffic to and from a specific client:

wlan.addr == 00:00:e8:4e:5f:8e
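The same four display filters can be evaluated offline against a capture file downloaded from the WAP device (local capture method). This added Python example is not part of the Cisco guide: it parses a classic pcap file, decodes the 802.11 frame control field and addresses, and applies each filter as a predicate. It assumes the radio capture uses pcap link type 105 (raw 802.11) or 127 (radiotap, which it strips); the sample capture bytes are constructed inline and are not from a real WAP device.

```python
import struct

LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127  # pcap link types used for 802.11 captures

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def pcap_frames(data):
    """Yield raw 802.11 frames from a classic (non-pcapng) pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_RADIOTAP:        # radiotap length is a LE u16 at offset 2
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        yield frame

def fields(frame):
    """Decode the header fields the display filters use: fc.type, fc.subtype, bssid, addr."""
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 3, fc >> 4
    to_ds, from_ds = flags & 1, (flags >> 1) & 1
    addrs = [mac(frame[4:10])]                   # ACK/CTS control frames carry only addr1
    if len(frame) >= 22:
        addrs += [mac(frame[10:16]), mac(frame[16:22])]
    bssid = None
    if ftype == 0:                               # management frame: BSSID is addr3
        bssid = addrs[2]
    elif ftype == 2 and not (to_ds and from_ds): # data frame: position depends on DS flags
        bssid = addrs[0] if to_ds else addrs[1] if from_ds else addrs[2]
    return {"type": ftype, "subtype": subtype, "bssid": bssid, "addrs": addrs}

def apply_filter(pcap_bytes, pred):
    """Equivalent of a Wireshark display filter: keep frames for which pred() holds."""
    return [f for f in map(fields, pcap_frames(pcap_bytes)) if pred(f)]

# The four filters from the page, as predicates over the decoded fields.
def NOT_BEACON_OR_CONTROL(f): return not ((f["type"], f["subtype"]) == (0, 8) or f["type"] == 1)
def DATA_ONLY(f): return f["type"] == 2
def ON_BSSID(f): return f["bssid"] == "00:02:bc:00:17:d0"
def WITH_CLIENT(f): return "00:00:e8:4e:5f:8e" in f["addrs"]

# Constructed sample capture: a beacon from the AP, an ACK to the client, a data frame from the client.
AP, CLIENT = bytes.fromhex("0002bc0017d0"), bytes.fromhex("0000e84e5f8e")
BEACON = b"\x80\x00\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00" + b"\x00" * 12
ACK = b"\xd4\x00\x00\x00" + CLIENT
DATA = b"\x08\x01\x00\x00" + AP + CLIENT + bytes.fromhex("001122334455") + b"\x00\x00" + b"payload"
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11) + b"".join(
    struct.pack("<IIII", 0, 0, len(fr), len(fr)) + fr for fr in (BEACON, ACK, DATA))
```

Replace SAMPLE_PCAP with the bytes of a downloaded apcapture.pcap to run the filters on a real capture.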

In remote capture mode, traffic is sent to the computer running Wireshark through one of the network interfaces. Depending on the location of the Wireshark tool, the traffic can be sent on an Ethernet interface or one of the radios. To avoid a traffic flood caused by tracing the packets, the WAP device automatically installs a capture filter to filter out all packets destined to the Wireshark application. For example, if the Wireshark IP port is configured to be 58000, then this capture filter is automatically installed on the WAP device:

not portrange 58000-58004

Due to performance and security issues, the packet capture mode is not saved in NVRAM on the WAP device; if the WAP device resets, the capture mode is disabled and then you must reenable it to resume capturing traffic. Packet capture parameters (other than mode) are saved in NVRAM.

Enabling the packet capture feature can create a security issue: Unauthorized clients may be able to connect to the WAP device and trace user data. The performance of the WAP device is also negatively impacted during packet capture, and this impact continues to a lesser extent even when there is no active Wireshark session. To minimize the performance impact on the WAP device during traffic capture, install capture filters to limit which traffic is sent to the Wireshark tool. When capturing 802.11 traffic, a large portion of the captured frames tends to be beacons (typically sent every 100 ms by all APs). Although Wireshark supports a display filter for beacon frames, it does not support a capture filter to prevent the WAP device from forwarding captured beacon packets to the Wireshark tool. To reduce the performance impact of capturing 802.11 beacons, disable Capture Beacons.

You can download a capture file by TFTP to a configured TFTP server, or by HTTP(S) to a computer. The capture file is located in the RAM file system and disappears if the WAP device is reset.

Downloading a Packet Capture File Using TFTP

To download a packet capture file using TFTP:

 1. Select Use TFTP to download the capture file.

 2. Enter the TFTP Server Filename to download if different from the default. By default, the captured packets are stored in the file /tmp/apcapture.pcap on the WAP device.

 3. Specify a TFTP Server IPv4 Address in the field provided.

 4. Click Download.


Downloading a Packet Capture File Using HTTP

To download a packet capture file using HTTP:

 1. Clear Use TFTP to download the captured file.

 2. Click Download. A confirmation window appears.

 3. Click OK. A dialog box displays that enables you to choose a network location to save the file.