Configure AP Packet Capture on Catalyst 9800 Wireless Controllers

Introduction

This document describes how to use the Access Point (AP) Packet Capture feature.

Background Information

AP Packet Capture feature allows you to perform packet captures over the air with little effort. When the feature is enabled, a copy of all the specified wireless packets and frames sent and received from/to APs from/to a specific wireless mac address over the air, is forwarded to a File Transfer Protocol(FTP) server, where you can download it as .pcap file and open it with your preferred packet analysis tool.

Once the packet capture is started, the AP where the client is associated to, creates a new .pcap file on the FTP server (ensure the username specified for FTP login has write rights). If the client roams, the new AP creates a new .pcap file on the FTP server. If the client moves between Service Set Identifiers (SSIDs), the AP does keep the packet capture alive so you can see all the management frames when the client associates to the new SSID.

If you make the capture on an open SSID (no security), you are able to see content of the data packets but if the client is associated to a secured SSID (a password protected SSID or 802.1x security) then the data portion of the data packets is encrypted and cannot be seen in clear text. 

Feature is only available for IOS APs (Like AP 3702).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Command line Interface (CLI) or Graphic User Interface (GUI) access to the wireless controllers.
• FTP server
• .pcap files

Components Used

• 9800 WLC v16.10
• AP 3700
• FTP server

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configuration

Network Diagram

Configurations

Prior the configuration, check which would be the APs to which the wireless client could connect.

Step 1. Verify the current Site tag associated to the APs that the wireless client could use to connect.

GUI:

Navigate to Configuration > Wireless > Access Points 

CLI:

# show ap tag summary | inc 3702-02

3702-02 f07f.06e1.9ea0 default-site-tag default-policy-tag default-rf-tag No Default

Step 2. Check the AP Join Profile associated to that Site Tag

GUI: 

Navigate to Configuration > Tags & Profiles > Tags > Site > Site Tag Name

Take note of the AP Join Profile associated

CLI:

# show wireless tag site detailed default-site-tag

Site Tag Name : default-site-tag
Description : default site tag
----------------------------------------
AP Profile : default-ap-profile
Local-site : Yes
Image Download Profile: default-me-image-download-profile

Step 3. Add the Packet Capture settings on the AP Join profile

GUI:

Navigate to Configuration > Tags & Profiles > AP Join > AP Join Profile Name > AP > Packet Capture and add a new AP Packet Capture Profile.

Select a Name for the Packet Capture Profile, enter the FTP server details to which the APs send the packet capture. Also ensure you select the kind of packets that you want to monitor.

Buffer Size = 1024-4096

Duration = 1-60

Once the Capture profile is saved, click on Update & Apply to Device.

CLI:

# config t
# wireless profile ap packet-capture Capture-all
# classifier arp
# classifier broadcast
# classifier data
# classifier dot1x
# classifier iapp
# classifier ip
# classifier tcp
# ftp password 0 backup
# ftp path /home/backup
# ftp serverip 172.16.0.6
# ftp username backup
# exit
 
# ap profile default-ap-profile
# packet-capture Capture-all
# end

# show wireless profile ap packet-capture detailed Capture-all

Profile Name : Capture-all
Description  :
---------------------------------------------------
Buffer Size       : 2048 KB
Capture Duration  : 10 Minutes
Truncate Length   : packet length
FTP Server IP     : 172.16.0.6
FTP path          : /home/backup
FTP Username      : backup

Packet Classifiers
  802.11 Control  : Enabled
  802.11 Mgmt     : Enabled
  802.11 Data     : Enabled
  Dot1x           : Enabled
  ARP             : Enabled
  IAPP            : Enabled
  IP              : Enabled
  TCP             : Enabled
  TCP port        : all
  UDP             : Disabled
  UDP port        : all
  Broadcast       : Enabled
  Multicast       : Disabled

Step 4. Ensure that the wireless client that you want to monitor is already associated to any of the SSIDs and to one of the APs that has assigned the Tag where the AP join profile with the packet capture settings were assigned, otherwise the capture cannot be started.

Tip: If you wish to troubleshoot the reason why a client is not able to connect to an SSID then you could connect to an SSID that works fine and then roam to the failing SSID, the capture follows the client and captures all its activity.

GUI:

Navigate to Monitoring > Wireless > Clients 

CLI:

# show wireless client summary | inc e4b3.187c.3058

e4b3.187c.3058 3702-02 3 Run 11ac 

Step 5. Start the Capture

GUI:

Navigate to Troubleshooting > AP Packet Capture

Enter the mac address of the client that you want to monitor and select the Capture Mode. Auto means that every AP to which the wireless client connects, creates a new .pcap file automatically. Static lets you choose one specific AP to monitor the wireless client.

Start the capture with Start.

Then you can see the current state of the capture:

CLI:

# ap packet-capture start <E4B3.187C.3058> auto

 Step 6. Stop the capture

Once the desired behavior has been captured, stop the capture either by GUI or CLI:

GUI:

CLI:

# ap packet-capture stop <E4B3.187C.3058> all

Step 7. Collect the .pcap file from the FTP server

You should find a file with a name as <ap-name><9800-wlc-name>-<##-file><day><month><year>_<hour><minute><second>.pcap

Step 8. You can open the file with your preferred packet analysis tool.

 Verify

You can use these commands to verify the configuration of the packet capture feature.

# show ap status packet-capture

Number of Clients with packet capture started : 1

Client MAC      Duration(secs)   Site tag name            Capture Mode
-------------------------------------------------------------------------
e4b3.187c.3058  600              default-site-tag         auto

# show ap status packet-capture detailed e4b3.187c.3058

Client MAC Address    : e4b3.187c.3058
Packet Capture Mode   : auto
Capture Duration      : 600 seconds
Packet Capture Site   : default-site-tag

Access Points with status
AP Name                   AP MAC Addr     Status
----------------------------------------------------
APf07f.06e1.9ea0          f07f.06ee.f590  Started

Troubleshoot

You can follow these steps to troubleshoot this feature:

Step 1. Enable debug condition

# set platform software trace wireless chassis active R0 wncmgrd all-modules debug

Step 2. Reproduce the behavior

Step 3. Check the current controller's time to be able to track the logs in time

# show clock

Step 4. Collect the logs

# show logging process wncmgrd internal | inc ap-packet-capture

Step 5. Set back the logs condition to defaults.

# set platform software trace wireless chassis active R0 wncmgrd all-modules notice

Note: It is very important that after a troubleshooting session you set back the logs levels to avoid the generation of unnecessary logs.