Close

[ArubaOS 6.3] New Packet Capture Functionality in ArubaOS 6.3

By Colin Joseph, Blog Contributor
Share Post

The Aruba controller has had built-in packet capture functionality since day one. It supports streaming traffic to a host or saving a packet capture (.pcap) file to the controller for later analysis. The packet capture in ArubaOS 6.3 adds the capability to decide whether you want to capture a client's encrypted, or decrypted traffic, or both. It also adds the ability to see a tcpdump-style output of captured traffic from the controller without having to open a dedicated program to see a packet capture. Here is a demonstration:

Check to see if anything is being captured:

(3600-Controller) #show packet-capture  Active Capture Destination -------------------------- Destination    Local-Filesystem   Active Capture (Controlpath) ---------------------------- Interprocess   Disabled    Sysmsg         Disabled    TCP            Disabled    UDP            Disabled    Other          Disabled      Active Capture (Datapath) ------------------------- Wifi-Client    Disabled    Ipsec          Disabled     

 Next, I want to make sure that the data path packet capture buffer is zeroed out:

(3600-Controller) #packet-capture reset-pcap datapath-pcap

 Then I want to start a packet capture of a client's decrypted traffic, because I have a connectivity issue that I want to debug:

(192.168.1.3) #packet-capture datapath wifi-client e8:99:c4:92:c9:5b ? all                     Capture both decrypted and encrypted packets decrypted               Capture decrypted packets only encrypted               Capture encrypted packets only  (192.168.1.3) #packet-capture datapath wifi-client e8:99:c4:92:c9:5b decrypted

 After generating traffic with the client, I want to take a look at and analyze the traffic without having to open another program, so I will use the "show packet-capture datapath-pcap" command.  I could have also done a "tar logs tech-support" from the commandline or the GUI and the datapath.pcap file of the packet capture would be waiting for me in that file.  

Let me see what is in the packet capture from the commandline:

(192.168.1.3) #show packet-capture datapath-pcap   04:43:13.698113 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e8:99:c4:92:c9:5b, length 314  [DHCP FROM MY CLIENT] 04:43:13.728016 IP 192.168.1.254.67 > 192.168.1.96.68: BOOTP/DHCP, Reply, length 305 [DHCP REPLY FROM MY DHCP SERVER] 04:43:14.230764 arp who-has 192.168.1.254 tell 192.168.1.96  [ARP for my default gateway] 04:43:14.231593 arp reply 192.168.1.254 is-at 74:9d:dc:4b:08:41 [ARP reply from my default gateway] 04:43:14.234381 IP 192.168.1.96.2679 > 192.168.1.254.53:  11571+ A? www.google.com. (32) [Resolving www.google.com at my dns server] 04:43:14.265353 IP 192.168.1.254.53 > 192.168.1.96.2679:  11571 5/0/0 A 74.125.227.147, A 74.125.227.145, A 74.125.227.144, A 74.125.227.146, A 74.125.227.148 (112) [My dns server responding with dns records for www.google.com] 04:43:14.269594 IP 192.168.1.96.47064 > 74.125.227.147.80: S 3401926063:3401926063(0) win 65535  [my client opening www.google.com on port 80 on the ip address returned from dns server] 04:43:14.270227 IP 74.125.227.147.80 > 192.168.1.96.47064: S 3020078374:3020078374(0) ack 3401926064 win 5792  [www.google.com responding to the http request] 

 That is just a shortened view of the tcpdump-style output for that client.

There are more features in packet capturing in ArubaOS 6.3,  and this is just an example of how you can be more productive doing packet captures in ArubaOS 6.3.   You don't have to open a separate packet capture program.  Since the packet capture is centralized, you can also do things that were once tricky before like capturing traffic of roaming clients and capturing decrypted traffic (used to need an ACL in a role to do that).

In short, this just another tool that Aruba has improved in ArubaOS 6.3.