The Aruba controller has had built-in packet capture functionality since day one. It supports streaming traffic to a host or saving a packet capture (.pcap) file on the controller for later analysis. The packet capture in ArubaOS 6.3 adds the capability to decide whether you want to capture a client's encrypted traffic, its decrypted traffic, or both. It also adds the ability to see a tcpdump-style output of captured traffic on the controller itself, without having to open a dedicated program to read a packet capture. Here is a demonstration:
Check to see if anything is being captured:
(3600-Controller) #show packet-capture

Active Capture Destination
--------------------------
Destination  Local-Filesystem

Active Capture (Controlpath)
----------------------------
Interprocess  Disabled
Sysmsg        Disabled
TCP           Disabled
UDP           Disabled
Other         Disabled

Active Capture (Datapath)
-------------------------
Wifi-Client  Disabled
Ipsec        Disabled
Next, I want to make sure that the data path packet capture buffer is zeroed out:
(3600-Controller) #packet-capture reset-pcap datapath-pcap
Then I want to start a packet capture of a client's decrypted traffic, because I have a connectivity issue that I want to debug:
(192.168.1.3) #packet-capture datapath wifi-client E8:99:C4:92:C9:5B ?
all        Capture decrypted and encrypted packets
decrypted  Capture decrypted packets only
encrypted  Capture encrypted packets

(192.168.1.3) #packet-capture datapath wifi-client e8:99:C4:92:C9:5B decrypted
After generating traffic with the client, I want to look at and analyze the traffic without having to open another program, so I will use the "show packet-capture datapath-pcap" command. I could also have run "tar logs tech-support" from the command line or the GUI, and the datapath.pcap file of the packet capture would be waiting for me inside that archive.
Let me see what is in the packet capture from the command line:
(192.168.1.3) #show packet-capture datapath-pcap
04:43:13.698113 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e8:99:c4:92:c9:5b, length 314   [DHCP FROM MY CLIENT]
04:43:13.728016 IP 192.168.1.254.67 > 192.168.1.96.68: BOOTP/DHCP, Reply, length 305   [DHCP REPLY FROM MY DHCP SERVER]
04:43:14.230764 arp who-has 192.168.1.254 tell 192.168.1.96   [ARP for my default gateway]
04:43:14.231593 arp reply 192.168.1.254 is-at 74:9d:dc:4b:08:41   [ARP reply from my default gateway]
04:43:14.234381 IP 192.168.1.96.2679 > 192.168.1.254.53: 11571+ A? www.google.com. (32)   [Resolving www.google.com at my DNS server]
04:43:14.265353 IP 192.168.1.254.53 > 192.168.1.96.2679: 11571 5/0/0 A 74.125.227.147, A 74.125.227.145, A 74.125.227.144, A 74.125.227.146, A 74.125.227.148 (112)   [My DNS server responding with DNS records for www.google.com]
04:43:14.269594 IP 192.168.1.96.47064 > 74.125.227.147.80: S 3401926063:3401926063(0) win 65535   [My client opening www.google.com on port 80 on the IP address returned from the DNS server]
04:43:14.270227 IP 74.125.227.147.80 > 192.168.1.96.47064: S 3020078374:3020078374(0) ack 3401926064 win 5792   [www.google.com responding to the HTTP request]
That is just a shortened view of the tcpdump-style output for that client.
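When the capture above is used to chase a connectivity problem, the question is usually "which step did the client never get past": no DHCP reply, no ARP reply from the gateway, no DNS answer, or a SYN with no SYN-ACK. The following is an added example (not part of the original post or any Aruba tool) that parses the tcpdump-style lines printed by `show packet-capture datapath-pcap` into records and reports the first stage of that sequence that is missing. The sample lines are constructed copies of the output shown above with the bracketed notes removed; the stage names and the regular expressions are this example's own assumptions about the output format, not an Aruba specification.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the same kind of lines that
# "show packet-capture datapath-pcap" prints, minus the bracketed notes.
SAMPLE = """\
04:43:13.698113 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e8:99:c4:92:c9:5b, length 314
04:43:13.728016 IP 192.168.1.254.67 > 192.168.1.96.68: BOOTP/DHCP, Reply, length 305
04:43:14.230764 arp who-has 192.168.1.254 tell 192.168.1.96
04:43:14.231593 arp reply 192.168.1.254 is-at 74:9d:dc:4b:08:41
04:43:14.234381 IP 192.168.1.96.2679 > 192.168.1.254.53: 11571+ A? www.google.com. (32)
04:43:14.265353 IP 192.168.1.254.53 > 192.168.1.96.2679: 11571 5/0/0 A 74.125.227.147, A 74.125.227.145 (112)
04:43:14.269594 IP 192.168.1.96.47064 > 74.125.227.147.80: S 3401926063:3401926063(0) win 65535
04:43:14.270227 IP 74.125.227.147.80 > 192.168.1.96.47064: S 3020078374:3020078374(0) ack 3401926064 win 5792
"""

# Assumed line shapes (tcpdump style): "<ts> IP a.b.c.d.port > e.f.g.h.port: <rest>"
# and "<ts> arp <rest>". The greedy [\d.]+ backtracks so the last dotted
# component becomes the port.
TS = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)"
IP_RE = re.compile(TS + r" IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)")
ARP_RE = re.compile(TS + r" arp (?P<rest>.*)")


@dataclass
class Packet:
    ts: str
    proto: str              # "IP" or "arp"
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    rest: str               # everything after the addresses


def parse_line(line: str) -> Optional[Packet]:
    """Parse one output line; returns None for lines that are not packets."""
    m = IP_RE.match(line)
    if m:
        return Packet(m["ts"], "IP", m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]), m["rest"])
    m = ARP_RE.match(line)
    if m:
        return Packet(m["ts"], "arp", None, None, None, None, m["rest"])
    return None


def parse_capture(text: str) -> list:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def connectivity_checkpoints(packets: list):
    """Record the timestamp of each stage of a client's first connection.

    Stage order is this example's assumption: DHCP reply -> ARP reply for the
    gateway -> DNS answer -> TCP SYN -> TCP SYN-ACK. The client IP is learned
    from the DHCP reply, so stages after it are matched per client.
    """
    stages = {"dhcp_reply": None, "gateway_arp_reply": None, "dns_answer": None,
              "tcp_syn": None, "tcp_synack": None}
    client_ip = None
    for p in packets:
        if p.proto == "IP" and p.sport == 67 and p.dport == 68 and "Reply" in p.rest:
            stages["dhcp_reply"] = p.ts
            client_ip = p.dst
        elif p.proto == "arp" and p.rest.startswith("reply"):
            stages["gateway_arp_reply"] = p.ts
        elif p.proto == "IP" and p.sport == 53 and p.dst == client_ip and " A " in p.rest:
            stages["dns_answer"] = p.ts
        elif p.proto == "IP" and p.src == client_ip and p.rest.startswith("S ") and " ack " not in p.rest:
            stages["tcp_syn"] = p.ts
        elif p.proto == "IP" and p.dst == client_ip and p.rest.startswith("S ") and " ack " in p.rest:
            stages["tcp_synack"] = p.ts
    return client_ip, stages


def first_missing_stage(stages: dict) -> Optional[str]:
    """Earliest stage with no packet, or None when the whole sequence completed."""
    for name, ts in stages.items():
        if ts is None:
            return name
    return None


if __name__ == "__main__":
    client, found = connectivity_checkpoints(parse_capture(SAMPLE))
    print("client:", client)
    for name, ts in found.items():
        print(f"  {name:18s} {ts or 'MISSING'}")
    print("first missing stage:", first_missing_stage(found))
```

Feed it the real output by pasting the lines into `SAMPLE` or reading a file; bracketed notes on the end of a line are harmless because they fall into `rest`. For a client that never gets a DNS answer, the report stops at `dns_answer`, which tells you whether to look at the DHCP scope, the gateway, the resolver, or the far end before opening the .pcap in a full analyzer.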
There are more packet capture features in ArubaOS 6.3; this is just one example of how you can be more productive doing packet captures in ArubaOS 6.3, without having to open a separate packet capture program. Since the packet capture is centralized on the controller, you can also do things that used to be tricky, like capturing the traffic of roaming clients and capturing decrypted traffic (which previously required an ACL in a role).
In short, this is just another tool that Aruba has improved in ArubaOS 6.3.