Cisco's traditional approach to wireless remote packet capture was limited to changing the AP mode to sniffer mode. The big disadvantage is that a Cisco AP either works in local/FlexConnect mode serving mobile clients or in sniffer mode capturing traffic, never both at the same time.
In firmware 7.4 Cisco introduced per-client packet capture.
There are a few restrictions:
- Only one mobile client's MAC address can be captured per AP.
- If roaming events are to be captured, the commands need to be entered separately on two or more APs while the issue is reproduced. Knowing where the mobile client roams is required for a proper packet capture and analysis.
- An FTP server has to be available on the network.
A link to the Cisco WLC Configuration Guide 7.4 can be found here.
A few things need to be configured:
- FTP server details on Windows Server in my lab:
(Cisco Controller) >config ap packet-dump ftp serverip 192.168.7.45 path 1\ username user password username
- Buffer size:
(Cisco Controller) >config ap packet-dump buffer-size 2048
- Capture length in minutes:
(Cisco Controller) >config ap packet-dump capture-time 15
- Types of frames/packets to capture. By default all types are disabled, so at least one classifier must be enabled:
(Cisco Controller) >config ap packet-dump classifier ?
arp            Capture ARP Packets
broadcast      Capture Broadcast Packets
control        Capture 802.11 Control Packets
data           Capture 802.11 Data Packets
dot1x          Capture Dot1x Packets
iapp           Capture IAPP Packets
ip             Capture IP Packets
management     Capture 802.11 Management Packets
multicast      Capture Multicast Packets
tcp            Capture TCP packets
udp            Capture UDP packets
(Cisco Controller) >config ap packet-dump classifier management enable
(Cisco Controller) >config ap packet-dump classifier control enable
(Cisco Controller) >config ap packet-dump classifier data enable
- Optionally, the packet length after truncation:
(Cisco Controller) >config ap packet-dump truncate 1500
The command show ap packet-dump status verifies the settings:
(Cisco Controller) >show ap packet-dump status
Packet Capture Status............................ Stopped
FTP Server IP Address............................ 192.168.7.45
FTP Server Path.................................. 1\
FTP Server Username.............................. user
FTP Server Password.............................. ********
Buffer Size for Capture.......................... 2048 KB
Packet Capture Time.............................. 15 Minutes
Packet Truncate Length........................... 1500 Bytes
Packet Capture Classifier........................ 802.11 Management
Packet Capture Classifier........................ 802.11 Data
Packet Capture Classifier........................ 802.11 Control
To start the packet capture for the mobile client with MAC address cc:44:63:1b:2d:fa on AP1:
(Cisco Controller) >config ap packet-dump start cc:44:63:1b:2d:fa AP1
Client Mac Address............................... cc:44:63:1b:2d:fa
FTP Server IP.................................... 192.168.7.45
FTP Server Path.................................. 1\
FTP Server Username.............................. user
Buffer Size for Capture.......................... 2048 KB
Packet Capture Time.............................. 15 Minutes
Packet Truncate Length........................... 1500 Bytes
Packet Capture Classifier........................ 802.11 Management
Packet Capture Classifier........................ 802.11 Data
Packet Capture Classifier........................ 802.11 Control
Are you sure you want to start capture ? (y/N) y
The mobile client does not have to be associated with any of the related APs when the capture is started. To reproduce a roaming problem, the capture can be configured and started on further APs in the same way. Once the relevant packets have been captured, the process can be stopped with:
(Cisco Controller) >config ap packet-dump stop
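Because every classifier is disabled by default and only one client can be captured per AP, it is worth checking the `show ap packet-dump status` output before issuing the start command on each AP of a roaming path. The following is an added example, not part of the original post or a Cisco tool; it assumes the status text has already been collected from the controller (for instance over SSH) and parses the dotted-leader format shown above.

```python
import re

# Constructed sample: "show ap packet-dump status" output as the WLC prints it.
SAMPLE_STATUS = """\
Packet Capture Status............................ Stopped
FTP Server IP Address............................ 192.168.7.45
FTP Server Path.................................. 1\\
FTP Server Username.............................. user
FTP Server Password.............................. ********
Buffer Size for Capture.......................... 2048 KB
Packet Capture Time.............................. 15 Minutes
Packet Truncate Length........................... 1500 Bytes
Packet Capture Classifier........................ 802.11 Management
Packet Capture Classifier........................ 802.11 Data
Packet Capture Classifier........................ 802.11 Control
"""

# "<key>......... <value>": the key stops at the first run of two or more dots.
LINE_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.{2,}\s*(?P<value>.*?)\s*$")


def parse_packet_dump_status(text):
    """Parse the status output into a dict; the repeated classifier rows become a list."""
    status = {"classifiers": []}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt line, blank line, or anything not in key....value form
        key, value = m.group("key").strip(), m.group("value")
        if key == "Packet Capture Classifier":
            status["classifiers"].append(value)
        else:
            status[key] = value
    return status


def capture_prerequisites(status):
    """Return the problems that would make 'config ap packet-dump start' useless."""
    problems = []
    if status.get("Packet Capture Status") != "Stopped":
        problems.append("a capture is already running (only one client per AP)")
    if not status.get("FTP Server IP Address"):
        problems.append("no FTP server configured, the pcap has nowhere to go")
    if not status["classifiers"]:
        problems.append("no classifier enabled (all are disabled by default)")
    return problems


def roaming_start_commands(client_mac, ap_names):
    """One start command per AP on the expected roaming path, same client MAC on each."""
    return [f"config ap packet-dump start {client_mac} {ap}" for ap in ap_names]
```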
The file is created on the FTP server as AP1WLC02012019_194302.pcap.
Example from the capture:
Control frames are missing, but management and data frames are shown and are sufficient for analysis and conclusions.
With this feature, Cisco allows packets to be captured while the AP keeps serving mobile clients. This can save costs, because the remote capture can be taken on the first attempt while the problem is being reproduced, without dispatching a wireless network engineer with proper tools for an on-site packet capture.