Cisco per-client packet capture

Cisco’s original approach to wireless remote packet capture was limited to changing the AP into sniffer mode. The big disadvantage of that is that a Cisco AP either works in local/FlexConnect mode, serving the mobile clients, or in sniffer mode, capturing the traffic, but not both at the same time.

In firmware 7.4, Cisco introduced per-client packet capture.

There are a few restrictions:

  • Only one mobile client’s MAC address can be captured per AP.
  • If roaming events are to be captured, the commands need to be entered separately on 2 or more APs to reproduce the issue. Knowing where the mobile client roams is required for a proper packet capture and analysis.
  • An FTP server has to be available on the network.

Link to the Cisco WLC Configuration Guide 7.4 can be found here.

A few things need to be configured:

  1. FTP server details (a Windows Server in my lab):
    (Cisco Controller) >config ap packet-dump ftp serverip 192.168.7.45 path 1\ username user password username
  2. Buffer size:
    (Cisco Controller) >config ap packet-dump buffer-size 2048
  3. Capture length in minutes:
    (Cisco Controller) >config ap packet-dump capture-time 15
  4. Types of frames/packets to capture. By default all types are disabled.
    (Cisco Controller) >config ap packet-dump classifier ?

    arp            Capture ARP Packets
    broadcast      Capture Broadcast Packets
    control        Capture 802.11 Control Packets
    data           Capture 802.11 Data Packets
    dot1x          Capture Dot1x Packets
    iapp           Capture IAPP Packets
    ip             Capture IP Packets
    management     Capture 802.11 Management Packets
    multicast      Capture Multicast Packets
    tcp            Capture TCP packets
    udp            Capture UDP packets

    (Cisco Controller) >config ap packet-dump classifier management enable
    (Cisco Controller) >config ap packet-dump classifier control enable
    (Cisco Controller) >config ap packet-dump classifier data enable
  5. Optionally, the packet length after truncation:
    (Cisco Controller) >config ap packet-dump truncate 1500


The settings can be verified with the command show ap packet-dump status:

(Cisco Controller) >show ap packet-dump status

Packet Capture Status............................ Stopped
FTP Server IP Address............................ 192.168.7.45
FTP Server Path.................................. 1\
FTP Server Username.............................. user
FTP Server Password.............................. ********
Buffer Size for Capture.......................... 2048 KB
Packet Capture Time.............................. 15 Minutes
Packet Truncate Length........................... 1500 Bytes
Packet Capture Classifier........................ 802.11 Management
Packet Capture Classifier........................ 802.11 Data
Packet Capture Classifier........................ 802.11 Control
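To sanity-check steps 1 to 5 before starting a capture, the status output above can be parsed and checked for the conditions that make a capture useless (a capture already running, no FTP server, no classifier enabled). This is an added example in Python, not Cisco tooling; the sample status text is constructed from the values used in this post.

```python
"""Parse 'show ap packet-dump status' output from a Cisco WLC and check that a
per-client capture is ready to start.  Added example, not Cisco tooling; the
sample output below is constructed from the values used in this post."""
import re

SAMPLE_STATUS = """\
Packet Capture Status............................ Stopped
FTP Server IP Address............................ 192.168.7.45
FTP Server Path.................................. 1\\
FTP Server Username.............................. user
FTP Server Password.............................. ********
Buffer Size for Capture.......................... 2048 KB
Packet Capture Time.............................. 15 Minutes
Packet Truncate Length........................... 1500 Bytes
Packet Capture Classifier........................ 802.11 Management
Packet Capture Classifier........................ 802.11 Data
Packet Capture Classifier........................ 802.11 Control
"""

# Each line is "<label>....<value>"; the dot leader separates label from value.
LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\.{2,}\s*(?P<value>.*)$")


def parse_status(text):
    """Return the status fields as a dict.  Classifiers are collected in a
    list because the WLC prints one line per enabled frame type."""
    status = {"Packet Capture Classifier": []}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Packet Capture Classifier":
            status[key].append(value)
        else:
            status[key] = value
    return status


def readiness_problems(status):
    """List the reasons a 'config ap packet-dump start' would not yield a
    useful capture; an empty list means the AP is ready."""
    problems = []
    if status.get("Packet Capture Status", "Stopped") != "Stopped":
        problems.append("a capture is already running (one client per AP)")
    if not status.get("FTP Server IP Address"):
        problems.append("no FTP server set; the AP has nowhere to upload the pcap")
    if not status["Packet Capture Classifier"]:
        problems.append("no classifier enabled; all frame types are off by default")
    return problems
```

Paste the real `show ap packet-dump status` output into `parse_status` instead of the sample; `readiness_problems` returns an empty list for the configuration shown in this post.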


To start the packet capture for the mobile client with MAC address cc:44:63:1b:2d:fa on AP1:

(Cisco Controller) >config ap packet-dump start cc:44:63:1b:2d:fa AP1

Client Mac Address............................... cc:44:63:1b:2d:fa
FTP Server IP.................................... 192.168.7.45
FTP Server Path.................................. 1\
FTP Server Username.............................. user
Buffer Size for Capture.......................... 2048 KB
Packet Capture Time.............................. 15 Minutes
Packet Truncate Length........................... 1500 Bytes
Packet Capture Classifier........................ 802.11 Management
Packet Capture Classifier........................ 802.11 Data
Packet Capture Classifier........................ 802.11 Control

Are you sure you want to start capture ? (y/N) y


The mobile client doesn’t have to be associated with any of the related APs when the capture is started. To reproduce the problem, the next APs may be configured in the same way and the feature started on them too. Once the relevant packets have been captured, the process is stopped with:

(Cisco Controller) >config ap packet-dump stop

The file has been created on the FTP server: AP1WLC02012019_194302.pcap

Example from the capture:

[Image 1.png: example frames from the capture]

Control frames are missing, but the management and data frames are shown and can support analysis and conclusions.

With this feature, Cisco allows capturing packets while the AP keeps serving the mobile clients. This can save cost: on the first try, the remote capture can be taken while the problem is reproduced, without dispatching a wireless network engineer with the proper tools for an on-site packet capture.
