Cisco WLC: Per-client Packet Capture
Sometimes, you just want to capture the packets associated with a particular wireless client and see what the heck is going on with that client. Often, it may not be practical to do an over-the-air packet capture, as perhaps the client is at a remote location or you just don't have access to a wireless capture card.
I recently had an issue trying to understand why an Android device that I was trying to 'on-board' using Cisco's ISE wouldn't access the Google Play store. I desperately wanted to capture the over-the-air frames from the client to have a look at what the client was doing.
After a quick 'Google' around, I found an intriguing set of Cisco WLC CLI commands that allow a packet capture of traffic for a wireless client. This can all be done without having to change the AP mode, or reboot the AP etc.
In summary, the feature allows packets to be captured for a specified wireless client that is sending/receiving traffic to/from an AP. The AP will continue to process all user traffic as per usual, with the target client frames being streamed to an FTP server for a specified period. The resultant capture file is in standard pcap format that can be opened with Wireshark (amongst others).
The feature looks like it became available from WLC code 7.4 - full details can be found at the following URL: http://bit.ly/wlc-pkt-capture
In summary, the following work-flow worked pretty well for me:
- Identify the client MAC address you would like to capture
- Identify the FTP server to receive the trace file:
config ap packet-dump ftp serverip <ip-address> path <path> username <user_ID> password <password>
- Configure the frames to be captured - data frames worked well for me:
config ap packet-dump classifier data enable
(don't try to capture without specifying a classifier, as you capture nothing - I tried it...)
- Start the client packet capture for the target client:
config ap packet-dump start <client-mac-address>
- After a while, you can stop the capture session and see what you've got (note that by default, the capture session stops after 10 mins):
config ap packet-dump stop
(note that the FTP server may not show any frames captured until you stop the capture and it empties out its buffer)
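Once the session is stopped and the buffer has been flushed to the FTP server, the first thing worth doing is a sanity check on the file before opening it in Wireshark: is it really a classic pcap, which link type did the AP write, and did the `truncate` setting cut any frames short? The following checker is an added example written for this post, not code from the original article or from Cisco; it parses the classic pcap global header and packet records directly, and the sample capture it builds is constructed test data (Ethernet link type, snaplen 128), not output from a WLC.

```python
import struct
import sys

# Well-known pcap link-layer type codes (from the libpcap DLT list)
LINKTYPES = {1: "ethernet", 105: "ieee802.11", 127: "ieee802.11-radiotap"}

# Classic pcap magic numbers as read little-endian: microsecond and nanosecond variants
_LE_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)
_BE_MAGICS = (0xD4C3B2A1, 0x4D3CB2A1)


def summarize_pcap(data):
    """Validate a classic pcap byte string and summarise its contents.

    Checks the magic number, reads the global header (snaplen, link type)
    and walks every packet record, counting frames and flagging the ones
    whose captured length is shorter than the original (cut to snaplen).
    Raises ValueError on anything that is not a well-formed capture.
    """
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in _LE_MAGICS:
        endian = "<"
    elif magic in _BE_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])

    offset, packets, truncated, captured_bytes = 24, 0, 0, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("trailing bytes do not form a record header")
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        # A record can never hold more than snaplen, more than the original frame,
        # or more than what is left in the file
        if incl_len > snaplen or incl_len > orig_len or offset + incl_len > len(data):
            raise ValueError("record %d has an impossible length" % (packets + 1))
        if incl_len < orig_len:
            truncated += 1
        packets += 1
        captured_bytes += incl_len
        offset += incl_len
    return {
        "version": "%d.%d" % (vmaj, vmin),
        "linktype": LINKTYPES.get(linktype, "dlt-%d" % linktype),
        "snaplen": snaplen,
        "packets": packets,
        "truncated": truncated,
        "captured_bytes": captured_bytes,
    }


def build_sample_pcap():
    """Constructed test data, not a real WLC capture: little-endian pcap,
    Ethernet link type, snaplen 128, one 60-byte frame captured whole and
    one 300-byte frame cut to the 128-byte snaplen."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 128, 1)
    rec1 = struct.pack("<IIII", 1, 0, 60, 60) + b"\x00" * 60
    rec2 = struct.pack("<IIII", 2, 0, 128, 300) + b"\x11" * 128
    return header + rec1 + rec2


if __name__ == "__main__":
    # Pass the file pulled from the FTP server as the first argument;
    # with no argument the constructed sample is summarised instead
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for key, value in summarize_pcap(raw).items():
        print("%-15s %s" % (key, value))
```

A non-zero `truncated` count means the `truncate length-in-bytes` setting (or the default snaplen) is shorter than some frames, so payload-level analysis of those frames will be incomplete; a `ValueError` usually means the transfer was incomplete or the file is not the capture at all.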
There are a few caveats to this capture technique, but it is still a very powerful tool to add to your WiFi utility belt. Caveats include:
- beacons and probe responses are not captured
- the client must be associated with an AP joined to the WLC
- only frames for one client at a time can be captured
- does not work across inter-controller roaming
Here are all of the commands for your reference (taken from the Cisco configuration guide):
- Configure FTP parameters for packet capture by entering this command:
config ap packet-dump ftp serverip ip-address path path username user_ID password password
- Start or stop packet capture by entering this command:
config ap packet-dump {start client-mac-address ap-name | stop}
- Configure the buffer size for packet capture by entering this command:
config ap packet-dump buffer-size size-in-kb
- Configure the time for packet capture by entering this command:
config ap packet-dump capture-time time-in-minutes
(The valid range is between 1 and 60 minutes.)
- Configure the types of packets to be captured by entering this command:
config ap packet-dump classifier {arp | broadcast | control | data | dot1x | iapp | ip | management | multicast | {tcp port port-number} | {udp port port-number}} {enable | disable}
- Configure the packet length after truncation by entering this command:
config ap packet-dump truncate length-in-bytes
- Know the status of packet capture by entering this command:
show ap packet-dump status
- Configure debugging of packet capture by entering this command:
debug ap packet-dump {enable | disable}
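Because the workflow above and the command reference both involve typing a handful of commands in a fixed order with easy-to-miss constraints (a classifier must be enabled or nothing is captured, capture-time is 1 to 60 minutes, tcp/udp classifiers need a port), a small generator that emits the exact command sequence and refuses bad input saves a wasted capture window. The script below is an added example written for this post, not code from the original article or from Cisco, and it runs on your workstation, not on the controller: it only produces the CLI lines to paste into a WLC session. It assumes the controller accepts the client MAC in colon-separated form, that the `ap-name` argument of the start command is optional (the workflow above omits it while the reference includes it), and that FTP path and credentials must not contain whitespace since the CLI splits on spaces; the sample values in `__main__` are constructed.

```python
import ipaddress
import re

# Classifiers the WLC accepts as bare keywords; tcp and udp additionally take a port
KEYWORD_CLASSIFIERS = {"arp", "broadcast", "control", "data", "dot1x", "iapp",
                       "ip", "management", "multicast"}


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and return
    the colon-separated lowercase form (assumed here to be what the WLC expects)."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError("client MAC must be 12 hex digits, e.g. aa:bb:cc:dd:ee:ff")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classifier_command(kind, port=None, enable=True):
    """Build one 'config ap packet-dump classifier ...' line using the syntax above."""
    state = "enable" if enable else "disable"
    if kind in ("tcp", "udp"):
        if port is None or not 1 <= port <= 65535:
            raise ValueError("%s classifier needs a port in 1..65535" % kind)
        return "config ap packet-dump classifier %s port %d %s" % (kind, port, state)
    if kind not in KEYWORD_CLASSIFIERS:
        raise ValueError("unknown classifier %r" % kind)
    return "config ap packet-dump classifier %s %s" % (kind, state)


def build_capture_plan(client_mac, ftp_ip, ftp_path, ftp_user, ftp_password,
                       classifiers=(("data", None),), ap_name=None,
                       capture_minutes=None, buffer_kb=None, truncate_bytes=None):
    """Return the ordered list of WLC CLI lines that set up and start a capture."""
    if not classifiers:
        raise ValueError("enable at least one classifier; with none set nothing is captured")
    if capture_minutes is not None and not 1 <= capture_minutes <= 60:
        raise ValueError("capture-time must be 1..60 minutes")
    for value, name in ((ftp_path, "path"), (ftp_user, "username"), (ftp_password, "password")):
        if not value or re.search(r"\s", value):
            raise ValueError("FTP %s must be non-empty and contain no whitespace" % name)
    server = str(ipaddress.ip_address(ftp_ip))  # raises ValueError on a bad address
    plan = ["config ap packet-dump ftp serverip %s path %s username %s password %s"
            % (server, ftp_path, ftp_user, ftp_password)]
    if buffer_kb is not None:
        plan.append("config ap packet-dump buffer-size %d" % buffer_kb)
    if capture_minutes is not None:
        plan.append("config ap packet-dump capture-time %d" % capture_minutes)
    if truncate_bytes is not None:
        plan.append("config ap packet-dump truncate %d" % truncate_bytes)
    for kind, port in classifiers:
        plan.append(classifier_command(kind, port))
    start = "config ap packet-dump start %s" % normalize_mac(client_mac)
    if ap_name:  # assumed optional; the reference syntax lists it after the MAC
        start += " " + ap_name
    plan.append(start)
    return plan


def teardown_plan():
    """Commands to check the session and stop it so the buffer is flushed to FTP."""
    return ["show ap packet-dump status", "config ap packet-dump stop"]


if __name__ == "__main__":
    # Constructed sample values; paste the printed lines into a WLC CLI session
    for line in build_capture_plan("AA-BB-CC-DD-EE-FF", "192.0.2.10", "/captures",
                                   "wlcuser", "CHANGE_ME", capture_minutes=5,
                                   classifiers=(("data", None), ("udp", 53))):
        print(line)
    print("... wait for the capture window, then:")
    for line in teardown_plan():
        print(line)
```

The FTP password is part of the CLI line and FTP itself carries both credentials and the capture file in cleartext, so use an account dedicated to the capture drop directory and keep that directory off any shared network path; the capture contains the client's traffic.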