Sometimes, you just want to capture the packets associated with a particular wireless client and see what the heck is going on with that client. Often, it may not be practical to do an over-the-air packet capture, as perhaps the client is at a remote location or just just don’t have access to a wireless capture card.
I recently had an issue trying to understand why an Android device that I was trying to ‘on-board’ using Cisco’s ISE wouldn’t access the Google Play store. I desperately wanted to capture the over-the-air frames from the client to have a look at what the client was doing.
After a quick ‘Google’ around, I found an intriguing set of Cisco WLC CLI commands that allow a packet capture of traffic for a wireless client. This can all be done without having to change the AP mode, or reboot the AP etc.
In summary, the feature allows packets to be captured for a specified wireless client that is sending/receiving traffic to/from an AP. The AP will continue to process all user traffic as per usual, with the target client frames being streamed to an FTP server for a specified period. The resultant capture file is in standard pcap format that can be opened with Wireshark (amongst others).
1. Identify the client MAC address you would like to capture
2. Identify the FTP server to receive the trace file:
config ap packet-dump ftp serverip
3. Configure the frames to be captured – data frames worked well for me:
config ap packet-dump classifier data enable
4. Start the client packet capture for the target client:
config ap packet-dump start
5 After a while, you can stop the capture sessions and see what you’ve got: (note that by default, the capture session stops after 10 mins)
config ap packet-dump stop
(The FTP server may not show any frames captured until you stop the capture and it empties out its buffer)
There are a few caveats to this capture technique, but it is still a very powerful tool to add to your WiFi utility belt. Caveats include:
More info is here