Reset Search



How to use Real Capture to capture wireless and wired traces from an ExtremeWireless Access Point

« Go Back


TitleHow to use Real Capture to capture wireless and wired traces from an ExtremeWireless Access Point
How to use Real Capture to capture wireless and wired traces from an ExtremeWireless Access Point.
  • ExtremeWireless
  • IdentiFi
  • AP-36xx and above
  • Firmware Revisions 8.01 or higher.
  • Real Capture
  • Sniffer
  • Trace Collection
Required equipment:
  • Access Point
  • WireShark
Real Capture for wireless traffic capture can be configured on all access point models. 
  1. Identify the suspect Access Point in the Controller GUI interface
  2. Note that access point's IP from it's Static Configuration
  3. Go to the Advanced tab under AP Properties of the AP
  4. Set preferred duration of traffic capture (default is 300 seconds)
  5. Click Start 
  6. Open WireShark interface (1.6.x and higher) and click on Capture and then Options
  7. Change the interface tab to remote, then click "Add" ("+" button in lower left corner)
  8. Note the IP of the suspect AP as the host to be captured in the Host box (leave the port box blank or add 2002, does not matter)  Also note that the AP must be directly reachable from the PC running Wireshark.
  9. If you want to capture the wired port, make sure eth0 is checked off. If you want to capture the radio (air) that the test client is on, check off wifi0 for Radio 1, or wifi1 for Radio 2. You can only have 1 box checked off for the capture. To determine what radio the test client is on, please view and locate the test client in one of the reports on the wireless controller such as "Clients by VNS".
  10. Configure any other parameters desired, such as duration, filters or buffers
  11. Start the packet capture
  12. Begin the test packet transmission on the suspect device
  13. End the packet capture upon completion of transmission and save the trace for further analysis.

The capture on wifi0 and wifi1 will not include internally generated hardware packets by the capturing AP. The capturing AP will not report its own Beacons, Re-transmission, Acks and 11n Block Ack. If this information is needed, then the real capture should be done from a close-by second AP. Change that second AP's wireless channel to match the AP that is being troubleshot. Let it broadcast an SSID so the radios switch on but do not broadcast the same SSID you are troubleshooting so that clients do not connect to your second capturing AP.

In order to capture NULL and QOS_NULL packets with WireShark, do not set any Capture Filters and also disable "Do not capture own RPCAP traffic" in Remote Settings. In v1.12.3 or above this option should be used on wireless captures every time you take a trace. It is found by going to Capture --> Option --> Double Click Interface Row --> Remote Settings.

User-added image
 To view the image in a larger format, right mouse click on the image and select open in a new tab. 

Additional notes
Related Hub Thread:
If a Macbook or Macbook Air is handy, you can take promiscuous WiFi captures with an application called
How to capture wireless traces from a Macbook or MacAir




Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255