Real Capture for wireless traffic capture can be configured on all access point models.
Captures on wifi0 and wifi1 do not include packets generated internally by the capturing AP's own hardware: the capturing AP does not report its own Beacons, Re-transmissions, Acks or 11n Block Acks. If this information is needed, take the real capture from a second AP close by. Change that second AP's wireless channel to match the AP that is being troubleshot. Have it broadcast an SSID so that its radios switch on, but not the SSID you are troubleshooting, so that clients do not connect to the second, capturing AP.
- Identify the suspect Access Point in the Controller GUI interface
- Note that access point's IP from its Static Configuration
- Go to the Advanced tab under AP Properties of the AP
- Set preferred duration of traffic capture (default is 300 seconds)
- Click Start
- Open the Wireshark interface (1.6.x and higher), click Capture, then Options
- Change the interface tab to remote, then click "Add" ("+" button in lower left corner)
- Enter the IP of the suspect AP as the host to be captured in the Host box (leave the Port box blank or enter 2002; either works). The AP must be directly reachable from the PC running Wireshark.
- If you want to capture the wired port, make sure eth0 is checked. If you want to capture the radio (air) that the test client is on, check wifi0 for Radio 1, or wifi1 for Radio 2. Only 1 box can be checked for the capture. To determine which radio the test client is on, locate the test client in one of the reports on the wireless controller, such as "Clients by VNS".
- Configure any other parameters desired, such as duration, filters or buffers
- Start the packet capture
- Begin the test packet transmission on the suspect device
- End the packet capture upon completion of transmission and save the trace for further analysis.
To capture NULL and QOS_NULL packets with Wireshark, do not set any Capture Filters and also disable "Do not capture own RPCAP traffic" in Remote Settings. In v1.12.3 or above this option should be used on wireless captures every time you take a trace. It is found by going to Capture --> Options --> Double Click Interface Row --> Remote Settings.
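The steps above require the AP to be directly reachable from the Wireshark PC on port 2002. The following pre-flight check is an added example, not part of the original article or vendor tooling. The function names, the placeholder IP `192.0.2.10` and the failure hints are assumptions, as is the `rpcap://host:port/interface` form, which is libpcap's remote-capture naming and assumes a Wireshark build with remote capture support.

```python
import socket

RPCAP_PORT = 2002  # port given in the Host/Port step above
INTERFACES = {"eth0": "wired port", "wifi0": "Radio 1", "wifi1": "Radio 2"}


def capture_port_open(host, port=RPCAP_PORT, timeout=3.0):
    """Try a direct TCP connection from this PC to the AP's capture port.

    Returns (ok, detail). The hints in the failure messages are assumptions
    about likely causes, not documented AP behaviour.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "port open: AP is directly reachable"
    except ConnectionRefusedError:
        return False, "refused: was Start clicked, or has the capture duration expired?"
    except socket.timeout:
        return False, "timed out: check routing, NAT or firewalls between PC and AP"
    except OSError as exc:
        return False, f"unreachable: {exc}"


def remote_interface(host, iface, port=RPCAP_PORT):
    """Build the rpcap:// name for the single interface to capture."""
    if iface not in INTERFACES:
        raise ValueError(f"{iface!r} is not one of {sorted(INTERFACES)}")
    return f"rpcap://{host}:{port}/{iface}"


if __name__ == "__main__":
    ap_ip = "192.0.2.10"   # constructed placeholder: use the suspect AP's IP
    iface = "wifi0"        # Radio 1; only one interface per capture
    ok, detail = capture_port_open(ap_ip)
    print(f"{ap_ip}:{RPCAP_PORT} -> {detail}")
    if ok:
        print(f"capture {INTERFACES[iface]} as {remote_interface(ap_ip, iface)}")
```

Run it after clicking Start on the controller and before adding the remote interface in Wireshark.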