August 27, 2013 Leave a comment
The packets don’t lie. Any CWAP will tell you that. They’re the foundation of what we do in networking and one of the most troublesome things to get your hands on at times. One of the most significant challenges is that you rarely get to capture the ‘radio view’ of your packets. It’s usually a conversation about getting close enough to a radio, or putting an adapter or radio into promiscuous or sniffer mode and listening to what you can hear – this has always seemed somewhat ‘best effort’ to me since there’s always a small chance you’re not listening at the time that a packet is on the air. Wouldn’t it be much better to just have a copy of the packets that hit your Access Points radio interface just copied off somewhere for you to explore at your leisure? That way you have an honest view of what the actual infrastructure is either sending or receiving. Well, that’s exactly what Motorola allows us to do with a superbly easy to use, yet very powerful feature of their Wi-NG 5 Operating System. Once you have a radio up in Wi-NG 5, you can telnet/SSH to the Access Point and use the service pktcap command to capture your packets – while servicing clients!
In order to explore this feature, we need to know what we want to capture (1 client, all packets, arp traffic, etc), how much we want to capture (x number of packets), what direction we want to capture the packets (inbound, outbound, both), and where we want to save the packets to (terminal buffer to look at them, tftp, tzsp, etc). There are far more features that I’m glossing over for the sake of brevity, but this short look should be enough to get even the newest person up to speed! In my example, I want to capture the next 100 packets of all traffic that comes into all radios and I want to save it off to a tftp server.
ap6521-E3BEF4#service pktcap on radio all count 100 direction any write tftp://192.168.3.10/motorola.cap Capturing up to 100 packets. Use Ctrl-C to abort. 100 ap6521-E3BEF4#
Let’s dissect this command:
service pktcap on radio all
This tells the Access Point to start a packet capture on all radio interfaces and is the first component of ‘where to capture’ the packets from. You would usually pick a singular radio by using the numeric index (1 through 1024) or just leave it at all for seeing all packets in the air.
This tells the packet capture service to capture the next 100 packets and can be 1 to 1000000 packets.
Tells the packet capture service to capture inbound, outbound, or packets in both direction (coming into or leaving the radio).
Tells the packet capture service to copy the capture file out to my tftp server (192.168.3.10 in this case – expect yours to be different) and what to name the file (motorola.cap in this case). You can followup this command with a filter keyword to select type of traffic, src, dst, and a whole host of other options to pare down your capture.
Once you’ve captured the file, get it off of your tftp server in whatever way pleases you best (I run samba on my tftp server and can do a direct network neighborhood browse for it) and double click it. If you have wireshark or OmniPeek installed, it should open up into the default view for the packet analyzer and start showing you packets!
In all, a very elegant way to get packets out of your Access Points. These are the packets of your clients and the ability to capture them live off of your infrastructure (similar to a wired span port) is an invaluable feature when troubleshooting.
Full disclosure: As a delegate for Wireless Field Day 4 and 5, Motorola gave me an AP6521 and an AP6522 without commitment to comment or blog. If you want to know more about the Motorola wireless portfolio, you should follow @MotWireless on twitter!