Does Aerohive support Air monitor mode?

In Aruba, you can configure an AP to function as an Air Monitor (sniff all WiFi packets in the air even if the AP is not the destination; the AP is also not visible to devices). Does Aerohive support this mode? I have an AP121 and I want to sniff packets locally in Air Monitor. Does anyone have any idea?

ahmed


Gary Smith, Official Rep


Hi Ahmed,

I took the following instruction from the Help Guide.

Remote Packet Sniffer

(This option is unavailable on Aerohive switches.) You can configure a device to accept connections from remote Wireshark packet sniffers to capture packets for troubleshooting network issues. The system from which you intend to perform packet sniffing must be running Windows and have Wireshark, a free packet analyzer, already installed. The following steps explain how to use HiveManager and the CLI to configure a device to permit packet sniffing, how to configure Wireshark to connect to the remote device to capture packets and then view the packet contents in detail.

Configuring the Device

Enter the following to configure a device to accept connection requests from a device running Wireshark:

  1. Click Configuration > All Devices > device > Utilities > Diagnostics > Remote Sniffer.

or

Click Monitor > All Devices > device > Utilities > Diagnostics > Remote Sniffer.


  2. In the Remote Sniffer dialog box that appears, enter the following, and then click Save:

Enable remote sniffer: (select)

User Name: Enter the same user name here that Wireshark submits when connecting to the device.

Password: Enter the same password that Wireshark submits when connecting to the device.

Port: Enter the port number on which the device listens for connection attempts from remote packet sniffers.

Sniffer Host Name/IP Address: Enter the IP address or domain name from which the device allows connections for packet sniffing.

Enable WiFi interfaces to operate in promiscuous mode when packet capturing: Select if you want the WiFi interfaces to operate in promiscuous mode during packet capturing. (When an interface operates in promiscuous mode, it processes all traffic it receives rather than only the frames addressed to it. Note that this increased level of processing will increase the CPU load and might negatively affect performance. By default, promiscuous mode is disabled.)


Configuring Wireshark

Enter the following to configure Wireshark so that it can connect to the device and begin packet sniffing:

  1. Click Start > All Programs > Wireshark > Capture > Options.
  2. In the Wireshark Capture Options dialog box that appears, enter the following, and then click Start:

Interface: Remote

In the Wireshark Remote Interface dialog box that appears, enter the following, and then click OK:

Host: Enter the IP address of the device.

Port: Enter the port number on which the device listens for remote sniffers to connect to it. This must be the same port number that you previously set on the device.

Password authentication: (select)

Username: Enter the user name that Wireshark submits when connecting to the device.

Password: Enter the password that Wireshark submits when connecting to the device.



Interface: From the interface drop-down list, choose the interface that you want to sniff:

rpcap://[<ip_addr>]:<port>/eth0sniffer

rpcap://[<ip_addr>]:<port>/eth1sniffer

rpcap://[<ip_addr>]:<port>/wifi0sniffer

rpcap://[<ip_addr>]:<port>/wifi1sniffer

  • Only the AP300 series has dual Ethernet interfaces and the AP110 can use only one wifi interface at a time.


  3. After you click Start, summaries of the captured packets begin appearing in the Wireshark packet list pane. Click a particular packet summary to view its contents in the packet details pane. You can then expand various sections of the packet to drill down to see contents of the selected section in detail.

Stopping Remote Packet Sniffing

To stop packet sniffing in Wireshark, click Capture > Stop.

To disable the support of remote packet sniffing on a device through HiveManager, do either of the following:

Click Configuration > All Devices > device > Utilities > Diagnostics > Remote Sniffer, clear Enable remote sniffer, and then click Save.

or

Click Monitor > All Devices > device > Utilities > Diagnostics > Remote Sniffer, clear Enable remote sniffer, and then click Save.


Kind Regards,
Gary Smith

ahmed

Thanks Gary for your fast reply. I have done the above steps, but the following appears when trying to connect with Wireshark:
"Can't get list of interfaces. The host is not in the allowed host list. Connection refused."

The following is my structure:
1- Aerohive AP with static IP 81.85.190.116, gateway 81.85.190.113, configured with remote sniffer as below:
exec capture remote-sniffer user <admin> <pass> host-allowed <81.85.190.120> local-port 5554 promiscuous
2- Router with static IP 81.85.190.113, start IP range 81.85.190.115, end IP range 81.85.190.200
3- Server with static IP 81.85.190.120, gateway 81.85.190.113, with Wireshark installed

Scenario:

Router connects Aerohive AP and Server

Wireshark side:

Host:81.85.190.116
Port:5554
username:admin
password:pass

After the above, the error message mentioned above resulted. Please help.

Andrew MacTaggart, Champ

Abby's Blog has some screen shots

http://blogs.aerohive.com/blog/the-wireless-lan-architecture-blog-2/innovative-wi-fi-how-to-do-packe...

From the Aerohive side you have to put the capture machine [Wireshark] IP.

If you [capture machine] are behind a firewall using NAT, your capture machine will need a static NAT entry as opposed to PAT.

Cheers
(Edited)
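
Added example (not part of the original thread and not Aerohive code): a pre-flight check for the capture host that parses the `exec capture remote-sniffer` line as it is written in this thread and compares `host-allowed` with the address the host will connect from. Function names are hypothetical, `host-allowed` is assumed to be an IP literal, and behind NAT the AP sees the translated address, which has to be passed in as `src`.

```python
import ipaddress
import socket

def parse_remote_sniffer(cmd):
    """Parse an 'exec capture remote-sniffer ...' line as written in this thread."""
    tok = cmd.replace("<", "").replace(">", "").split()  # drop <placeholder> brackets
    if tok[:3] != ["exec", "capture", "remote-sniffer"]:
        raise ValueError("not a remote-sniffer command")
    opts = {"user": None, "host_allowed": None, "port": None, "promiscuous": False}
    i = 3
    while i < len(tok):
        if tok[i] == "user":                      # user <name> <password>
            opts["user"], i = tok[i + 1], i + 3
        elif tok[i] == "host-allowed":            # assumption: an IP literal, not a name
            opts["host_allowed"], i = ipaddress.ip_address(tok[i + 1]), i + 2
        elif tok[i] == "local-port":
            opts["port"], i = int(tok[i + 1]), i + 2
        elif tok[i] == "promiscuous":
            opts["promiscuous"], i = True, i + 1
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
    return opts

def source_ip_toward(ap_ip, port):
    """Local address the OS would pick to reach the AP. connect() on a UDP
    socket only selects a route; nothing is transmitted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((str(ap_ip), port or 9))        # port value is irrelevant to routing
        return ipaddress.ip_address(s.getsockname()[0])

def preflight(cmd, ap_ip, src=None):
    """Return findings for a capture host about to open rpcap://[ap_ip]:port/."""
    o = parse_remote_sniffer(cmd)
    src = ipaddress.ip_address(src) if src else source_ip_toward(ap_ip, o["port"])
    findings = []
    if o["host_allowed"] is not None and src != o["host_allowed"]:
        findings.append(f"source {src} is not host-allowed {o['host_allowed']}")
    if o["user"] is not None:
        findings.append("credentials set: Wireshark must submit the same user/password")
    if o["promiscuous"]:
        findings.append("promiscuous capture: expect higher CPU load on the AP")
    return findings

if __name__ == "__main__":
    # Commands and AP/PC addresses are copied from the thread; 10.128.0.1 is a
    # constructed source address standing in for a translated (NAT) address.
    gary = "exec capture remote-sniffer host-allowed 10.128.4.56 local-port 5554 promiscuous"
    print(preflight(gary, "10.128.0.51", src="10.128.4.56"))
    print(preflight(gary, "10.128.0.51", src="10.128.0.1"))
```
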

ahmed

I have turned off the firewall on Win8, but the same error still appears. Can I check using the CLI that the connection is available? How can I debug, log or trace this problem? Please help.

ahmed

Answering your questions:
Wireshark version: 1.10.6
AP121: HiveOS 6.1r1
Can ssh to AP: Yes
The current situation:
I can ping from AP using CLI command to my server successfully and vice versa.
My question:
What is the correct setup for the AP and my server so that both are connected locally and the installed Wireshark can sniff from the AP?

ahmed

Dears,

I made a screenshot from the CLI with the "show interface" command. Does the radio interfaces list have any problems that prevent capturing with Wireshark?
(Edited)

ahmed

Please, I am waiting.

Gary Smith, Official Rep

Ahmed,

I just repeated my test. My setup is:

Wireshark - Version 1.6.3
PC - 10.128.4.56
AP - 10.128.0.51

AP CLI - exec capture remote-sniffer host-allowed 10.128.4.56 local-port 5554 promiscuous





If you have any issues with this setup I would try to use the same Wireshark version as what I have used in my test.

Kind Regards,
Gary Smith

ahmed

Thanks very much, Gary. Finally my problem is solved; the problem was regarding the authentication (user name & password). I think PuTTY sends an invalid password. After writing the command without user name & password, I can successfully capture packets.

Again, special thanks to you, Gary, for your fast and effective response.