Is there a way to use Wireshark and monitor a client from my admin PC?

  • Updated 3 years ago
All year long I've had Lenovo clients constantly losing 100% connectivity while still indicating they're on the wireless. Recently I've had Mac users as well with the same exact problem, and while the "client tool" monitor does give me a lot of information, it does not indicate that the client might have de-authenticated or roamed away. Also, granted, when I first got into this I had extremely high RF issues, but with a lot of troubleshooting I've minimized them significantly, to where I don't get calls anymore. My only problem is that these Lenovos, and now MacBooks, are having these strange issues while my other laptops and Chromebooks work flawlessly. In addition, please note that all our clients have the latest firmware for their wireless cards etc.

But back to the main topic: has anyone successfully packet-captured a client with Wireshark from a different device? I only know how to monitor with Wireshark if it's locally installed on their device.

Arison Mercado


Posted 3 years ago


Nick Lowe, Official Rep


Joel Brooks

The remote capture functionality is built into Wireshark. https://www.wireshark.org/docs/wsug_h...

Arison Mercado

Joel, thank you, but is there a way I can just monitor the user instead of the AP and its interfaces?

Nick Lowe, Official Rep

Use filters within Wireshark to drill down as you need to.

Nick Lowe, Official Rep

Further thoughts...

The issue with the Macs is almost certainly due to issues in OS X Yosemite that are sorted in the upcoming 10.10.4 release where DNS resolution fails catastrophically due to bugs in the resolver:

http://www.macrumors.com/2015/05/26/apple-discoveryd-replaced-with-mdnsresponder/

That has nothing directly to do with the wireless and a packet capture won't help with that.

The Lenovo issues are almost certainly due to bugs in the driver that is being used.

Think it's important not to link what are very likely to be fundamentally different issues.

Arison Mercado

Nick,

I actually have my very own AP230 at home and I encounter the same issues with my Mac, and I do not have Yosemite installed on it, so we can eliminate any RF issues as the problem. As for these Lenovos, they've actually worked with our older APs just fine but not so well with the Aerohive. That is why I'm looking to get more in-depth on why these devices are encountering these issues.

Nick Lowe, Official Rep

I strongly agree that a root cause analysis is the important thing to do where there is a problem. I just think you will find that the causes will be multifaceted, with different, independent issues resulting in similar symptoms. (That's why I said that I think that it's important not to link/conflate what are likely to be fundamentally different issues.)

I have seen the same symptoms with Macs. In those cases it turned out to be certificate validation issues with 802.1X and revocation, the DNS resolver issue in Yosemite or driver bugs in the older OS X releases with certain chipsets in their laptops.

There have also been issues in certain HiveOS releases but, usually, it turns out to be the client.

Matt Kopp

Arison, out of curiosity, which Lenovo clients? Specifically, are they using the Intel 7260-AC cards? If so, it's likely a client issue which is solved by the driver update to 17.15. Intel refused to acknowledge the issue, but it's a common issue.

Nick Lowe, Official Rep

The latest version does seem to resolve the worst of it with the 7260:

https://community.aerohive.com/aerohive/topics/intel_7260_ac_not_connecting?topic-reply-list%5Bsetti...

Nick Lowe, Official Rep


Eric

Back on the Wireshark questions: try going to http://www.wiresharktraining.com/. I went to one of their trainings and bought one of the books. Also, you can ask Wireshark questions to their experts at https://ask.wireshark.org/