Tuesday, September 17, 2019


This blog will cover how we can run remote packet captures for WLAN through the Extreme Cloud IQ cloud management platform and CloudShark.

Extreme Cloud IQ supports native packet capture and is integrated with CloudShark. With that, we can initiate a packet capture for the WLAN connectivity and direct the resulting capture to our CloudShark account. All of this can be done through a web interface, which makes packet analysis and troubleshooting much easier than before.

In this testing, I have set up an AP managed by the Cloud IQ Platform. For the CloudShark part, I have already registered a CS Personal SaaS account:
 


After logging in to the CloudShark account, the first step is to go to Preference > API Tokens:

 
This should bring up a small window and we can copy the API Token. This token will later be entered in my Cloud IQ Platform:

Now we switch back to our Cloud IQ platform and go to Tools > Packet Capture. Here we enter the API token in the CloudShark API Token field:


From the access point list, we can select, based on location, the specific access points on which we would like to run the packet capture. For the interface, we can also choose which one to capture on: WiFi0, WiFi1 or Both. Generally, the radios in an Extreme Cloud AP operate concurrently in two frequency bands: radio 1 (WiFi0) generally operates at 2.4GHz and radio 2 (WiFi1) generally operates at 5GHz, unless the access point model you choose is a tri-band AP or one that supports software-configurable radios.





In this example, we choose to capture on both interfaces and click Start.







Once the packet capture is completed, the packet capture files will appear at the end of the page.


Click the CloudShark URL and it will take you to the CloudShark page where you can find your packet capture result.


CloudShark’s display filters are 100% compatible with the Wireshark filters used in packet analysis, so we do not need to learn a new set of filters.

 
During my packet capture, I had my client device authenticated and associated to my testing access point. I would like to understand from the packets whether the 4-way handshake has occurred. To secure the wireless transmissions between the client and the AP, the 4-way handshake exchanges 4 messages between an access point (authenticator) and the client device (supplicant) to generate the encryption keys used to encrypt the actual data sent over the wireless medium.


In the CloudShark packet capture, I can apply the filter “eapol” to isolate the EAPOL frames in which the four messages are exchanged during the 4-way handshake.
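
The same check can be scripted once the EAPOL frames are exported from the capture. The following is an added example, not part of the original post or of CloudShark or Extreme tooling: it classifies each EAPOL-Key frame as message 1 to 4 from its Key Information bits and reports whether a complete handshake was seen. It assumes WPA2 (RSN) and input that is the EAPOL payload only, with the 802.11 and LLC headers already stripped; `classify`, `handshake_complete`, `sample_frame` and the sample frames are constructed for illustration.

```python
import struct

# Key Information flag bits in an EAPOL-Key frame (IEEE 802.11 key descriptor)
PAIRWISE, INSTALL, ACK, MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200

def classify(frame: bytes):
    """Return (message_number, replay_counter) for a pairwise EAPOL-Key frame, else None."""
    if len(frame) < 17:
        return None
    # EAPOL header: version, type, length; then descriptor type, key info, key length, replay counter
    _ver, ptype, _len, _desc, info, _klen, replay = struct.unpack_from("!BBHBHHQ", frame)
    if ptype != 3 or not info & PAIRWISE:   # type 3 = EAPOL-Key; skip group-key frames
        return None
    if info & ACK and not info & MIC:
        return 1, replay
    if info & ACK and info & MIC and info & INSTALL:
        return 3, replay
    if info & MIC and not info & ACK:
        return (4 if info & SECURE else 2), replay   # Secure bit separates M4 from M2 (RSN)
    return None

def handshake_complete(frames):
    """True once messages 1-4 are seen in order, with M2 echoing M1's replay counter and M4 echoing M3's."""
    seen = {}
    for frame in frames:
        result = classify(frame)
        if result is None:
            continue
        msg, replay = result
        if msg == 1:                         # a new or retransmitted M1 restarts the exchange
            seen = {1: replay}
        elif msg == len(seen) + 1 and (msg == 3 or replay == seen[msg - 1]):
            seen[msg] = replay
            if msg == 4:
                return True
    return False

def sample_frame(info, replay, key_data=b""):
    """Constructed EAPOL-Key frame for the demo; nonce, IV, RSC, ID and MIC are zeroed."""
    body = struct.pack("!BHHQ", 2, info, 16, replay) + bytes(32 + 16 + 8 + 8 + 16)
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed WPA2 exchange: M1, M2 (carrying a minimal RSN element), M3, M4
SAMPLE = [sample_frame(0x008A, 1), sample_frame(0x010A, 1, b"\x30\x02\x01\x00"),
          sample_frame(0x13CA, 2), sample_frame(0x030A, 2)]

if __name__ == "__main__":
    print([classify(f)[0] for f in SAMPLE], handshake_complete(SAMPLE))
```

A capture that stops after messages 1 and 2 returns `False`, which is the pattern typically seen when the client's passphrase does not match the AP's.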




For each of the packet captures, we can also view the file info, tag it or share the public URL with others. Public files are viewable by anyone who knows the URL for the file; viewers do not need an account or a login.