Connecting the world…


AOS – WireShark: remote capture

AOS switches have the option to monitor / copy traffic from port A to port B. You also have the option to send the monitor traffic to a remote switch or even to a remote host. When the remote host is running WireShark, the monitored traffic can be analysed on the remote host.

First you need to configure the switch to send a copy of the traffic to a remote host. Use the following commands to create a monitor session to a remote host. In this case the switch is using IP adres with source port UDP/10999 and the remote host has IP adres

ASW-C01# conf t
ASW-C01(config)# monitor 
 mac                   MAC address.
ASW-C01(config)# mirror 
 endpoint              Remote mirroring destination configuration.
 <1-4>                 Mirror destination number.
ASW-C01(config)# mirror 1 
 name                  Mirroring destination name string.
 port                  Mirroring destination monitoring port.
 remote                Remote mirroring destination configuration.
ASW-C01(config)# mirror 1 remote 
 ip                    Remote mirroring destination configuration.
ASW-C01(config)# mirror 1 remote ip 
 IP-ADDR               Enter an IP address.
ASW-C01(config)# mirror 1 remote ip 
 <1-65535>             Remote mirroring UDP encapsulation port.
ASW-C01(config)# mirror 1 remote ip 10999 
 IP-ADDR               Remote mirroring UDP encapsulation destination ip addr.
ASW-C01(config)# mirror 1 remote ip 10999 
 truncation            Enable truncation for Remote mirroring.
ASW-C01(config)# mirror 1 remote ip 10999 
The destination switch must be configured before proceeding.

Has the remote switch been configured (y/n)? y

Next you need to configure the interface for which you would like to analyse the traffic.

ASW-C01(config)# int 4/3
ASW-C01(eth-4/3)# monitor 
 all                   Monitor all traffic.
ASW-C01(eth-4/3)# monitor all both 
 mirror                Mirror destination.
ASW-C01(eth-4/3)# monitor all both mirror 1 
 no-tag-added          Don’t add VLAN tag for this untagged-port
 <1-4>                 Mirror destination number.
ASW-C01(eth-4/3)# monitor all both mirror 1 

Traffic from port 4/3 is now send to the remote host. Now start WireShark on the remote host and create a capture filter to capture only packets for port UDP/10999.

WireShark displays packets like below, which are useless to analyse traffic. The packets are encoded as HP ERM packets.

So the final step is to decode the traffic. Just right click on a packet and choose the option “Decode As…”. You could also choose from the menu Analyze >> Decode As…

Change the column Current from (none) to HP_ERM from the drop down list and choose OK.

HP ERM, Hewlett-Packard Encapsulated Remote Mirror protocol is used by the HPE (Hewlett-Packard Enterprise) switches based on ProVision ASICs formerly of the ProCurve family, now branded under Aruba Networks, a Hewlett Packard Enterprise company. Unlike Cisco RSPAN, HP ERM encapsulates the frames to be mirrored inside UDP datagrams with a proprietary header, allowing it to be transported over any IP network (like Cisco ERSPAN)

Now the packets should be “readable” for traffic analysis.


The Early Deployment release software from ArubaOS has been released. I looked into the release notes and found some interesting new features.

  • Cellular Handoff Assist is Configurable Per Virtual AP: The cellular handoff assist feature can help a dual-mode, 3G/4G-capable Wi-Fi device such as an iPhone, iPad, or Android client at the edge of Wi-Fi network coverage switch from Wi-Fi to an alternate 3G/4G radio that provides better network access. This setting can now be applied to individual virtual APs via the WLAN virtual-ap profile.
  • Plug and Play 4G USB Modem: ArubaOS supports the USB modem Plug and Play. The controller auto-configures the 4G USB modem as soon as the user plugs in the modem into an AP or a RAP.
  • Support for Secondary AP Master: Starting from ArubaOS, seamless connectivity is provided even when the master controller fails, by allowing an access point to terminate on a secondary master controller.
  • Customizing Authentication Reply-Message to Captive Portal Users: ArubaOS introduces the support for customizing authentication Reply-Message to captive portal users in the log-in page for better user experience. The purpose behind the Reply-Message is to return appropriate information to the captive portal system.
  • Multi-Version Licensing: ArubaOS supports multi-version licensing, which allows centralized licensing clients to run a different version of the license than that of the primary and backup licensing servers. If a license is introduced in a newer version of ArubaOS, the primary and backup licensing servers set can still distribute licenses to licensing clients running an older version of ArubaOS, even if the licensing client does not recognize the newer license type.
  • Subscription-Based Web Content Classification License: ArubaOS introduces support for the Web Content Classification (WebCC) license; a subscription-based, per-AP license that supports web content classification features on an AP for the duration of the subscription period (up to 10 years per license).
  • NTP Standalone: NTP standalone feature enables an Aruba controller to act as an NTP server so that the devices that do not have access to Internet can synchronize their clocks. Enabling this feature eliminates the need to provision and maintain another virtual machine on the network.
  • Geo-Location Filtering: Starting from ArubaOS, to support IP-classification-based firewall, an IP reputation database containing a list of IP addresses with malicious activities is introduced. This helps in rejecting the traffic sent to or received from those IP addresses classified as malicious based on the policy configured. Using the geolocation IP database, the geographical location of the malicious IP address is also determined, and traffic is permitted or denied after scanning the geography-based rules configured by the administrator.
  • Wi-Fi Calling: ArubaOS supports Wi-Fi Calling in the controller. Wi-Fi calling service allows cellular users to make or receive calls using a Wi-Fi network instead of using the carrier’s cellular network.
  • Blocked Session: Starting from ArubaOS, a new tab called Blocked Sessions is added in the Traffic Analysis page. The Blocked Sessions tab displays WebCC and AppRF sessions which are blocked by access control list (ACL) through system logging or that blocked on the WebUI interface.

The release notes can be downloaded here.