Wireshark mailing list archives

Remote Capture From A Cisco WAP371 - Packet Loss?


From: Matthew <matthew1471 () matthew1471 co uk>
Date: Sun, 03 May 2015 13:18:58 +0100

Hi Wiresharkers,

I have a Cisco SmallBusiness WAP371 which supports Remote Packet
Captures. I have observed that every time I perform a Remote Packet
Capture in Wireshark 1.12.4 (x64) via this functionality there is packet
loss.

However, capturing from the same machine with a port mirror shows there
to be no packet loss (see attached screen-shot).

The traffic will not exceed 40Mbps which should be fine for a 1Gbps network.

I've posted on the Cisco Support Forums
(https://supportforums.cisco.com/discussion/12490711/wap371-firmware-v1123-packet-capture-missing-packets-and-2-other-bugs)
but have not received much yet. I will log a call with Cisco, but I just
wanted to check this wasn't something quirky in how Wireshark does
Remote Captures (like a limitation in packet re-ordering etc.) and/or
be ready in case they come back with "this is an application problem".

I have additionally noticed a few quirks in the Remote Capture
functionality within Wireshark:

1. When the WAP371 is *not* set to packet capture (i.e. "Stop Capture"
is pressed in the web interface) and a user selects in Wireshark to
capture on that interface again, Wireshark reports:
/"The capture session could not be initiated on interface
'rpcap://[192.168.0.254]:2002/eth0' (Unknown error (pcap bug; actual
error cause not reported))."/

2. Every invocation of the remote packet capture causes an ambiguous error:
/"Couldn't set the capture buffer size! The capture buffer size of 2 MiB
seems to be too high for your machine, the default of 2 MiB will be
used. Nonetheless, the capture is started."/

3. Clicking "Stop Capture" on the WAP371 during a capture causes an
error suggesting I report this to yourselves:
/"Can't get packet-drop statistics: send(): An established connection
was aborted by the software in your host machine. (code 10053). Please
report this to the Wireshark developers. http://bugs.wireshark.org/
(This is not a crash; please do not report it as such.)"/

4. The capture filters are completely ignored. Is that due to Wireshark
(i.e. they will never work on remote interfaces) or the Cisco rpcapd
implementation?

I presume these are both due to a dodgy implementation of rpcapd on the
WAP371, but Wireshark should probably handle this better?

The WAP371 in itself is fantastic (I recommend it!), but the rpcapd
implementation seems definitely wonky (it forgets to include radio0 and
only shows radio1 out of the big list of remote capture interfaces
supported), and it also allows a DoS of the whole device when you capture
a wireless interface that you are also wirelessly performing a remote
packet capture on, along with not supporting any remote capture
password authentication when the device has remote capture enabled!

Thank you for your time (and great discussions on this list as always!),
Matthew

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users