Wireshark-users: [Wireshark-users] Remote Capture From A Cisco WAP371 - Packet Loss?

Date: Sun, 03 May 2015 13:18:58 +0100
Hi Wiresharkers,

I have a Cisco SmallBusiness WAP371 which supports Remote Packet Captures. I have observed that every time I perform a Remote Packet Capture in Wireshark 1.12.4 (x64) via this functionality there is packet loss.

However capturing from the same machine with a port mirror shows there to be no packet loss (see attached screen-shot).

The traffic will not exceed 40Mbps which should be fine for a 1Gbps network.

I've posted on the Cisco Support Forums (https://supportforums.cisco.com/discussion/12490711/wap371-firmware-v1123-packet-capture-missing-packets-and-2-other-bugs) but not received much yet, I will log a call with Cisco but I just wanted to check this wasn't something quirky in how Wireshark does Remote Captures (like a limitation in packet re-ordering etc) and/or ready in case they come back with "this is an application problem"?

I have additionally noticed a few quirks in the Remote Capture functionality within Wireshark:

1. When the WAP371 is *not* set to packet capture (i.e. "Stop Capture" is pressed in the web interface) and a user selects in Wireshark to capture on that interface again, Wireshark reports:
"The capture session could not be initiated on interface 'rpcap://[192.168.0.254]:2002/eth0' (Unknown error (pcap bug; actual error cause not reported))."

2. Every invocation of the remote packet capture causes an ambiguous error:
"Couldn't set the capture buffer size! The capture buffer size of 2 MiB seems to be too high for your machine, the default of 2 MiB will be used. Nonetheless, the capture is started."

3. Clicking "Stop Capture" on the WAP371 during a capture causes an error suggesting I report this to yourselves:
"Can't get packet-drop statistics: send(): An established connection was aborted by the software in your host machine. (code 10053). Please report this to the Wireshark developers. http://bugs.wireshark.org/ (This is not a crash; please do not report it as such.)"

4. The capture filters are completely ignored.. is that due to Wireshark (i.e. they will never work on remote interfaces) or the Cisco rpcapd implementation?

I presume these are both due to a dodgy implementation of rpcapd on the WAP371, but Wireshark should probably handle this better?

The WAP371 in itself is fantastic (I recommend it!), but the rpcapd implementation seems definitely wonky (it forgets to include radio0 and only shows radio1 out of the big list of remote capture interfaces supported).. and also allows a DoS of the whole device when you capture a wireless interface that you are also wirelessly performing a remote packet capture on. Along with also not supporting any remote capture password authentication when the device has remote capture enabled!

Thank you for your time (and great discussions on this list as always!),
Matthew

Attachment: PacketLoss.png
Description: PNG image