Packet captures on an HPE Aruba Networking Mobility Controller (MC) are a powerful troubleshooting and analysis tool, allowing administrators to capture and analyze network traffic at various levels (e.g., control plane or data plane). The MC supports packet captures for both wired and wireless traffic, which can be filtered based on criteria such as IP address, MAC address, or port.
Option A, "The security team believes that a wireless endpoint connected to the MC is launching an attack and wants to examine the traffic more closely," is correct. Packet captures are commonly used in security investigations to analyze the traffic of a specific endpoint suspected of malicious activity. For example, if a wireless client is suspected of launching an attack (e.g., a DoS attack or data exfiltration), a packet capture on the MC can capture the client’s traffic (filtered by MAC or IP address) for detailed analysis, helping the security team identify the nature of the attack.
Option B, "The company wants to use HPE Aruba Networking ClearPass Policy Manager (CPPM) to profile devices and needs to receive HTTP User-Agent strings from the MC," is incorrect. While CPPM can use HTTP User-Agent strings for device profiling, this is typically achieved by mirroring HTTP traffic to CPPM (e.g., using a datapath mirror on the MC), not by setting up a packet capture. Packet captures are for manual analysis, not for feeding data to CPPM.
Option C, "You want the MC to analyze wireless clients' traffic at a lower level, so that the AOS firewall can control Web traffic based on the destination URL," is incorrect. The AOS firewall on the MC can control traffic based on applications or services (e.g., using deep packet inspection, DPI), but it does not support URL-based filtering directly. URL filtering typically requires an external solution (e.g., a web proxy or firewall). Packet captures are not used to enable URL-based control by the firewall.
Option D, "You want the MC to analyze wireless clients' traffic at a lower level, so that the AOS firewall can control the traffic based on application," is incorrect. The AOS firewall can already perform application-based control using DPI (if enabled), without requiring a packet capture. Packet captures are for manual analysis, not for enabling firewall functionality.
The HPE Aruba Networking AOS-8 8.11 User Guide states:
"Packet captures on the Mobility Controller are useful for troubleshooting and security investigations. For example, if the security team suspects that a wireless endpoint is launching an attack, you can set up a packet capture on the MC’s data plane to capture the endpoint’s traffic. Use the command packet-capture datapath (e.g., filter by the client’s MAC address) to capture the traffic, which can then be analyzed to identify malicious activity." (Page 515, Packet Capture Section)
Additionally, the HPE Aruba Networking Security Guide notes:
"Packet captures are a critical tool for security teams to investigate potential attacks. By capturing traffic from a specific wireless client suspected of malicious behavior, administrators can analyze the packets to determine the nature of the attack, such as a DoS attack or unauthorized data exfiltration." (Page 65, Security Troubleshooting Section)
[References:, HPE Aruba Networking AOS-8 8.11 User Guide, Packet Capture Section, Page 515., HPE Aruba Networking Security Guide, Security Troubleshooting Section, Page 65.===========]
