I'm trying to configure Wireshark to capture bi-directional client traffic of a single wireless client only. The IP address is 10.10.10.14 on VLAN 1. Since I can't apply filters to the CAPWAP interface, I chose VLAN 1, with the following base commands.
- monitor capture MCAP interface VLAN1 both
- monitor capture MCAP file location usbflash:mcap.pcap buffer-size 1
- monitor capture MCAP limit duration 120
If I configure "monitor capture MCAP match ipv4 any any" I get too much information. If I use "monitor capture MCAP match ipv4 host 10.10.10.14 any" I get packets transmitted by 10.10.10.14, but not the responses.
Is there a way to accomplish this, or do I need to use Wireshark to filter unwanted packets? If this were a busy AP, this could result in a very large capture file. Thanks for the help.