
 

Cisco Meraki Documentation

Packet Capture Overview


 

The packet capture utility can be used to observe live network traffic passed by Cisco Meraki devices. Since captures provide a live snapshot of traffic on the network, they can be immensely helpful in diagnosing and troubleshooting network issues. This article outlines how to remotely take a packet capture in dashboard.

Meraki support seeks prior written permission from a customer’s organization administrator or network administrator before initiating a packet capture on behalf of a customer.

Once a capture is complete, the data can only be accessed via the output selected. To ensure privacy and security, traditional packet capture data is not stored in the Meraki cloud.

Only Organization-wide and Network-wide administrator accounts with full access can use the packet capture tool. Read-only and monitor-only network administrator accounts are unable to access this tool.


Packet Captures

Packet captures allow you to make copies of frames passing through a network device for inspection. This is useful for troubleshooting or forensic analysis. This section covers the traditional Meraki packet capture utility, which is currently available for MX and MS product lines under Network-wide > Monitor > Packet Capture. An additional dropdown will be available to select which type of device to perform the capture on, based on what is present in the network.


Capture Options

The packet capture tool provides users with multiple options when it comes to selecting which packets to capture and on which interface.  You can also select how to view the capture to review the data.

When performing a packet capture, it is recommended to use the Output > Download .pcap file (for Wireshark) option and open the resulting raw capture in Wireshark. When using this option, the Verbosity option is not available, because all traffic and information is captured.

When the Output > Download .pcap file (for Wireshark) option is selected, the capture will stop after 60 seconds if there is no traffic captured, regardless of the duration set.

View Output in a Web Browser

If you select View output below from the Output dropdown, it will display basic data about the ingress/egress packets on the selected interface. If more detail is needed, another Output option should be selected.

When the Output > View output below option is selected, the capture will stop after 20 seconds if no traffic is captured, regardless of the duration set.

Verbosity Level Descriptions

When the Output > View output below option is chosen, the Verbosity option is used to determine how much detail should be output in the view below. These options correspond to the following flags in tcpdump.

Low -> (No flag)

Provides basic information about the packet's source, destination, and type.

Medium -> -v

When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

High -> -vv

Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

Extra high -> -vvv

Even more verbose output. For example, telnet SB ... SE options are printed in full.

The whole ball of wax -> -X

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. Note that use of this flag generates a great deal of output, and should only be used if needed.

Download .pcap

You can download a packet capture file to your local computer by selecting Download .pcap file (for Wireshark). This file can then be opened with a program such as Wireshark seconds that can be specified for the capture length. With MR products, the maximum amount of packets captured is 100,000.

Additional information on how to filter and utilize the .pcap file can be found on the Wireshark Wiki.

WAN Appliances and Teleworker Gateways

The following options are available for packet captures on WAN appliances or Teleworker gateways:

  • Security appliances: The WAN appliance or Teleworker gateway the capture will run on.
  • Interface: Select the interface to run the capture on; the interface names will vary depending on the WAN appliance configuration. A few examples of interfaces you may see are:
    • Internet 1 or Internet 2 - Capture traffic on one active WAN uplink. Internet 2 will only appear if there is a second WAN link.
    • LAN - Captures traffic from all LAN ports
    • Cellular - Captures cellular traffic from the integrated cellular interface. This does not apply to USB modems.
    • Site-to-Site VPN - Captures AutoVPN traffic (WAN appliance/Teleworker gateway to WAN appliance/Teleworker gateway only). 
    • IPsec VPN - Captures from all Non-Meraki VPN traffic. 
  • Output: Select how the capture should be displayed; view output below or download .pcap.
  • Verbosity: Select the level of the packet capture (only available when view output below is selected as the Output option).
  • Ignore: Optionally ignore capturing broadcast/multicast traffic (only available when view output below is selected as the Output option).
  • Filter expressions: Apply a capture filter.

The WAN appliance/Teleworker gateway allows users to capture on multiple different interfaces.  A capture on the site-to-site VPN interface will contain all Meraki site-to-site VPN traffic (it will not contain 3rd party VPN traffic).

Similar to other products, a single packet capture is limited to 100,000 packets.

WAN Appliances and Teleworker Gateways cannot capture traffic that they switch between LAN clients; only routed traffic, or broadcast and multicast traffic that is flooded on the LAN will be visible.

Switches

This section covers traditional packet captures for switches. Intelligent capture for switches is available for devices running MS 17.1 or above and after enabling the Intelligent Capture feature from the Organization > Configure > Early Access page. Information about Intelligent Capture can be found in the Intelligent Capture section below.

The following options are available for packet captures on switches:

  • Switch: Select the switch to run the capture on.

  • Switch ports: Select the switch port(s) to run the capture on.

  • Output: Select how the capture should be displayed; view output below or download .pcap.

  • Verbosity: Select the level of the packet capture (only available when view output below is selected as the Output option).

  • Ignore: Optionally ignore capturing broadcast/multicast traffic (only available when view output below is selected as the Output option).

  • Filter expressions: Apply a capture filter.

A switch has the ability to run a packet capture on one or more switch ports at a time. Switch port mirroring can also be used for a longer duration capture. Packet Captures and Port Mirroring on the MS Switch contains more information about switch port mirroring configuration.

Without the 'Intelligent Capture' feature, a single packet capture is currently limited to 100,000 packets. Data is streamed live directly from the switch source interface(s) to the user's browser session (over HTTPS, 443). If there is more traffic being captured than the internet connection allows, the capture may be incomplete. In this case, a switch port mirror (span) is recommended.

Packet captures on access switch ports may show an 802.1q VLAN tag on ingress and egress traffic. This is a consequence of how packet captures are performed on Meraki MS switches.
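A check one might run on a downloaded .pcap before relying on it for analysis (an added example, not Meraki code): it walks the classic pcap record format and reports whether the file reached the 100,000-packet limit, ends mid-record, or contains 802.1Q-tagged frames. The function names and the constructed sample frames are assumptions of this example; files that are not classic pcap (for example pcapng) are rejected rather than parsed.

```python
import struct

PACKET_CAP = 100_000       # per-capture packet limit stated on this page
ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
LINKTYPE_ETHERNET = 1

LE_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec, little-endian
BE_MAGICS = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")  # usec / nsec, big-endian


def summarize_pcap(data, packet_cap=PACKET_CAP):
    """Walk a classic .pcap byte string and report completeness indicators."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] in LE_MAGICS:
        endian = "<"
    elif data[:4] in BE_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown format)")
    linktype = struct.unpack(endian + "I", data[20:24])[0] & 0x0FFFFFFF
    offset, count, tagged, sliced = 24, 0, 0, 0
    first_ts = last_ts = None
    file_truncated = False
    while offset < len(data):
        header = data[offset:offset + 16]
        if len(header) < 16:
            file_truncated = True       # partial record header at end of file
            break
        ts_sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", header)
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            file_truncated = True       # record body cut off mid-frame
            break
        offset += 16 + incl_len
        count += 1
        first_ts = ts_sec if first_ts is None else first_ts
        last_ts = ts_sec
        sliced += int(incl_len < orig_len)   # frame shortened by the snap length
        if linktype == LINKTYPE_ETHERNET and len(frame) >= 14:
            tagged += int(struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q)
    return {
        "packets": count,
        "duration_s": 0 if first_ts is None else last_ts - first_ts,
        "vlan_tagged": tagged,
        "snaplen_sliced": sliced,
        "file_truncated": file_truncated,
        "hit_packet_cap": count >= packet_cap,
    }


def build_sample_pcap():
    """Constructed input: three Ethernet frames, two carrying an 802.1Q tag."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    untagged = macs + b"\x08\x00" + b"\x00" * 46
    tagged = macs + b"\x81\x00" + b"\x00\x0a" + b"\x08\x00" + b"\x00" * 46
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in ((100, tagged), (103, untagged), (107, tagged)):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    print(summarize_pcap(build_sample_pcap()))
```

A result with `hit_packet_cap` or `file_truncated` set means the capture probably ended before the traffic of interest did, which is the case where the page recommends a switch port mirror instead.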

The Meraki MS120 and MS125 series switches do not support dashboard based packet captures on network switch ports connected to other MS switches within the same dashboard network.

Intelligent captures

Similarly to traditional packet captures, intelligent captures allow you to make copies of frames passing through a network device for inspection, which is useful for troubleshooting or forensic analysis. This section covers enhancements to previous versions of the Meraki packet capture utility provided by cloud-based packet capture (Intelligent capture).

Requirements and Limitations

Intelligent captures are currently supported for Meraki Switches and Access Points. Since the feature is currently in deployment, details are subject to change.

Requirements for Access Points:

  • Intelligent capture: MR 30 or above
  • Proactive PCAP: MR 31.1.3 or above using Wi-Fi 6/6e or newer access point models*
  • Manual packet capture for MR: MR 27 or above supporting Wi-Fi 5/6/6e or newer access point models*

*excluding Meraki MR45/55 model

Intelligent Captures are enabled by default for networks that match the requirements.

By default, Tx Packet capture is activated for all Intelligent Capture actions. If the network includes an AP running MR 29.x or lower firmware, Tx packet capture will be disabled.

 

Requirements for Switches:

  • Firmware version: MS 17.1 or above
  • Early Access: Organization > Configure > Early Access > Intelligent Capture feature must be enabled

 

The current limits of the 'Intelligent Capture' feature, such as duration, file size, and packet count, vary depending on the device and the selected output. These limits can be viewed by hovering over the '(i)' icon next to the 'Duration (secs)' field:

Limits of the intelligent packet capture

Capture Options

In addition to the already known View output below and Download options, which work the same way as in traditional packet captures, intelligent captures offer several new capture options:

Save to Cloud

This option saves packet captures to the Meraki dashboard for storage and later reference. You can find saved captures in the Stored Captures tab.

Quick View

This option allows you to review the capture details in your browser once the capture has completed. As with the other option, the capture will be saved to the cloud and will be available in the Stored Captures tab.

Managing Stored Captures

The Stored captures tab allows you to view, download, or delete previously stored captures. The table lists various details about the capture, including: 

  • Time of capture
  • File name
  • Device (and port for switches) the capture was performed on
  • The user that created the capture
  • Capture Status
  • Source
  • File size
  • Notes

There are a number of options to manage each capture:

  • Click on the file name of the capture to open the embedded viewer.
  • Click the capture options button at the far right of the capture entry to view, download a copy, or delete the capture.


This section also stores Proactive PCAPs for access points. The list shows the timestamp of the packet capture, the client that failed, and failure reason that triggered a Proactive PCAP on an access point. Users can also view and download any packet capture file by clicking the … option under the Action column and selecting View or Download. Clicking on the packet capture name will take you to the embedded viewer, as shown in the next section. 

Viewing Captures

Click on the file name under the Stored Captures tab to open the embedded viewer to view a capture. This viewer allows you to apply filters to quickly identify interesting frames, as well as select individual frames for detailed inspection.

Enter filter expressions into the filter field and the filter field background will turn light green for a valid expression, or light red when an invalid expression is entered. Once a valid filter expression is entered, click Apply to display in the frame list only the frames that match the filter. Click Clear to remove the filter and display all of the frames from the capture.

Wireshark's Display Filter webpage can be used to find filters to apply to packet captures. 

802.11 frames : A starter guide to learn wireless sniffer traces contains more information about what can be found in 802.11 captures, which can be useful when analyzing wireless packet captures. 

Expand or collapse the decoded frame info in the bottom left hand pane. Selecting a particular decoded field highlights the corresponding frame bytes in the bottom right hand pane. Click Ok to dismiss the viewer window.


 

Access Points

Intelligent capture for access points introduces a way to automate the packet capture process. Intelligent capture allows network engineers to initiate and retrieve packet captures on demand remotely. Intelligent capture is enabled and replaces the legacy Packet Capture. Customers can find it under Network-wide > Monitor > Intelligent Capture (replaces Packet Capture):


The sections below cover licensing requirements, manual captures and proactive PCAP features.

Licensing Requirements

The MR Enterprise (ENT) license allows storage of up to 10 capture files in the cloud. Each file can contain up to 100,000 packets. When the limit is reached and a new capture is taken, the older capture will be automatically deleted to ensure sufficient space.

 

The MR Advanced (MR-ADV) license is required to use the Proactive PCAP feature and to extend storage space in the cloud for manual captures to 4 GB. This license unlocks many advanced features, which includes automatically capturing network packets based on predefined triggers or conditions. This capability is crucial for proactive network monitoring and troubleshooting, allowing network administrators to preemptively address issues before they escalate into significant problems. See the MR License Guide for more details.

Creating a Capture

The Intelligent Capture page operates in a similar way to the familiar, traditional Packet Capture page for access points. Intelligent capture has not only been refreshed with new visuals and options but, most importantly, adds the ability to save packet capture files to the cloud. The packet capture file stored in the cloud is available to view, analyze and download for 90 days at no additional cost to the user. The Tx Packet capture function of the legacy Packet Capture feature is now enabled by default.

A manual packet capture on a Meraki access point can collect up to 100,000 packets.

A Stop capture button was added for the manual packet capture process in addition to the other new enhancements to the page. This allows for greater control and flexibility by allowing packet captures to be stopped at any time. As a result, capture duration can be more precisely managed and the process can be promptly ended as needed.

Proactive PCAP Enablement

MR Advanced license is required to use the Proactive PCAP feature. See Licensing Requirements for more information.

Navigate to the Proactive PCAP Enablement tab and select Enable the auto capture for some devices. You can choose to enable this feature on a per access point basis, by tag, or for all devices, as shown below:

This feature automatically generates packet captures in the event of either a client connection failure or a roaming issue. Users can access Proactive PCAP files whenever and wherever they are needed. Automated packet captures are limited to client association/authentication failures.

Retention Time for Proactive PCAP

Packet captures are retained for 7 days. During this period, network administrators can access, analyze, and download the captured packet data to gain insights into network performance and diagnose issues. After the 7-day retention period, the captured data is automatically purged to make room for new captures, ensuring efficient use of storage resources. Packet captures can be accessed from the Stored captures tab as explained in the section below.

Viewing Proactive PCAP

Automatic packet captures taken using the Proactive PCAP feature can be accessed from the Stored Capture tab on the Clients page, as shown below. To access this tab, go to the Network-wide > Monitor > Clients page and select the client you are troubleshooting from the list.

The file name for a Proactive PCAP is generated using the following components:

  • Client MAC Address: Identifies the client device.
  • Hash Value: Ensures uniqueness.
  • Failure Step: Indicates the process step where the failure occurred.
  • Failure Reason: Provides a brief description of the failure.

This systematic approach to file naming enhances the manageability and usability of captured packet data, allowing network administrators to efficiently diagnose and resolve network issues.

For example, imagine a Proactive PCAP is initiated because of an authentication timeout for a client device with the MAC address 00:1A:2B:3C:4D:5E. The hash value generated is "X1Y2Z3", the failure step is "Auth", and the failure reason is "Timeout". The resulting file name may look similar to this: 

00:1A:2B:3C:4D:5E_X1Y2Z3_Auth_Timeout

 

Use Assurance to view Proactive PCAP Taken for Clients

Navigate to Assurance > Analytics > Overview and in the clients section select Wireless. You will see a list of wireless client issues. Select a type of issue and you will see a list of clients affected by this failure type.

Select the client hyperlink under the Name column and it will take you to the client details page. This page will have Timeline and Stored Captures tabs. Select the Timeline tab.

The Timeline tab will display a comprehensive list of all events that have occurred for the selected client. The Timeline tab provides a detailed chronological record of the selected client's connectivity history, including any issues or anomalies that have been detected.

A Packet Capture filter option is available on this page. This filter allows you to refine the displayed events to only include those that have associated packet capture files gathered by Proactive PCAP.

Switches

Intelligent capture allows you to capture, store, view, and download captures directly in the Meraki dashboard. Start by navigating to the Network-wide > Monitor > Packet Capture page:


The sections below cover manual captures and scheduled captures features.

Creating a Capture

From the New capture tab, set the following parameters to take a packet capture:

  1. Choose the device you want to perform the capture and enter the port numbers where you want to perform the capture. You may specify ports as a comma separated list of ports or port ranges, for example: 1, 4, 5-30.

  2. Choose the output for the saved capture. Regardless of which option is selected, the capture will also be saved to the cloud for later reference. For more information, see the intelligent captures options section.

  3. Enter the duration to capture traffic in seconds, up to 300 (5 minutes).

  4. Enter filter expressions, if desired, to reduce the types of traffic that are captured.

    1. You can review examples of filter expressions by clicking on the View example filters link.

      1. Use the Copy link to optionally copy any of the sample expressions and paste into the capture filters field.

  5. Optionally override the automatically generated file name.

  6. Optionally add descriptive notes to attach to the capture.

  7. Once these options are configured as required, click the Start Capture button to begin the capture.


Click the Start capture button to begin the capture. A progress bar will appear while traffic is being captured, and you can click Cancel capture to stop the capture early. Captures that are canceled early are still saved to cloud.


Once the capture is finished, choose View capture or Download capture, create a new capture, or click See all captures to navigate to the Stored captures tab.

To protect critical network services when a switch is under heavy load, some frames may not be captured.

Capturing on Multiple Interfaces

When troubleshooting problems on the network, it is important to try and isolate any hardware that is not handling traffic appropriately. Simultaneous packet captures on multiple ports are useful because they allow the user to see a more complete picture of how traffic is flowing.

Capturing Traffic on Multiple Interfaces explains how to capture traffic simultaneously on multiple interfaces of a Meraki device and how to analyze that traffic to detect potential issues.

Rolling Captures

A "Rolling Capture" is a capture which automatically saves the output to files at set intervals and can break up a large capture into multiple smaller files. This can be extremely useful when trying to run a long-term capture for troubleshooting intermittent troubles, such as choppy audio on VOIP.

Using Wireshark for Packet Captures explains how to collect rolling captures with Wireshark. 

 
