Packet Capture Overview
The packet capture utility can be used to observe live network traffic passed by Cisco Meraki devices. Since captures provide a live snapshot of traffic on the network, they can be immensely helpful in diagnosing and troubleshooting network issues. This article outlines how to remotely take a packet capture in dashboard.
Meraki support seeks prior written permission from a customer’s organization administrator or network administrator before initiating a packet capture on behalf of a customer.
Once a capture is complete, the data can only be accessed via the output selected. To ensure privacy and security, traditional packet capture data is not stored in the Meraki cloud.
Only Organization-wide and Network-wide administrator accounts with full access can use the packet capture tool. Read-only and monitor-only network administrator accounts are unable to access this tool.
Capturing on Each Product
The packet capture tool is available under Network-wide > Monitor > Packet Capture. An additional dropdown will be available to select which type of device to perform the capture on, based on what is present in the network.
The following sections outline specific capture options for each product's capture utility.
Access Points
Intelligent Capture - MR
Feature in development - details are subject to change
Traditional packet capture methods typically involve extensive manual intervention by network engineering teams. Sessions will often be on-site and take significant time to capture relevant network traffic. The effectiveness of manual captures in isolating and identifying evidence of network anomalies is relatively expensive, especially when considering time and resource investment needed.
Intelligent capture for access points introduces a way to automate the packet capture process. Intelligent capture allows network engineers to initiate and retrieve packet captures on demand remotely. There are three main use cases for Intelligent capture for access points: manual captures, Proactive PCAP, and viewing stored captures.
Minimum Requirements to Enable Intelligent Capture - MR
- Intelligent capture - MR: MR 30 or above
- Proactive PCAP: MR 31 or above using Wi-Fi 6/6e or newer access point models*
- Manual packet capture for MR: MR 27 or above supporting Wi-Fi 5/6/6e or newer access point models*
*Excluding the Meraki MR45 and MR55 models.
Enable Intelligent Capture - MR
Intelligent capture can be enabled from the Organization > Configure > Early Access page, then selecting to opt-in to the Intelligent Capture - MR feature.
After the feature is enabled, navigate to Network-wide > Monitor > Intelligent Capture (replaces Packet Capture):
Manual Capture
The Intelligent Capture page operates the same way as the traditional Packet Capture page for access points. Intelligent capture has been refreshed with new visuals and options, which includes the ability to save packet capture files to the cloud. The packet capture file stored in the cloud is available to download for 90 days with no additional cost to the user.
A manual packet capture on a Meraki access point can collect up to 100,000 packets.
A Stop capture button was added for the manual packet capture process in addition to the other new enhancements to the page. This allows for greater control and flexibility by allowing packet captures to be stopped at any time. As a result, capture duration can be more precisely managed and the process can be promptly ended as needed.
Proactive PCAP Enablement
Navigate to the Proactive PCAP Enablement tab and select Enable the auto capture for some devices. You can choose to enable this feature on a per access point basis, by tag, or for all devices, as shown below:
This feature will automatically generate packet captures when any client connection or roaming failure situation occurs. Users can access Proactive PCAP files whenever and wherever they are needed. Automated packet captures are limited to client association/authentication failures.
Proactive PCAP License Requirement
An MR-ADV (Advanced) license is required to use the Proactive PCAP feature. This license unlocks many advanced features, including automatically capturing network packets based on predefined triggers or conditions. This capability is crucial for proactive network monitoring and troubleshooting, allowing network administrators to address issues before they escalate into significant problems.
Retention Time for Proactive PCAP
Packet captures are retained for 7 days. During this period, network administrators can access, analyze, and download the captured packet data to gain insights into network performance and diagnose issues. After the 7-day retention period, the captured data is automatically purged to make room for new captures, ensuring efficient use of storage resources. Packet captures can be accessed from the Stored captures tab as explained in the section below.
Stored Captures
This tab stores all packet captures, including both manual captures and Proactive PCAPs. The list shows the timestamp of the packet capture, the client that failed, and the failure reason that triggered a Proactive PCAP on an access point. Users can also view and download any packet capture file by clicking the … option under the Action column and selecting View or Download. Clicking on the packet capture name will take you to the embedded viewer, as shown in the next section.
Viewing Captures
Click on the file name under the Stored Captures tab to open the embedded viewer to view a capture. This viewer allows you to apply filters to quickly identify interesting frames, as well as select individual frames for detailed inspection.
Enter filter expressions into the filter field. Once you have entered a valid filter expression, click the Apply button to display frames that match the filter criteria in the frame list. Click the Clear button to remove the filter and display all frames from the capture.
Wireshark's Display Filter webpage can be used to find filters to apply to packet captures. The article 802.11 frames: A starter guide to learn wireless sniffer traces contains more information about what can be found in 802.11 captures.
You can expand or collapse the decoded frame information in the bottom left-hand pane. Selecting a specific decoded field will highlight the corresponding frame bytes in the bottom right-hand pane.
Automatic packet captures taken using the Proactive PCAP feature can be accessed from the Stored Capture tab on the Clients page, as shown below. To access this tab, go to the Network-wide > Monitor > Clients page and select the client you are troubleshooting from the list.
The file name for a Proactive PCAP is generated using the following components:
- Client MAC Address: Identifies the client device.
- Hash Value: Ensures uniqueness.
- Failure Step: Indicates the process step where the failure occurred.
- Failure Reason: Provides a brief description of the failure.
This systematic approach to file naming enhances the manageability and usability of captured packet data, allowing network administrators to efficiently diagnose and resolve network issues.
For example, imagine a Proactive PCAP is initiated because of an authentication timeout for a client device with the MAC address 00:1A:2B:3C:4D:5E. The hash value generated is "X1Y2Z3", the failure step is "Auth", and the failure reason is "Timeout". The resulting file name may look similar to this:
00:1A:2B:3C:4D:5E_X1Y2Z3_Auth_Timeout
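As an added example (not part of this article or of Meraki's tooling), a small parser for the Proactive PCAP naming scheme above, plus a triage helper that groups a listing of stored captures by client and failure. The file names, the ".pcap" extension handling, and the "Assoc"/"Rejected" values are constructed for the example; the real hash format and the set of failure steps and reasons are not documented here.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample listing following <client MAC>_<hash>_<failure step>_<failure reason>.
# Assumption: downloaded files may carry a .pcap extension; the last name is a non-matching file.
SAMPLE_FILES = [
    "00:1A:2B:3C:4D:5E_X1Y2Z3_Auth_Timeout",
    "00:1A:2B:3C:4D:5E_Q9W8E7_Auth_Timeout.pcap",
    "AA:BB:CC:DD:EE:01_K4J5H6_Assoc_Rejected.pcap",
    "not-a-proactive-pcap.pcap",
]

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


@dataclass(frozen=True)
class ProactivePcapName:
    client_mac: str
    hash_value: str
    failure_step: str
    failure_reason: str


def parse_proactive_pcap_name(name: str) -> ProactivePcapName:
    """Split a stored-capture file name into its four documented components."""
    stem = name[:-5] if name.lower().endswith(".pcap") else name
    # Split on at most three underscores so a reason containing "_" survives (assumption).
    parts = stem.split("_", 3)
    if len(parts) != 4:
        raise ValueError(f"{name!r}: expected MAC_hash_step_reason")
    mac, hash_value, step, reason = parts
    if not MAC_RE.match(mac):
        raise ValueError(f"{name!r}: {mac!r} is not a colon-separated MAC address")
    if not (hash_value and step and reason):
        raise ValueError(f"{name!r}: empty component")
    return ProactivePcapName(mac.upper(), hash_value, step, reason)


def triage(names):
    """Count captures per (client MAC, failure step, failure reason).

    Returns (counts, skipped); names that do not follow the scheme are skipped,
    not guessed at, so they can be reviewed by hand."""
    counts = Counter()
    skipped = []
    for name in names:
        try:
            p = parse_proactive_pcap_name(name)
        except ValueError:
            skipped.append(name)
            continue
        counts[(p.client_mac, p.failure_step, p.failure_reason)] += 1
    return counts, skipped


if __name__ == "__main__":
    counts, skipped = triage(SAMPLE_FILES)
    for key, n in counts.most_common():
        print(n, *key)
    print("skipped:", skipped)
```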
Use Assurance to View Proactive PCAP Taken for Clients
Navigate to Assurance > Analytics > Overview and in the clients section select Wireless. You will see a list of wireless client issues. Select a type of issue and you will see a list of clients affected by this failure type.
Select the client hyperlink under the Name column and it will take you to the client details page. This page will have Timeline and Stored Captures tabs. Select the Timeline tab.
The Timeline tab will display a comprehensive list of all events that have occurred for the selected client. The Timeline tab provides a detailed chronological record of the selected client's connectivity history, including any issues or anomalies that have been detected.
A Packet Capture filter option is available on this page. This filter allows you to refine the displayed events to only include those that have associated packet capture files gathered by Proactive PCAP.
Switches
The following options are available for packet captures on switches:
- Switch: Select the switch to run the capture on.
- Switch ports: Select the switch port(s) to run the capture on.
- Output: Select how the capture should be displayed; view output below or download .pcap.
- Verbosity: Select the level of the packet capture (only available when view output below is selected as the Output option).
- Ignore: Optionally ignore capturing broadcast/multicast traffic (only available when view output below is selected as the Output option).
- Filter expressions: Apply a capture filter.
A switch can run a packet capture on one or more switch ports at a time. Switch port mirroring can also be used for a longer-duration capture. The article Packet Captures and Port Mirroring on the MS Switch contains more information about switch port mirroring configuration.
There is currently no capture size limit, except a maximum capture time of 60 seconds. Data is streamed live directly from the switch source interface(s) to the user's browser session (over HTTPS, 443). If there is more traffic being captured than the internet connection allows, the capture may be incomplete. In this case, a switch port mirror (span) is recommended.
Intelligent capture for switches is available for devices running MS 17.1 or above and after enabling the Intelligent Capture feature from the Organization > Configure > Early Access page. Information about Intelligent capture can be found in the Intelligent Capture section below.
Packet captures on access switch ports may show an 802.1q VLAN tag on ingress and egress traffic. This is a consequence of how packet captures are performed on Meraki MS switches.
The Meraki MS120 and MS125 series switches do not support dashboard based packet captures on network switch ports connected to other MS switches within the same dashboard network.
WAN Appliances and Teleworker Gateways
The following options are available for packet captures on WAN appliances or Teleworker gateways:
- Security appliances: The WAN appliance or Teleworker gateway the capture will run on.
- Interface: Select the interface to run the capture on; the interface names will vary depending on the WAN appliance configuration. A few examples of interfaces you may see are:
  - Internet 1 or Internet 2: Captures traffic on one active WAN uplink. Internet 2 will only appear if there is a second WAN link.
  - LAN: Captures traffic from all LAN ports.
  - Cellular: Captures cellular traffic from the integrated cellular interface. This does not apply to USB modems.
  - Site-to-Site VPN: Captures AutoVPN traffic (WAN appliance/Teleworker gateway to WAN appliance/Teleworker gateway only). This does not apply to Non-Meraki VPN peers.
- Output: Select how the capture should be displayed; view output below or download .pcap.
- Verbosity: Select the level of the packet capture (only available when view output below is selected as the Output option).
- Ignore: Optionally ignore capturing broadcast/multicast traffic (only available when view output below is selected as the Output option).
- Filter expressions: Apply a capture filter.
The WAN appliance/Teleworker gateway allows users to capture on multiple different interfaces. A capture on the site-to-site VPN interface will contain all Meraki site-to-site VPN traffic (it will not contain 3rd party VPN traffic).
WAN Appliances and Teleworker Gateways cannot capture traffic that they switch between LAN clients; only routed traffic, or broadcast and multicast traffic that is flooded on the LAN will be visible.
Capturing on Multiple Interfaces
When troubleshooting problems on the network, it is important to try and isolate any hardware that is not handling traffic appropriately. Simultaneous packet captures on multiple ports are useful because they allow the user to see a more complete picture of how traffic is flowing.
Capturing Traffic on Multiple Interfaces explains how to capture traffic simultaneously on multiple interfaces of a Meraki device and how to analyze that traffic to detect potential issues.
Intelligent Capture
Feature in development - details are subject to change
Packet captures allow you to make copies of frames passing through a network device for inspection. This is useful for troubleshooting or forensic analysis. This article covers enhancements to previous versions of the Meraki packet capture utility provided by cloud-based packet capture (Intelligent capture).
Intelligent capture allows you to capture, store, view, and download captures directly in the Meraki dashboard. Start by navigating to the Network-wide > Monitor > Packet Capture page:
Creating a Capture
From the New capture tab, set the following parameters to take a packet capture:
- Choose the device you want to perform the capture on and enter the port numbers where you want to perform the capture. You may specify ports as a comma-separated list of ports or port ranges, for example: 1, 4, 5-30.
- Choose the output for the saved capture. Regardless of which option is selected, the capture will also be saved to the cloud for later reference.
  - Save to cloud: save to the Meraki dashboard for storage and later reference.
  - Download: download the capture to your workstation via your browser once the capture has completed.
  - Quick View: review the capture details in your browser once the capture has completed.
- Enter the duration to capture traffic in seconds, up to 300 (5 minutes).
- Enter filter expressions, if desired, to reduce the types of traffic that are captured.
  - You can review examples of filter expressions by clicking on the View example filters link.
  - Use the Copy link to optionally copy any of the sample expressions and paste them into the capture filters field.
- Optionally override the automatically generated file name.
- Optionally add descriptive notes to attach to the capture.
- Once these options are configured as required, click the Start Capture button to begin the capture.
Taking a Capture
Click the Start capture button to begin the capture. A progress bar will appear while traffic is being captured, and you can click Cancel capture to stop the capture early. Captures that are canceled early are still saved to cloud.
Once the capture is finished, choose View capture or Download capture, create a new capture, or click See all captures to navigate to the Stored captures tab.
To protect critical network services when a switch is under heavy load, some frames may not be captured.
Managing Stored Captures
The Stored captures tab allows you to view, download, or delete previously stored captures. The table lists various details about the capture, including:
- Time of capture
- File name
- Device and port the capture was performed on
- The user that created the capture
- Capture Status
- The output type
- Source
- File size
- Notes
There are a number of options to manage each capture:
- Click on the file name of the capture to open the embedded viewer.
- Click the capture options button at the far right of the capture entry to view, download a copy, or delete the capture.
Stored captures are retained for 90 days. After 90 days the capture files are automatically removed, while the capture entry remains in the list for historical reference. The View and Download buttons are unavailable for captures that have been removed.
Viewing Captures
Click on the file name of a capture on the Stored captures tab to open the embedded viewer. The viewer allows you to use filters to quickly identify interesting frames and select individual frames to inspect in detail.
Enter filter expressions into the filter field and the filter field background will turn light green for a valid expression, or light red when an invalid expression is entered. When entering protocol names such as ARP, ICMP, or STP, the viewer will search for and display matching protocols; click the displayed protocol name to auto complete the entry. Once a valid filter expression is entered, click Apply to display in the frame list only the frames that match the filter. Click Clear to remove the filter and display all of the frames from the capture.
Expand or collapse the decoded frame info in the bottom left hand pane. Selecting a particular decoded field highlights the corresponding frame bytes in the bottom right hand pane. Click Ok to dismiss the viewer window.
Capture Options
The dashboard provides users with multiple options when it comes to selecting which packets to capture and on which interface. You can also select how to view the capture to review the data.
When performing a packet capture, it is recommended to use the Output > Download .pcap file (for Wireshark) option and open the resulting raw capture in Wireshark. When using this option, the Verbosity option is not available, because all traffic and information is captured.
When the Output > Download .pcap file (for Wireshark) option is selected, the capture will stop after 60 seconds if there is no traffic captured, regardless of the duration set.
View Output in a Web Browser
If you select View output below from the Output dropdown, it will display basic data about the ingress/egress packets on the selected interface. If more detail is needed, another Output option should be selected.
When the Output > View output below option is selected, the capture will stop after 20 seconds if no traffic is captured, regardless of the duration set.
Verbosity Level Descriptions
When the Output > View output below option is chosen, the Verbosity option is used to determine how much detail should be output in the view below. These options correspond to the following flags in tcpdump.
- Low -> (no flag): Provides basic information about the packet's source, destination, and type.
- Medium -> -v: When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
- High -> -vv: Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
- Extra high -> -vvv: Even more verbose output. For example, telnet SB ... SE options are printed in full.
- The whole ball of wax -> -X: When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. Note that use of this flag generates a great deal of output, and should only be used if needed.
Download .pcap
You can download a packet capture file to your local computer by selecting Download .pcap file (for Wireshark). This file can then be opened with a program such as Wireshark. The capture length is specified as a number of seconds when the capture is started. With MR products, the maximum number of packets captured is 100,000.
Additional information on how to filter and utilize the .pcap file can be found on the Wireshark Wiki.
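As an added example (not code from this article or from Meraki), a small checker for a downloaded classic-format .pcap file. Because a dashboard capture stops early when no traffic is seen, and a capture that outruns the internet connection may be incomplete, it is worth confirming what a downloaded file actually holds: packet count, the time span covered, and whether any records were cut to the snapshot length. The sample bytes are constructed inline; pcapng files and nanosecond-timestamp pcaps are deliberately not handled.

```python
import struct
from dataclasses import dataclass

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic read from a big-endian file
LINKTYPE_ETHERNET = 1


@dataclass
class CaptureSummary:
    packets: int
    duration_s: float     # time between the first and last record
    truncated: int        # records whose saved bytes < bytes seen on the wire
    snaplen: int
    ended_early: bool     # heuristic: span is under 90% of the requested duration


def summarize_pcap(data: bytes, requested_duration_s: float) -> CaptureSummary:
    """Walk the file record by record; raise if a record is cut off mid-packet."""
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    snaplen = struct.unpack(end + "IHHiIII", data[:24])[5]
    off, first, last, count, truncated = 24, 0.0, 0.0, 0, 0
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError(f"record {count} is cut off: file ends mid-packet")
        off += incl_len
        ts = ts_sec + ts_usec / 1e6
        first = ts if count == 0 else first
        last = ts
        count += 1
        truncated += incl_len < orig_len   # frame was cut to snaplen
    duration = last - first if count else 0.0
    return CaptureSummary(count, duration, truncated, snaplen,
                          duration < 0.9 * requested_duration_s)


# --- constructed sample file, built inline so the checker runs offline ---
def _global_header(snaplen: int) -> bytes:
    return struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def _record(ts_sec: int, ts_usec: int, payload: bytes, orig_len: int = -1) -> bytes:
    orig_len = len(payload) if orig_len < 0 else orig_len
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), orig_len) + payload


SAMPLE_PCAP = (
    _global_header(snaplen=96)
    + _record(100, 0, b"\x00" * 60)
    + _record(100, 500000, b"\x00" * 60)
    + _record(130, 200000, b"\x00" * 96, orig_len=1500)   # 1500-byte frame cut to 96
)

if __name__ == "__main__":
    print(summarize_pcap(SAMPLE_PCAP, requested_duration_s=300))
```

A span far shorter than the requested duration with very few packets usually means the no-traffic timeout ended the capture; a nonzero truncated count means the stored frames are not complete copies.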
Rolling Captures
A "Rolling Capture" is a capture which automatically saves the output to files at set intervals and can break up a large capture into multiple smaller files. This can be extremely useful when running a long-term capture to troubleshoot intermittent problems, such as choppy audio on VoIP.
Best Way to Run Rolling Captures
For some issues, it may be necessary to run port mirror or SPAN port captures for long periods of time until the issue occurs. The goal is to run a capture and, once the issue surfaces, stop the packet capture. If a packet capture runs for a long time, say 6 hours, the .pcap file will be too large for your computer to open; captures larger than 100 MB become difficult to open on some computers. To avoid this, the capture can be configured with the options described below.
What is the Ring Buffer
A ring buffer ensures that a long-running capture does not fill up all of the disk space on the capture device: once the configured number of files has been written, the oldest file is overwritten. Using a ring buffer is optional, but it is a useful safeguard against exhausting your capture device's storage.
Taking a Rolling Capture
- Open Wireshark.
- Click Capture Options.
- Uncheck Enable promiscuous mode on all interfaces, check the Promiscuous option for your capture interface and select the interface.
- In the Output tab, click Browse....
- Enter a filename in the Save As: field and select a folder to save captures to. Click Save.
- Select Create a new file automatically after... and Use a ring buffer with x files. This creates a maximum of x number of files, with each file set to the size or timeframe configured. For example, creating a new file automatically after 32 megabytes, with a ring buffer of 128 files, will provide 4 gigabytes of rolling captures.
- Click Start. This will take you to a new window that will show the packets that the device is picking up.
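As an added example (not from this article or Wireshark's documentation), a helper that builds the dumpcap command line equivalent to the dialog steps above, so the same rolling capture can be started from a shell or a script on the capture host. Assumptions: dumpcap's "-b filesize:N" takes kilobytes and "-b files:N" sets the ring size; the interface name, output path and filter in the usage are placeholders.

```python
import shlex

KB = 1024  # dumpcap's -b filesize: value is in kB, not MB (assumption from the dumpcap man page)


def rolling_capture_argv(interface, outfile, file_mb=None, rotate_seconds=None,
                         ring_files=None, capture_filter=None):
    """Build dumpcap argv for a rolling capture.

    Rotate to a new file every file_mb megabytes and/or every rotate_seconds
    seconds; with ring_files set, keep only that many files and overwrite the
    oldest, which is the ring buffer configured in the Wireshark dialog."""
    if file_mb is None and rotate_seconds is None:
        raise ValueError("choose a size and/or a time interval to rotate on")
    argv = ["dumpcap", "-i", interface]   # promiscuous on the named interface by default
    if file_mb is not None:
        if file_mb <= 0:
            raise ValueError("file size must be positive")
        argv += ["-b", f"filesize:{file_mb * KB}"]   # convert MB to the kB dumpcap expects
    if rotate_seconds is not None:
        if rotate_seconds <= 0:
            raise ValueError("rotation interval must be positive")
        argv += ["-b", f"duration:{rotate_seconds}"]
    if ring_files is not None:
        if ring_files <= 0:
            raise ValueError("ring size must be positive")
        argv += ["-b", f"files:{ring_files}"]
    if capture_filter:
        argv += ["-f", capture_filter]   # BPF capture filter, same syntax as tcpdump
    return argv + ["-w", outfile]


def ring_disk_bytes(file_mb, ring_files):
    """Worst-case disk footprint of the ring: every slot full at the rotation size."""
    return file_mb * KB * KB * ring_files


def as_shell(argv):
    """Render argv as a copy-pasteable command with safe quoting."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Placeholder interface, path and filter; 32 MB x 128 files is the article's example.
    cmd = rolling_capture_argv("eth0", "/var/tmp/voip-rolling.pcapng",
                               file_mb=32, ring_files=128, capture_filter="udp portrange 16384-32767")
    print(as_shell(cmd))
    print("ring uses at most", ring_disk_bytes(32, 128) // KB ** 3, "GiB")
```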