Packet captures are required for network troubleshooting.
Packet captures are an important part of troubleshooting network issues, for example web pages or applications not loading, clients being unable to connect to an SSID, client packet loss, or clients unable to access hosts on the LAN or their default gateway. When captures are taken from multiple points in the physical network path, it is possible to use this data to narrow down the issue to a certain area of the network or network device where the loss or network failure is occurring.
Packet captures from an administrator may be required when troubleshooting a wireless network issue. This is especially common when the problem is intermittent and difficult to reproduce on demand. Administrators can use the Packet Capture feature in Dashboard and Wireshark to obtain the necessary captures when the issue occurs, then upload them to the Support Case.
Where in the network packet captures need to be taken:
When the network issues occur, packet captures should be taken from each point in the physical network path so packets can be tracked as they traverse different network segments. The key to successfully following the round trip of packets between the client machine and a host is getting the packet captures simultaneously. This can result in up to 6 separate capture files.
Note: If needed as part of a support case, Cisco Meraki Support can advise you in determining at which points in the network the captures should be taken.
Capture 1: A packet capture from the wireless network adapter of the affected wireless client showing all packets being transmitted and received. Wireshark, a free packet capture utility, can be downloaded to the client and used to obtain this capture. The resulting file from this capture should be named using the convention case-number_wireless_client. For example: 00001234_wireless_client.
Capture 2: A packet capture from the wireless interface of the AP the client is connected to, showing all packets being transmitted and received on the AP. This capture can be taken from Dashboard. The resulting file from this capture should be named using the convention case_wireless_ap. For example: 00001234_wireless_ap.
Capture 3: A packet capture from the wired interface of the AP showing all packets being transmitted and received on the AP's wired interface. This capture can be taken from Dashboard. The resulting file from this capture should be named using the convention case-number_wired_ap. For example: 00001234_wired_ap.
Capture 4: A packet capture from the switchport the AP is connected to showing packets flowing in and out of the switchport. A port mirror can be used to obtain this capture. The resulting file from this capture should be named using the convention case-number_switchport. For example: 00001234_switchport.
Capture 5: A packet capture from the host the client is trying to access, showing packets being sent and received. A port mirror or Wireshark installed on the host can be used to obtain this capture. The resulting file from this capture should be named using the convention case-number_host. For example: 00001234_host.
Capture 6: If a customer-hosted RADIUS server is being used, a packet capture showing incoming and outgoing RADIUS messages on the RADIUS server needs to be obtained. The resulting file from this capture should be named using the convention case-number_radius_server-ip. For example: 00001234_radius_188.8.131.52.
In order to get these captures simultaneously, start by capturing on the client device, remote host, port mirror and/or RADIUS server first, since a Dashboard capture can only be 60 seconds or 5000 frames. Once those captures are running, generate some traffic from the client and start the other captures in the Dashboard.
Below are the basic steps to get packet captures from each point in the network. For more information about the Dashboard Packet Capture feature see Packet Capture Overview.
Getting a capture from the client, a device connected to a port mirror or destination host:
- Download and install Wireshark on the affected client.
- Launch Wireshark.
- Find the Capture section.
- Start a capture on the correct network interface as shown below.
- Stop the capture when finished.
- Save the capture file with the correct file name.
Wired host or port mirror host:
Getting a capture from both interfaces of the AP simultaneously:
- Launch 2 browser windows side by side or stacked.
- Log in to Dashboard in both browsers.
- Navigate to the Network-wide > Monitor > Packet Capture page in both browsers.
- Select the AP the client is connected to in the Access point drop-down in both browsers.
- In one browser the Capture type will be wireless; in the other, the Capture type will be wired.
- The Output should be "Download pcap file" in both browsers.
- Obtain the captures simultaneously by clicking the Start capture button at the same time in both browsers.
- Once the captures are finished, you will need to save them. Make sure to name them based on the conventions indicated earlier.
Sharing packet captures with support:
Each packet capture file should have a file name that contains the case number and where the file was taken. Once each capture is saved, place them into a zip folder and upload them to the case in Dashboard. This can be done under Help > Cases. Click on the case, then use the Upload files button in the Files section. Please note the upload feature only accepts files 5MB or less. If the zip folder is too large, each file will need to be uploaded separately. Alternatively, Cisco Meraki Support can also accept links to other sharing mechanisms, such as Dropbox.
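The naming and upload rules above can be checked before the files are attached to the case. The following is an added example, not Meraki tooling: it validates each file name against the case-number_location convention, builds the zip, and falls back to separate uploads when the zip is over the limit. The function names, the archive name, the optional .pcap/.pcapng extension, and the reading of "5MB" as 5 * 1024 * 1024 bytes are assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: "5MB" is read as 5 * 1024 * 1024 bytes; the page gives no exact figure.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# case-number_<capture point>, optionally followed by .pcap / .pcapng
NAME_RE = re.compile(
    r"(?P<case>\d+)_(?P<point>wireless_client|wireless_ap|wired_ap|switchport|"
    r"host|radius_(?:\d{1,3}\.){3}\d{1,3})(?:\.pcap(?:ng)?)?"
)


def capture_point(filename, case_number):
    """Return the capture point encoded in a correctly named file, else None."""
    m = NAME_RE.fullmatch(Path(filename).name)
    if m is None or m.group("case") != case_number:
        return None
    return m.group("point")


def plan_upload(paths, case_number, out_dir, limit=MAX_UPLOAD_BYTES):
    """Zip the captures; if the zip exceeds the limit, plan separate uploads."""
    paths = [Path(p) for p in paths]
    misnamed = [p.name for p in paths if capture_point(p, case_number) is None]
    if misnamed:
        raise ValueError(f"rename before upload: {misnamed}")
    archive = Path(out_dir) / f"{case_number}_captures.zip"  # hypothetical name
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            zf.write(p, arcname=p.name)
    if archive.stat().st_size <= limit:
        return {"upload": [archive.name], "share_by_link": []}
    archive.unlink()  # zip too large: each file is uploaded on its own
    big = [p.name for p in paths if p.stat().st_size > limit]
    return {"upload": [p.name for p in paths if p.name not in big],
            "share_by_link": big}


if __name__ == "__main__":
    # Constructed sample files standing in for real captures.
    with tempfile.TemporaryDirectory() as d:
        names = ["00001234_wireless_client.pcapng", "00001234_wired_ap.pcap"]
        for n in names:
            (Path(d) / n).write_bytes(b"\x00" * 1024)
        print(plan_upload([Path(d) / n for n in names], "00001234", d))
```

Files listed under `share_by_link` are individually over the limit and cannot go through the Upload files button, so they fall to the link-sharing alternative described above.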
Required information for analyzing packet captures:
In order to analyze traffic that is specific to the problem, please provide the following in the Interactions section of the case. This can be done under Help > Cases. Click on the case, then use the Add a new comment button in the Interactions section.
- MAC Address or serial number of the AP
- MAC address of the affected client
- SSID the affected client is connecting to
- IP address or MAC address of the destination host
- IP address of the RADIUS server