The packet capture utility can be used to observe live network traffic passed by Cisco Meraki devices. Since captures provide a live snapshot of traffic on the network, they can be immensely helpful in diagnosing and troubleshooting networking issues. This article outlines how to remotely take a packet capture in Dashboard.
Once a capture is complete, the data can only be accessed via the output selected. To ensure privacy and security, packet capture data is not stored in the Meraki cloud.
The packet capture tool is available under Network-wide > Monitor > Packet capture. An additional dropdown will then be available to select which type of device to perform the capture on:
The following sections outline specific capture options for each product's capture utility.
The following options are available for a packet capture on the MR:
The MR allows packet captures on its wired or wireless interface. Captures on the wireless interface are useful for troubleshooting clients that have connectivity issues with the access point. Captures from the wired interface can offer insight into the AP's interaction with the LAN.
The following options are available for a packet capture on the MS:
An MS switch has the ability to run a packet capture on one or more ports at a time. Port mirroring can also be used for a longer duration capture. Please see this link for port mirroring configuration.
There is currently no capture size limit; the only limit is a maximum capture time of 60 seconds. Data is streamed live directly from the switch source interface(s) to the user's browser session (over HTTPS, port 443). If more traffic is being captured than the internet connection allows, the capture may be incomplete. In this case, a port mirror (span) is recommended.
The following options are available for a packet capture on the MX or Z1:
The MX allows users to capture on multiple different interfaces. A capture on the site-to-site VPN interface will contain all Meraki site-to-site VPN traffic (it will not contain 3rd party VPN traffic).
The dashboard provides users with multiple options when it comes to selecting which packets to capture and on which interface. You can also select how to view the capture to review the data.
Note: When performing a packet capture, it is recommended to use the Output > Download .pcap file (for Wireshark) option and open the resulting raw capture in Wireshark. When using this option, the Verbosity option is not available, because all traffic/information is captured.
If you select "View output below", it displays basic data about the ingress/egress packets on the selected interface. If more detail is needed, another output type should be selected.
You can download a packet capture file to your local computer by selecting Download .pcap file (for Wireshark). This file can then be opened with a program such as Wireshark. A duration of up to 60 seconds can be specified for the capture length. With MR products, the maximum number of packets captured is 5000.
When the option Output > View output below is chosen, the Verbosity option is used to determine how much detail should be output in the view below. These options correspond to the following flags in tcpdump.
Low -> (No flag)
Provides basic information about the packet's source, destination, and type.
Medium -> -v
When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
High -> -vv
Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
Extra high -> -vvv
Even more verbose output. For example, telnet SB ... SE options are printed in full.
The whole ball of wax -> -X
When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. Note that use of this flag generates a great deal of output, and should only be used if needed.
The packet capture page contains a link to a log of packet captures that have been taken. The log will include the following: date, time, user name, e-mail address, output type, interface, and the filter expression (if any). Here is an example of log entries:
May 22 07:22 Example User <email@example.com> Raw pcap wan0 -
May 22 07:19 Example User <firstname.lastname@example.org> Raw pcap wan0 -
May 22 07:19 Example User <email@example.com> Raw pcap lan0 -
May 22 07:19 Example User <firstname.lastname@example.org> Raw pcap lan0 -
May 22 07:19 Example User <email@example.com> Raw pcap lan0 -
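The following Python script is an added example, not part of the original article or any Meraki tooling. It parses entries in the layout shown above and reports per-user capture counts and captures taken without a filter expression, which helps when reviewing who has captured traffic. It assumes "Raw pcap" is the only multi-word output label and that the interface is a single token; the last two sample lines are constructed.

```python
import re
from collections import Counter

# Entry layout as shown in the log example on this page:
#   date time, user name, <e-mail>, output type, interface, filter ("-" = none)
# Assumptions: "Raw pcap" is the only output label the page shows, so any other
# label is treated as a single token; the interface is a single token.
ENTRY = re.compile(
    r"^(?P<when>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}) "
    r"(?P<user>.+?) <(?P<email>[^<>\s]+)> "
    r"(?P<output>Raw pcap|\S+) (?P<iface>\S+) (?P<filter>.+)$"
)

def parse_log(text):
    """Return (entries, rejected); rejected lines are kept for manual review."""
    entries, rejected = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            rejected.append(line)
    return entries, rejected

def unfiltered(entries):
    """Captures with no filter expression, i.e. all traffic on the interface."""
    return [e for e in entries if e["filter"] == "-"]

def captures_per_user(entries):
    """Count captures per (e-mail, interface) pair."""
    return Counter((e["email"], e["iface"]) for e in entries)

# First three lines come from the page's example; the last two are constructed.
SAMPLE = """\
May 22 07:22 Example User <email@example.com> Raw pcap wan0 -
May 22 07:19 Example User <firstname.lastname@example.org> Raw pcap wan0 -
May 22 07:19 Example User <email@example.com> Raw pcap lan0 -
May 22 07:25 Example User <email@example.com> Raw pcap lan0 host 192.0.2.10 and port 53
this line is not a log entry
"""

if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE)
    for (email, iface), n in sorted(captures_per_user(entries).items()):
        print(f"{email:35} {iface:5} {n}")
    print("unfiltered:", len(unfiltered(entries)), "rejected:", rejected)
```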