
Packet Capture Overview


The packet capture utility can be used to observe live network traffic passed by Cisco Meraki devices. Since captures provide a live snapshot of traffic on the network, they can be immensely helpful in diagnosing and troubleshooting networking issues. This article outlines how to remotely take a packet capture in Dashboard.

Once a capture is complete, the data can only be accessed via the output selected. To ensure privacy and security, packet capture data is not stored in the Meraki cloud.

Capturing on Each Product

The packet capture tool is available under Network-wide > Monitor > Packet capture. An additional dropdown will then be available to select which type of device to perform the capture on.



The following sections outline specific capture options for each product's capture utility.

MR - Access points

The following options are available for a packet capture on the MR:

  • Access point: Select one or more MRs to run the capture on.
  • Capture type: Select the interface to run the capture on; wired or wireless.
  • Output: Select how the capture should be displayed; view output or download .pcap.
  • Ignore: Optionally ignore capturing broadcast/multicast traffic.
  • Filter expressions: Apply a capture filter.

The MR allows packet captures on its wired or wireless interface. Captures on the wireless interface are useful for troubleshooting cases where clients have trouble connecting to the access point. Captures from the wired interface can offer insight into the AP's interaction with the LAN.

MS - Switches

The following options are available for a packet capture on the MS:

  • Switch: Select the switch to run the capture on.
  • Ports: Select the port(s) to run the capture on.
  • Output: Select how the capture should be displayed; view output or download .pcap.
  • Verbosity: Select the level of the packet capture (only available when viewing the output directly in Dashboard).
  • Ignore: Optionally ignore capturing broadcast/multicast traffic.
  • Filter expressions: Apply a capture filter.

An MS switch has the ability to run a packet capture on one or more ports at a time. Port mirroring can also be used for a longer duration capture. Please see this link for port mirroring configuration.

There is currently no capture size limit; the only limit is a maximum capture time of 60 seconds. Data is streamed live directly from the switch source interface(s) to the user's browser session (over HTTPS, 443). If there is more traffic being captured than the internet connection allows, the capture may be incomplete. In this case, a port mirror (span) is recommended.

Note that packet captures on access ports may show an 802.1q VLAN tag on ingress traffic. This behavior is a feature of the packet capture utility on the MS switch.
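To see which VLAN tags actually appear in a downloaded capture from an MS port, the following added example (not Meraki code) counts frames per 802.1Q VLAN ID. It assumes the download is a classic .pcap file with Ethernet link type; the sample capture is constructed in the code, not real traffic.

```python
import struct
from collections import Counter

# First 4 bytes on disk -> struct byte order (micro- and nanosecond variants).
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
LINKTYPE_ETHERNET = 1
ETHERTYPE_8021Q = 0x8100


def vlan_ids(pcap_bytes):
    """Count frames per 802.1Q VLAN ID in a classic pcap; key None = untagged."""
    order = PCAP_MAGICS.get(pcap_bytes[:4])
    if order is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack_from(order + "I", pcap_bytes, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("link type %d is not Ethernet" % linktype)
    counts, off = Counter(), 24          # 24-byte global header
    while off + 16 <= len(pcap_bytes):   # 16-byte per-record header
        incl_len = struct.unpack_from(order + "I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:
            break                        # file cut off mid-record
        if len(frame) < 14:
            continue                     # too short for an Ethernet header
        # Ethernet fields are always big-endian, whatever the file byte order.
        ethertype = struct.unpack_from(">H", frame, 12)[0]
        if ethertype == ETHERTYPE_8021Q and len(frame) >= 16:
            tci = struct.unpack_from(">H", frame, 14)[0]
            counts[tci & 0x0FFF] += 1    # low 12 bits of the TCI = VLAN ID
        else:
            counts[None] += 1
    return counts


def make_record(frame):
    """Constructed pcap record: zero timestamp, nothing truncated."""
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


# Constructed sample capture (not real traffic): three minimal frames.
MACS = bytes(6) + bytes.fromhex("020000000001")       # dst + src MAC
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    + make_record(MACS + bytes.fromhex("8100000a0800") + bytes(46))  # VLAN 10
    + make_record(MACS + bytes.fromhex("810020140800") + bytes(46))  # PCP 1, VLAN 20
    + make_record(MACS + bytes.fromhex("0800") + bytes(46))          # untagged
)
```

Calling `vlan_ids(open(path, "rb").read())` on a downloaded file returns the same kind of per-VLAN tally; a capture cut short mid-record is counted up to the last complete frame.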

MX/Z1 - Appliances

The following options are available for a packet capture on the MX or Z1:

  • Appliance: The appliance the capture will run on.
  • Interface: Select the interface to run the capture on; the interface names will vary depending on the appliance configuration.
  • Output: Select how the capture should be displayed; view output or download .pcap.
  • Verbosity: Select the level of the packet capture (only available when viewing the output directly in Dashboard).
  • Ignore: Optionally ignore capturing broadcast/multicast traffic.
  • Filter expressions: Apply a capture filter.

The MX allows users to capture on multiple different interfaces.  A capture on the site-to-site VPN interface will contain all Meraki site-to-site VPN traffic (it will not contain 3rd party VPN traffic).

Capture Options

The dashboard provides users with multiple options when it comes to selecting which packets to capture and on which interface.  You can also select how to view the capture to review the data.

Note: When performing a packet capture, it is recommended to use the Output > Download .pcap file (for Wireshark) option and open the resulting raw capture in Wireshark. When using this option, the Verbosity option is not available, because all traffic/information is captured.

View Output in Web Browser

If you select "View output below", it displays basic data about the ingress/egress packets on the selected interface. If more detail is needed, another output type should be selected.

Download .pcap

You can download a packet capture file to your local computer by selecting Download .pcap file (for Wireshark). This file can then be opened with a program such as Wireshark. A duration of up to 60 seconds can be specified for the capture length. With MR products, the maximum number of packets captured is 5000.

 

Verbosity level descriptions

When the option Output > View output below is chosen, the Verbosity option is used to determine how much detail should be output in the view below. These options correspond to the following flags in tcpdump.

 

Low -> (No flag)

Provides basic information about the packet's source, destination, and type.

 

Medium -> -v

When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

 

High -> -vv

Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

 

Extra high -> -vvv

Even more verbose output. For example, telnet SB ... SE options are printed in full.

 

The whole ball of wax -> -X

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. Note that use of this flag generates a great deal of output, and should only be used if needed.

Packet Capture Logs

The packet capture page contains a link to a log of the packet captures that have been taken. The log will include the following: date, time, user name, e-mail address, output type, interface, and the filter expression (if any). Here is an example of log entries:

May 22 07:22 Example User <example.user@example.com> Raw pcap wan0 - 
May 22 07:19 Example User <example.user@example.com> Raw pcap wan0 - 
May 22 07:19 Example User <example.user@example.com> Raw pcap lan0 - 
May 22 07:19 Example User <example.user@example.com> Raw pcap lan0 - 
May 22 07:19 Example User <example.user@example.com> Raw pcap lan0 -
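For reviewing who ran captures and on which interface, the following added example (not Meraki code) parses entries in the layout shown above and lists captures taken without a filter expression. The field layout and the interface-name pattern are assumptions inferred from the sample entries, and the last sample line is constructed here to show an entry with a filter.

```python
import re
from collections import Counter

# Constructed sample: the first two lines follow the page's example entries;
# the last line is invented here to show an entry with a filter expression.
SAMPLE_LOG = """\
May 22 07:22 Example User <example.user@example.com> Raw pcap wan0 -
May 22 07:19 Example User <example.user@example.com> Raw pcap lan0 -
May 22 07:25 Other Admin <other.admin@example.com> Raw pcap wan0 host 192.0.2.10
"""

# Assumed layout: date, time, user name, <e-mail>, output type, interface, filter.
ENTRY_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<user>.+?) <(?P<email>[^<>\s]+@[^<>\s]+)> (?P<tail>.+)$"
)
# Assumption: interface names look like wan0 / lan0, as in the sample entries.
IFACE_RE = re.compile(r"^[a-z]+\d+$")


def parse_entry(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("tail").split()
    # The output type may be several words ("Raw pcap"); the interface is the
    # first token that looks like an interface name, the filter is the rest.
    idx = next((i for i, t in enumerate(tokens) if IFACE_RE.match(t)), None)
    if idx is None or idx == 0:
        return None
    filt = " ".join(tokens[idx + 1:])
    entry = m.groupdict()
    del entry["tail"]
    entry.update(output=" ".join(tokens[:idx]), interface=tokens[idx],
                 filter=None if filt in ("", "-") else filt)
    return entry


def audit(log_text):
    """Count captures per (e-mail, interface) and list the unfiltered ones."""
    entries, rejected = [], []
    for line in filter(str.strip, log_text.splitlines()):
        e = parse_entry(line)
        (entries if e else rejected).append(e or line)
    per_user = Counter((e["email"], e["interface"]) for e in entries)
    unfiltered = [e for e in entries if e["filter"] is None]
    return entries, per_user, unfiltered, rejected
```

Lines that do not match the assumed layout are returned in `rejected` rather than dropped, so a format difference shows up in review instead of silently shrinking the counts.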

Last modified
19:14, 19 Jul 2017


Article ID

ID: 2324
