Cisco Meraki Documentation

Packet Capture Overview


The packet capture utility can be used to observe live network traffic passed by Cisco Meraki devices. Since captures provide a live snapshot of traffic on the network, they can be immensely helpful in diagnosing and troubleshooting network issues. This article outlines how to remotely take a packet capture in Dashboard.

Cisco Meraki Support seeks prior written permission from a customer’s Organization Administrator or Network Administrator before initiating a packet capture on behalf of a customer.


Once a capture is complete, the data can only be accessed via the output selected. To ensure privacy and security, packet capture data is not stored in the Meraki cloud.

Only Organization-wide and Network-wide administrator accounts with full access can use the packet capture tool. Read-only and monitor-only network administrator accounts will not be able to access this tool.

Capturing on Each Product

The packet capture tool is available under Network-wide > Monitor > Packet Capture. An additional dropdown will then be available to select which type of device to perform the capture on:

Greenshot 2017-07-20 08.59.23.png

The following sections outline specific capture options for each product's capture utility.

Access Points

The following options are available for packet captures on Access points:

  • Access point: Select one or more access points to run the capture on.

If packet capture is set to be taken on "All Access Points" and the number of access points in the network (both online and offline) is larger than 100, the capture will fail. 

  • Capture type: Select the interface to run the capture on;
    • wired - captures wired/uplink traffic from one or more RJ45 ports on the Access point.
    • wireless - captures wireless traffic
    • LAN - on some access point models, such as the MR30H, you can capture traffic from four LAN access ports.
  • Output: Select how the capture should be displayed; view output or download .pcap.
  • Ignore: Optionally ignore capturing broadcast/multicast traffic.
  • Filter expressions: Apply a capture filter.

Access points allow packet captures on the wired or wireless interface. Captures on the wireless interface are useful for troubleshooting when clients have connectivity issues to the access point. Captures from the wired interface can offer insight into the access point's interaction with the LAN.

Note that packet captures taken on the wired interface of access points running MR 27.0+ firmware will not display 802.1q VLAN tags.

 

Access Point Tx Captures (Beta only)

Beginning with R30, users have the capability to perform bidirectional captures on Wi-Fi 6/6E Access points except MR45/55. This enables a user to obtain a comprehensive perspective of their access point captures and effectively handle certain issues related to the reordering of Tx packet captures. 

While doing a packet capture, incoming (Rx) packets are consistently delivered in the intended order. However, the same level of ordering is not guaranteed for outgoing (Tx) packets. Because Rx and Tx packets can follow distinct paths, delays may vary. As a result, the packet capture file's sequence numbers may vary from those in the over-the-air packet transmission due to the data plane processing of the access point and the inherent asynchronicity of the transmission.

The Tx Capture button ensures that these Tx packets are reordered into the correct sequence by using timestamp information and sequence numbers.

You can activate this feature by marking the checkbox displayed underneath:

Tx-Packet-Capture1.png

If the same network has Wi-Fi 5 Wave 2 or older access point models that do not support Tx Capture, a disclaimer message will indicate that not every AP supports Tx capture. The checkbox will be grayed out if an unsupported access point is selected.

Note: By default, client packet captures capture traffic sourced from the client. If a bidirectional (to and from) capture for a specific source and destination is required, use the filter wlan addr1 <MAC> or wlan addr2 <MAC>. Addr1 and Addr2 represent source and destination respectively.

Switches

The following options are available for packet captures on Switches:

  • Switch: Select the switch to run the capture on.

  • Switch ports: Select the switch port(s) to run the capture on.
  • Output: Select how the capture should be displayed; view output or download .pcap.
  • Verbosity: Select the level of detail for the packet capture (only available when viewing the output directly in Dashboard).
  • Ignore: Optionally ignore capturing broadcast/multicast traffic.
  • Filter expressions: Apply a capture filter.

A switch has the ability to run a packet capture on one or more switch ports at a time. Switch port mirroring can also be used for a longer duration capture. Please see this link for switch port mirroring configuration.

There is currently no capture size limit, besides a capture time of a maximum 60 seconds. Data is streamed live directly from the switch source interface(s) to the user's browser session (over HTTPS, 443). If there is more traffic being captured than the internet connection allows, the capture may be incomplete. In this case, a switch port mirror (span) is recommended.

Note that packet captures on access switch ports may show an 802.1q VLAN tag on ingress and egress traffic. This behavior is a consequence of how packet captures are performed on MS switches.

The Meraki MS120 and MS125 series switches do not support Dashboard-based packet captures on network switch ports connected to other Meraki MS switches within the same Dashboard Network.

WAN Appliances and Teleworker Gateways

The following options are available for packet captures on WAN appliances or Teleworker gateways:

  • Security appliances: The WAN appliance or Teleworker gateway the capture will run on.
  • Interface: Select the interface to run the capture on; the interface names will vary depending on the WAN appliance configuration. A few examples of interfaces you may see are:
    • Internet 1 or Internet 2 - Capture traffic on one active WAN uplink.  Internet 2 will only appear if there is a second WAN link.
    • LAN - Captures traffic from all LAN ports
    • Cellular - Captures cellular traffic from the integrated cellular interface.  This does not apply to USB modems.
    • Site-to-Site VPN - Captures AutoVPN traffic (WAN appliance/Teleworker gateway to WAN appliance/Teleworker gateway only).  This does not apply to Non-Meraki VPN peers.
  • Output: Select how the capture should be displayed; view output or download .pcap.
  • Verbosity: Select the level of detail for the packet capture (only available when viewing the output directly in Dashboard).
  • Ignore: Optionally ignore capturing broadcast/multicast traffic.
  • Filter expressions: Apply a capture filter.

The WAN appliance/Teleworker gateway allows users to capture on multiple different interfaces.  A capture on the site-to-site VPN interface will contain all Meraki site-to-site VPN traffic (it will not contain 3rd party VPN traffic).

NOTE: WAN Appliances and Teleworker Gateways cannot capture traffic that they switch between LAN clients; only routed traffic, or broadcast and multicast traffic that is flooded on the LAN will be visible.

Capturing on Multiple Interfaces

When troubleshooting problems on the network, it is important to try and isolate any hardware that is not handling traffic appropriately. Simultaneous packet captures on multiple ports are useful because they allow the user to see a more complete picture of how traffic is flowing.

This article explains how to capture traffic simultaneously on multiple interfaces of a Meraki device, and how to analyze that traffic to detect potential issues.

Capture Options

The dashboard provides users with multiple options when it comes to selecting which packets to capture and on which interface.  You can also select how to view the capture to review the data.

Note: When performing a packet capture, it is recommended to use the Output > Download .pcap file (for Wireshark) option and open the resulting raw capture in Wireshark. When using this option, the Verbosity option is not available, because all traffic/information is captured.

Note: When the option Output > Download .pcap file (for Wireshark) is selected, the capture will stop after 60 seconds if there is no traffic captured, regardless of the duration set.

View Output in Web Browser

If you select "View output below", Dashboard displays basic data about the ingress/egress packets on the selected interface. If more detail is needed, another output type should be selected.

Note: When selecting the option 'View output below,' the capture will stop after 20 seconds if there is no traffic captured, regardless of the duration set on the settings.

Verbosity level descriptions

When the option Output > View output below is chosen, the Verbosity option is used to determine how much detail should be output in the view below. These options correspond to the following flags in tcpdump.

 

  • Low -> (No flag): Provides basic information about the packet's source, destination, and type.
  • Medium -> -v: When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
  • High -> -vv: Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
  • Extra high -> -vvv: Even more verbose output. For example, telnet SB ... SE options are printed in full.
  • The whole ball of wax -> -X: When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. Note that use of this flag generates a great deal of output, and should only be used if needed.

 

Download .pcap

You can download a packet capture file to your local computer by selecting Download .pcap file (for Wireshark).  This file can then be opened with a program such as Wireshark seconds that can be specified for the capture length. With MR products, the maximum amount of packets captured is 100,000.

Additional information on how to filter and utilize the .pcap file can be found in the Wireshark Wiki.

Rolling Captures

A "Rolling Capture" is a capture which automatically saves the output to files at set intervals and can break up a large capture into multiple smaller files. This can be extremely useful when trying to run a long-term capture for troubleshooting intermittent troubles such as choppy audio on VOIP.

Best Way to Run Rolling Captures

For some issues, it may be necessary to perform port mirror or span port captures which run for long periods of time until the issue occurs. The goal is to run a capture and, once the issue surfaces, stop the packet capture. If a packet capture is run for a long time, 6 hours for example, the .pcap file will be too large for your computer to open, as captures larger than 100 MB become too difficult to open on some computers. To mitigate this, the capture can be set with several options that make it easier to manage.

What is the Ring Buffer

Ring Buffers can be set to ensure that you will not fill up all of the disk space on your device. It will start overwriting the oldest file based on how many files you specify. This does not have to be used, but it is useful to ensure you do not fill up your HDD.

Taking a Rolling Capture

  1. Open Wireshark.
  2. Click Capture Options.
  3. Uncheck "Enable promiscuous mode on all interfaces", check the "Promiscuous" option for your capture interface and select the interface.
  4. In the "Output" tab, click "Browse...".
  5. Enter a filename in the "Save As:" field and select a folder to save captures to. Click Save.
  6. Select "Create a new file automatically after..." and "Use a ring buffer with x files". This creates a maximum number of files, with each file set to the size or timeframe configured. For example, creating a new file automatically after 32 megabytes, with a ring buffer of 128 files, will provide 4 gigabytes of rolling captures.
  7. Click Start. This will take you to a new window that will show the packets that the device is picking up.
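
The same rolling capture can be started from a shell on a capture host that has no GUI, for example the machine attached to a switch port mirror. This is an added example, not part of the Meraki article: it assumes dumpcap (installed with Wireshark) is on the PATH, and the script name, function names, interface and output path are placeholders.

```shell
#!/bin/sh
# Added example (not from the Meraki article): the ring-buffer capture above, run
# with dumpcap instead of the Wireshark GUI. Function names are hypothetical.
# Usage: sh rolling_capture.sh <interface> <output file> <MB per file> <files>
#   e.g. sh rolling_capture.sh eth0 /captures/roll.pcapng 32 128

DUMPCAP=${DUMPCAP:-dumpcap}   # assumption: dumpcap (ships with Wireshark) is on PATH

# Worst-case disk use of the ring in MB: size of one file times number of files.
ring_total_mb() {
    echo $(( $1 * $2 ))
}

# Succeed only if the filesystem holding the output file can take the full ring.
ring_fits() {   # args: output_file mb_per_file files
    free_mb=$(df -Pk "$(dirname "$1")" 2>/dev/null | awk 'NR==2 {print int($4 / 1024)}')
    [ "${free_mb:-0}" -ge "$(ring_total_mb "$2" "$3")" ]
}

# Start the capture. "-b filesize:" takes kB, so megabytes are multiplied by 1000;
# "-b files:" is the ring length, after which the oldest file is overwritten.
start_ring_capture() {   # args: interface output_file mb_per_file files
    "$DUMPCAP" -i "$1" -w "$2" -b "filesize:$(( $3 * 1000 ))" -b "files:$4"
}

# Run only when all four arguments are given, so the functions can also be sourced.
if [ "$#" -eq 4 ]; then
    if ! ring_fits "$2" "$3" "$4"; then
        echo "not enough free space for $(ring_total_mb "$3" "$4") MB of captures" >&2
        exit 1
    fi
    start_ring_capture "$@"
fi
```

dumpcap appends a file number and timestamp to the output name for each file in the ring, so the files sort in capture order.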