
Packet Capture Overview

The packet capture utility can be used to observe live network traffic passed by Cisco Meraki devices. Since captures provide a live snapshot of traffic on the network, they can be immensely helpful in diagnosing and troubleshooting network issues. This article outlines how to remotely take a packet capture in Dashboard.

Once a capture is complete, the data can only be accessed via the output selected. To ensure privacy and security, packet capture data is not stored in the Meraki cloud.

Capturing on Each Product

The packet capture tool is available under Network-wide > Monitor > Packet Capture. An additional dropdown is then available to select which type of device to perform the capture on.



The following sections outline specific capture options for each product's capture utility.

MR - Access points

The following options are available for a packet capture on the MR:

  • Access point: Select one or more MRs to run the capture on.
  • Capture type: Select the interface to run the capture on; wired or wireless.
  • Output: Select how the capture should be displayed; view output or download .pcap.
  • Ignore: Optionally ignore capturing broadcast/multicast traffic.
  • Filter expressions: Apply a capture filter.

The MR allows packet captures on its wired or wireless interface. Captures on the wireless interface are useful for troubleshooting when clients have connectivity issues with the access point. Captures from the wired interface can offer insight into the AP's interaction with the LAN.

MS - Switches

The following options are available for a packet capture on the MS:

  • Switch: Select the switch to run the capture on.
  • Ports: Select the port(s) to run the capture on.
  • Output: Select how the capture should be displayed; view output or download .pcap.
  • Verbosity: Select the level of the packet capture (only available when viewing the output directly in Dashboard).
  • Ignore: Optionally ignore capturing broadcast/multicast traffic.
  • Filter expressions: Apply a capture filter.

An MS switch has the ability to run a packet capture on one or more ports at a time. Port mirroring can also be used for a longer duration capture. Please see this link for port mirroring configuration.

There is currently no capture size limit, but the capture time is limited to a maximum of 60 seconds. Data is streamed live directly from the switch source interface(s) to the user's browser session (over HTTPS, 443). If more traffic is being captured than the internet connection allows, the capture may be incomplete. In this case, a port mirror (span) is recommended.

Note that packet captures on access ports may show an 802.1q VLAN tag on ingress traffic. This behavior is a feature of the packet capture utility on the MS switch.
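To check a downloaded capture for the 802.1q tags described above without opening Wireshark, the following added example (not part of the original article or of any Meraki tooling) counts frames per VLAN ID. It assumes the download is a classic .pcap file (not pcapng) with an Ethernet link type; the sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

# Classic pcap magic numbers as stored on disk -> struct byte-order prefix.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond stamps
}
LINKTYPE_ETHERNET = 1
ETHERTYPE_8021Q = 0x8100

def vlan_summary(pcap_bytes):
    """Map VLAN ID (None for untagged frames) to the number of frames seen."""
    if len(pcap_bytes) < 24 or pcap_bytes[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian = PCAP_MAGICS[pcap_bytes[:4]]
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0] & 0xFFFF
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    counts, offset = Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        # Per-record header: ts_sec, ts_frac, captured length, original length.
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])[2]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # final record was cut short
        offset += 16 + incl_len
        if len(frame) < 14:
            continue  # too short to hold an Ethernet header
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_8021Q:
            if len(frame) >= 16:
                # The low 12 bits of the Tag Control Information are the VLAN ID.
                counts[struct.unpack("!H", frame[14:16])[0] & 0x0FFF] += 1
        else:
            counts[None] += 1
    return counts

def sample_pcap():
    """Constructed sample: two frames tagged VLAN 10 and one untagged frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    macs = bytes.fromhex("ffffffffffff020000000001")
    tagged = macs + struct.pack("!HHH", ETHERTYPE_8021Q, 10, 0x0800) + b"\x00" * 46
    untagged = macs + struct.pack("!H", 0x0800) + b"\x00" * 46
    for frame in (tagged, untagged, tagged):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(dict(vlan_summary(sample_pcap())))
```

To run it against a real download, pass the file contents, for example `vlan_summary(open("capture.pcap", "rb").read())`, where `capture.pcap` is a placeholder filename.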

MX/Z1 - Appliances

The following options are available for a packet capture on the MX or Z1:

  • Appliance: The appliance the capture will run on.
  • Interface: Select the interface to run the capture on; the interface names will vary depending on the appliance configuration.
  • Output: Select how the capture should be displayed; view output or download .pcap.
  • Verbosity: Select the level of the packet capture (only available when viewing the output directly in Dashboard).
  • Ignore: Optionally ignore capturing broadcast/multicast traffic.
  • Filter expressions: Apply a capture filter.

The MX allows users to capture on multiple different interfaces.  A capture on the site-to-site VPN interface will contain all Meraki site-to-site VPN traffic (it will not contain 3rd party VPN traffic).

Capturing on Multiple Interfaces

When troubleshooting problems on the network, it is important to try and isolate any hardware that is not handling traffic appropriately. Simultaneous packet captures on multiple ports are useful because they allow the user to see a more complete picture of how traffic is flowing.

This article explains how to capture traffic simultaneously on multiple interfaces of a Meraki device, and how to analyze that traffic to detect potential issues.

Capture Options

The dashboard provides users with multiple options when it comes to selecting which packets to capture and on which interface.  You can also select how to view the capture to review the data.

Note: When performing a packet capture, it is recommended to use the Output > Download .pcap file (for Wireshark) option and open the resulting raw capture in Wireshark. When using this option, the Verbosity option is not available, because all traffic/information is captured.

View Output in Web Browser

If you select "View output below", it displays basic data about the ingress/egress packets on the selected interface. If more detail is needed, another output type should be selected.

Note: When selecting the option 'View output below,' the capture will stop after 20 seconds if there is no traffic captured, regardless of the duration set in the settings.

Verbosity level descriptions

When the option Output > View output below is chosen, the Verbosity option is used to determine how much detail should be output in the view below. These options correspond to the following flags in tcpdump.

 

  • Low -> (No flag): Provides basic information about the packet's source, destination, and type.
  • Medium -> -v: When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
  • High -> -vv: Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
  • Extra high -> -vvv: Even more verbose output. For example, telnet SB ... SE options are printed in full.
  • The whole ball of wax -> -X: When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. Note that use of this flag generates a great deal of output, and should only be used if needed.

 

Download .pcap

You can download a packet capture file to your local computer by selecting Download .pcap file (for Wireshark). This file can then be opened with a program such as Wireshark. A duration of up to 60 seconds can be specified for the capture length. With MR products, the maximum number of packets captured is 5000.

Additional information on how to filter and utilize the .pcap file can be found in the Wireshark Wiki.

Rolling Captures

A "Rolling Capture" is a capture that automatically saves its output to files at set intervals, breaking up a large capture into multiple smaller files. This can be extremely useful when running a long-term capture to troubleshoot intermittent problems such as choppy audio on VoIP.

Best Way to Run Rolling Captures

For some issues, it may be necessary to run port mirror or span port captures for long periods of time until the issue occurs. The goal is to run a capture and stop it once the issue surfaces. If a packet capture is run for a long duration, 6 hours for example, the .pcap file will be too large for your computer to open, as captures larger than 100 MB become too difficult to open on some computers. To mitigate this, the capture can be configured with several options that make the output easier to handle.

What is the Ring Buffer

Ring buffers can be set to ensure that the capture does not fill up all of the disk space on your device. Once the number of files you specify has been written, the capture starts overwriting the oldest file. A ring buffer does not have to be used, but it is useful to ensure you do not fill up your HDD.

Taking a Rolling Capture

  1. Open Wireshark.
  2. Click Capture Options.
  3. Uncheck "Enable promiscuous mode on all interfaces", check the "Promiscuous" option for your capture interface and select the interface.
  4. In the "Output" tab, click "Browse...".
  5. Enter a filename in the "Save As:" field and select a folder to save captures to. Click Save.
  6. Select "Create a new file automatically after..." and "Use a ring buffer with x files". This creates a maximum number of files, with each file set to the size or timeframe configured. For example, creating a new file automatically after 32 megabytes, with a ring buffer of 128 files, will provide 4 gigabytes of rolling captures.
  7. Click Start. This opens a new window that shows the packets the device is picking up.

 

 

Article ID

ID: 1881
