Important note about packet captures...

Mr_IT_Guy
A model citizen

I'm currently on a call with support at the moment and learned something very interesting about captures from the engineer. When doing a packet capture, you see a note that says "This capture will stop after x seconds, or when x packets have been captured". It is important to know that the "when x packets have been captured" is misleading. If you apply a filter to the capture, even if a packet doesn't meet the criteria of the filter, it still counts towards your "x packets" number.

I had been wondering why some of my packet captures had been turning up little to no information at times and this explains why! Hope this helps someone else.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
MerakiDave
Meraki Employee

Yes, this is the correct behavior, sorry if it's not obvious from the description or documentation.  If you want to capture the first 30 packets of a particular sequence, and you apply a filter, and also tell it to stop capturing after 30 packets... If there are then more than 30 packets before the sequence of interest, you'll miss it.  As you stated, the 'X' packets counter is prior to any filtering.

 

Uberseehandel
Kind of a big deal


@MerakiDave wrote:

Yes, this is the correct behavior, sorry if it's not obvious from the description or documentation.  If you want to capture the first 30 packets of a particular sequence, and you apply a filter, and also tell it to stop capturing after 30 packets... If there are then more than 30 packets before the sequence of interest, you'll miss it.  As you stated, the 'X' packets counter is prior to any filtering.

 


This is a problem well known to Data Scientists and Informaticists. The better tools allow one to process / filter until the (desired) number of data items of interest has been collected. This is pretty basic stuff. Along with not creating dashboards that make the more numerate chortle.

I'm also tired of seeing a number series sorted alphabetically (0, 1, 10, ..... 19, 2, 20, 21). 

Please employ more Data Scientists.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
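
The counting behaviour MerakiDave describes, set beside the filter-then-count approach mentioned in the reply above, as an added Python example that is not part of the original thread and is not Meraki's code. The packet stream, field names and function names are constructed for illustration.

```python
from itertools import islice

def make_stream(background, interesting):
    """Constructed traffic: DNS background packets first, then the HTTPS flow of interest."""
    pkts = [{"n": i, "proto": "udp", "dport": 53} for i in range(background)]
    pkts += [{"n": background + i, "proto": "tcp", "dport": 443}
             for i in range(interesting)]
    return pkts

def is_https(pkt):
    """Capture filter used in this example (roughly 'tcp port 443')."""
    return pkt["proto"] == "tcp" and pkt["dport"] == 443

def capture_prefilter_limit(stream, match, limit):
    """Behaviour described in the thread: every packet seen counts toward the limit."""
    return [p for p in islice(stream, limit) if match(p)]

def capture_postfilter_limit(stream, match, limit):
    """Filter-then-count: stop only once `limit` matching packets have been kept."""
    return list(islice((p for p in stream if match(p)), limit))

def raw_limit_needed(stream, match, wanted):
    """Smallest pre-filter packet limit that still yields `wanted` matches, else None."""
    if wanted <= 0:
        return 0
    kept = 0
    for seen, pkt in enumerate(stream, start=1):
        kept += bool(match(pkt))
        if kept == wanted:
            return seen
    return None

if __name__ == "__main__":
    # 40 unrelated packets arrive before the 30-packet sequence of interest.
    stream = make_stream(background=40, interesting=30)
    print("pre-filter limit 30 keeps :", len(capture_prefilter_limit(stream, is_https, 30)))
    print("post-filter limit 30 keeps:", len(capture_postfilter_limit(stream, is_https, 30)))
    print("raw limit needed for 30   :", raw_limit_needed(stream, is_https, 30))
```

With a pre-filter counter, the packet limit has to be sized for the total traffic expected before and during the flow of interest, not for the number of matching packets wanted.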
MilesMeraki
Head in the Cloud

Thanks for the share, this is news to me.

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
ww
Kind of a big deal

Dashboard packet capture has limited use as long as it is not reliably capturing packets.

bigben386
Getting noticed

Anyone else have issues getting the pcaps to run for more than 30 seconds if they apply a filter? I set the timeout to 1200 seconds and apply a filter. If no packets are returned in a few seconds that match the filter, the pcap stops. The PPS rate is not high enough to be triggering the unfiltered packet limit. I want to be able to see some specific traffic in real time. The other option is to download the pcap but I cannot get a download capture to run for more than ~2 minutes.
