Meraki

Community

Packet Capture on a Mirrored Port?

Bassman
Here to help
‎Aug 30 2018 8:06 AM
‎Aug 30 2018 8:06 AM

Packet Capture on a Mirrored Port?

We have a MS425 Merkai switch and mirror traffic from 3 ports to port 14.  Port 14 is then connected to security appliance to analyse for any security breaches etc.

 

I would like to use the option within the Meraki console to run a packet capture on Port 14, but when I do there is no data captured.  This must be something to do with the port being configured as a mirrored ports as it works on all other ports.  When I do run a packet capture on Port 14, the only output that I get is:-

 

--- Start Of Stream ---
reading from file /tmp/click_pcap_dump, link-type EN10MB (Ethernet)
--- End Of Stream ---

 

I assume that this is normal and I cannot capture port traffic on the mirrored port by using the Meraki console?

 

Thanks.

0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 30 2018 8:52 AM
‎Aug 30 2018 8:52 AM

Hmm, that doesn't surprise me.  Can you do a capture on port 3?  I'm guessing that won't work either (or worse, might break the mirror session).

0 Kudos
In response to PhilipDAth
Adam
Kind of a big deal
‎Aug 30 2018 10:42 AM
‎Aug 30 2018 10:42 AM

So two suggestions on this:

1.  Have you tried doing a capture to a pcap file instead of to the display to see if it makes any difference?  Are you seeing the traffic on the device connected to that mirror destination port?

2.  I had a similar issue to this with one of our Meraki switches where I couldn't see the mirror traffic in a capture either because the ports weren't in the same asic (maybe wrong terminology there).  I can't remember how many ports are grouped together in an asic (maybe 16) but basically, I had to make sure the source and destination ports were in the same asic for it to work properly. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to PhilipDAth
Bassman
Here to help
‎Sep 7 2018 6:47 AM
‎Sep 7 2018 6:47 AM

Thanks for the response. No, that doesn't work either. I connected a PC running wire shark directly to the mirrored port for testing and can see that the port is indeed mirroring data, just the data capture does not work. This is for both and on-screen and to a file capture.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.