Dynamic and Manual Packet Captures
SUMMARY: When investigating communication failures between the client and the access point (AP), you can use the Juniper Mist™ portal to get dynamic and manual packet captures.
Mist does not collect or store any payload data from packet captures. Only transmission and connection data are used.
Dynamic Packet Captures
Which Events Trigger Dynamic Packet Captures?
Whenever a connection failure event occurs between the wireless client and an access point (AP), it automatically triggers a short-term dynamic packet capture.
These events include:
- DHCP Timeout: The client sends a broadcast discover packet but does not receive an offer packet from the server.
- DHCP Denied: The server sends a DHCP NAK, indicating that the IP address might already be in use.
- DHCP Terminated: The client does not proceed with a DHCP request for the offer provided by the server.
- Authorization Failure: This can have various causes (MIC failure, RADIUS server not responding, Access-Reject from the RADIUS server, or the client failing to complete the authentication process).
- 11r FBT Failure: The client fails an 11r roam.
- OKC Auth Failure: The client fails an OKC roam.
- Association Failure: This can be caused by Tx failures or by an invalid PMKID included by the client in the association request.
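The three DHCP conditions in this list can be checked in a downloaded capture by grouping DHCP messages by transaction ID and looking at which message types are present. The Python below is an added example, not Juniper Mist code or its trigger logic; the function names, the "OK" and "Incomplete" labels, the constructed sample payloads, and the assumption that a client keeps one transaction ID for the whole exchange are all illustrative.

```python
import struct

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 values (RFC 2132)
MAGIC = b"\x63\x82\x53\x63"                          # DHCP magic cookie

def build_dhcp(xid, msg_type):
    """Constructed sample payload: BOOTP header with only op/xid set, plus option 53."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2
    header = struct.pack("!BBBBI", op, 1, 6, 0, xid) + bytes(228)  # 236-byte header
    return header + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Return (xid, message_type) for a DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None                                  # truncated or not DHCP
    xid = struct.unpack("!I", payload[4:8])[0]
    i = 240
    while i + 2 < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 53 and payload[i + 1] == 1:
            return xid, payload[i + 2]
        i += 1 if payload[i] == 0 else 2 + payload[i + 1]  # pad has no length byte
    return None

def classify(payloads):
    """Group messages by xid and label each exchange with the event names above."""
    seen = {}
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed:
            seen.setdefault(parsed[0], set()).add(parsed[1])
    labels = {}
    for xid, types in seen.items():
        if NAK in types:
            labels[xid] = "DHCP Denied"
        elif ACK in types:
            labels[xid] = "OK"
        elif DISCOVER in types and OFFER not in types:
            labels[xid] = "DHCP Timeout"
        elif OFFER in types and REQUEST not in types:
            labels[xid] = "DHCP Terminated"
        else:
            labels[xid] = "Incomplete"
    return labels

# Constructed sample exchanges keyed by transaction ID (not from a real capture).
EXCHANGES = {0x1001: [DISCOVER], 0x1002: [DISCOVER, OFFER, REQUEST, NAK],
             0x1003: [DISCOVER, OFFER], 0x1004: [DISCOVER, OFFER, REQUEST, ACK]}
SAMPLE = [build_dhcp(xid, t) for xid, seq in EXCHANGES.items() for t in seq]
print(classify(SAMPLE))
```

A capture that stops before the exchange finishes looks the same as a timeout or a terminated exchange, so read the labels against the capture's start and end times.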
Finding the Packet Captures
Dynamic packet captures are saved to the cloud. You can download them from the Insights page.
Video Demo
Anyone who's ever looked at WAN PCAPs knows how maddening that can be. Literally everyone at the branch accessing the internet is sending traffic on the WAN. Looking at any particular message sequence will most likely involve combining several PCAPs.
This can be time-consuming and frustrating. However, with Juniper Dynamic Packet Capture, now extended to the WAN, MIST automatically captures all the messages when an incident occurs. You no longer need to grab a bunch of PCAPs to combine them and hope you caught what you were looking for, and there's no need to recreate the issue.
Juniper MIST captures the packets while the issue is occurring, so you have the raw data right away. This drastically reduces MTTR as you no longer need to sort through a mountain of messages to find the ones related to your incident. That's WAN Assurance Dynamic PCAP in 60 seconds.
Example
This example shows how easily you can find dynamic packet captures on the Insights page.
From the left menu, select Monitor > Service Levels.
Click the Insights button to view the Insights page.
Scroll down to the Client Events section.
Paperclip icons indicate the events with dynamic packet captures.
Click an event to see more details on the right side of the screen.
Below the details, click Download Packet Capture.
Manual Packet Captures
For manual packet captures, go to Site > Packet Captures, where you can:
- Choose which network type to capture packets from: wired, wireless, or WAN.
  Note: Wired packet capture applies to the wired ports of APs (not the switch ports). WAN packet captures support Session Smart Router and SRX WAN edge device ports.
- Restrict the packet capture to specific clients, WLANs, APs, or wireless bands.
- Configure the number of packets captured, packet size in bytes, and the duration of the capture session.
- Configure other capture parameters such as header inclusion and capture filters. See Table 1 for details.
After downloading the packet capture to your computer, follow the steps below to view it in Wireshark.
Configure IEEE 802.11 on Wireshark
Packet inspection requires Wireshark. See https://www.wireshark.org for the download file and related information.
To configure Wireshark to view packets captured from the Juniper Mist portal, follow the steps below:
View Wireless Packet Captures in Wireshark
You can capture packets from both your wired and wireless networks. The following configuration applies to wireless packet captures, in which you can see:
- Wireless channel information
- Wireless data rate
- Received signal strength indicator (RSSI)
To accomplish this task, you must download and install the Wireshark application on your computer. In a Web browser, navigate to https://www.wireshark.org for Wireshark application downloads and detailed information about Wireshark. For additional information about Wireshark, see https://www.wireshark.org/docs/.
This topic provides minimal guidance about how to configure Wireshark for use in examining wireless packet captures gathered from the Juniper Mist portal.
Table 1: Manual Packet Capture Options
Option Name | Option Function | Usage Notes | Firmware Notes |
---|---|---|---|
Include Network Headers | Include packet headers in addition to the packet data. | Packet capture works by buffering packets locally on the device, meaning there is limited space available for storage. By default, Mist truncates header data from the captured packets to reduce the size of capture files while still providing the most relevant information. | – |
Local Capture | Do not stream the live capture data to the Mist GUI. | Earlier AP firmware did not support live streaming packet captures to the Juniper Mist portal. | Required for AP firmware versions before 0.10.x |
Canned Filters | Pre-defined filters that vary based on the type of packet capture you're performing. | The filters available in the list change depending on whether you're capturing wireless, wired, or WAN packets. For example, beacon frames are only available for wireless packet captures. | – |
Advanced Filters | Create your own packet filters for the capture session using tcpdump syntax. | | 0.10.x or later |
Expression Builder | Interactive GUI tool to build custom filters in tcpdump syntax for use in the capture session. | You can let the builder start the filter entry and then add to or delete from the entry manually. | 0.10.x or later |