Dynamic and Manual Packet Captures

SUMMARY When investigating communication failures between the client and the access point (AP), you can use the Juniper Mist™ portal to get dynamic and manual packet captures.

Note:

Mist does not collect or store any payload data from packet captures. Only transmission and connection data are used.

Dynamic Packet Captures

Which Events Trigger Dynamic Packet Captures?

Whenever a connection failure event occurs between the wireless client and an access point (AP), it automatically triggers a short-term dynamic packet capture.

These events include:

  • DHCP Timeout—When the client sends a broadcast discover packet but does not receive an offer packet from the server.

  • DHCP Denied—When the server sends a DHCP NAK, indicating that the IP address might already be in use.

  • DHCP Terminated—When the client does not proceed with a DHCP request for the offer provided by the server.

  • Authorization Failure—This can have various causes (MIC failure, RADIUS server not responding, Access-Reject from the RADIUS server, or the client failing to complete the authentication process).

  • 11r FBT Failure—This is caused by the client failing an 11r roam.

  • OKC Auth Failure—This is caused by the client failing an OKC roam.

  • Association Failure—This can be caused by Tx failures or by an invalid PMKID included by the client in the association request.
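
When reviewing a downloaded capture, the three DHCP events can be told apart by which message types appear in each transaction. The following Python is an added example, not Juniper Mist code: it reads option 53 from raw DHCP payloads and applies the definitions above, assuming the capture window is complete (the function names and sample payloads are constructed for illustration).

```python
import struct
from collections import defaultdict

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(payload):
    """Return (xid, message_type) from a BOOTP/DHCP UDP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # pad option has no length byte
            i += 1
            continue
        if payload[i] == 53 and payload[i + 1] == 1 and i + 2 < len(payload):
            return xid, payload[i + 2]
        i += 2 + payload[i + 1]
    return None

def verdict(types):
    """Apply the event definitions to one transaction's set of message types."""
    if NAK in types:
        return "DHCP Denied"          # server refused the address
    if ACK in types:
        return "OK"
    if OFFER in types and REQUEST not in types:
        return "DHCP Terminated"      # client never requested the offer
    if DISCOVER in types and OFFER not in types:
        return "DHCP Timeout"         # discover went unanswered
    return "Incomplete"

def classify(payloads):
    """Group payloads by transaction id (xid) and classify each transaction."""
    seen = defaultdict(set)
    for xid, msg_type in filter(None, map(parse_dhcp, payloads)):
        seen[xid].add(msg_type)
    return {xid: verdict(types) for xid, types in seen.items()}

def build(xid, msg_type):
    """Constructed sample payload: fixed BOOTP header plus option 53 only."""
    return (bytes([1 if msg_type in (DISCOVER, REQUEST) else 2, 1, 6, 0])
            + struct.pack("!I", xid) + bytes(228) + MAGIC_COOKIE + bytes([53, 1, msg_type, 255]))

SAMPLE = [build(0x11, DISCOVER), build(0x22, DISCOVER), build(0x22, OFFER),
          build(0x33, DISCOVER), build(0x33, OFFER), build(0x33, REQUEST), build(0x33, NAK),
          build(0x44, DISCOVER), build(0x44, OFFER), build(0x44, REQUEST), build(0x44, ACK)]
```

`classify(SAMPLE)` returns one verdict per transaction id; feed it the UDP port 67/68 payloads extracted from a real capture in place of `SAMPLE`.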

Finding the Packet Captures

Dynamic packet captures are saved to the cloud. You can download them from the Insights page.

Video Demo

Anyone who's ever looked at WAN PCAPs knows how maddening that can be. Literally everyone at the branch accessing the internet is sending traffic on the WAN. Looking at any particular message sequence will most likely involve combining several PCAPs.

This can be time-consuming and frustrating. However, with Juniper Dynamic Packet Capture, now extended to the WAN, Mist automatically captures all the messages when an incident occurs. You no longer need to grab a bunch of PCAPs to combine them and hope you caught what you were looking for, and there's no need to recreate the issue.

Juniper Mist captures the packets while the issue is occurring, so you have the raw data right away. This drastically reduces MTTR as you no longer need to sort through a mountain of messages to find the ones related to your incident. That's WAN Assurance Dynamic PCAP in 60 seconds.

Example

This example shows how easily you can find dynamic packet captures on the Insights page.

  1. From the left menu, select Monitor > Service Levels.

  2. Click the Insights button to view the Insights page.

  3. Scroll down to the Client Events section.

    Paperclip icons indicate the events with dynamic packet captures.

  4. Click an event to see more details on the right side of the screen.

  5. Below the details, click Download Packet Capture.

    Dynamic Packet Capture Button on the Client Events Section of the Insights Page

Manual Packet Captures

For manual packet captures, go to Site > Packet Captures, where you can:

  • Choose which network type to capture packets from: wired, wireless, or WAN.

    Note:

    Wired packet capture applies to the wired ports of APs (not the switch ports). WAN packet captures support Session Smart Router and SRX WAN edge device ports.

  • Restrict the packet capture to specific clients, WLANs, APs, or wireless bands.

  • Configure the number of packets captured, packet size in bytes, and the duration of the capture session.

  • Configure other capture parameters such as header inclusion and capture filters. See Table 1 for details.

After downloading the packet capture to your computer, follow the steps below to view it in Wireshark.

Configure IEEE 802.11 on Wireshark

Packet inspection requires Wireshark. See https://www.wireshark.org for the download file and related information.

To configure Wireshark to view packets captured from the Juniper Mist portal, follow the steps below:

  1. Open the Wireshark application on your computer.
  2. Open the Wireshark Preferences window:

    On a Windows computer, navigate to Edit > Preferences.

    On a Mac computer, navigate to Wireshark > Preferences.

  3. In the Preferences window, expand the Protocols menu option and scroll down to IEEE 802.11.
    1. Select Yes - with IV and then click OK.

View Wireless Packet Captures in Wireshark

You can capture packets from both your wired and wireless networks. The following configuration applies to wireless packet captures, for which you can see:

  • Wireless channel information

  • Wireless data rate

  • Received signal strength indicator (RSSI)

To accomplish this task, you must download and install the Wireshark application on your computer. In a Web browser, navigate to https://www.wireshark.org for Wireshark application downloads and detailed information about Wireshark. For additional information about Wireshark, see https://www.wireshark.org/docs/.

This topic provides minimal guidance about how to configure Wireshark for use in examining wireless packet captures gathered from the Juniper Mist portal.

  1. Open the Wireshark application on your computer.
  2. Open the Wireshark Preferences window:

    On a Windows computer, navigate to Edit > Preferences.

    On a Mac computer, navigate to Wireshark > Preferences.

  3. In the Preferences window, navigate to Appearance > Columns.
  4. Click the Add (+) button to add a new radiotap column to the Wireshark display. (Radiotap headers include wireless packet frames that would otherwise not be displayed. See https://www.wireshark.org/docs/dfref/r/radiotap.html.)
    Wireshark adds a new line with the title New Column and the type Number.
    1. Double-click the New Column title and type Channel as the title.
    2. Double-click the Type column and select Frequency/Channel from the drop-down menu.
    3. Leave the Displayed column selected.
  5. Repeat Step 4 two times:
    1. The first time, use Data Rate for the column title and IEEE 802.11 TX Rate for the type.
    2. The second time, use RSSI as the column title and IEEE 802.11 RSSI for the type.
  6. Click OK to save your changes.
    Wireshark will display the new columns when you open a packet capture (.pcap) file for viewing.
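
When a capture carries radiotap headers, the channel, data rate, and RSSI values come from fields in that header. The following Python is an added example, not part of the Juniper documentation: it decodes those three values from a radiotap header, assuming the legacy Rate field is present (frames sent at 802.11n/ac/ax rates carry the rate in other radiotap fields that this code does not read). The sample header is constructed.

```python
import struct

# (present bit, name, struct format, alignment) in the order radiotap stores them.
FIELDS = [
    (0, "tsft", "<Q", 8),
    (1, "flags", "<B", 1),
    (2, "rate", "<B", 1),            # legacy rate, units of 500 kbps
    (3, "channel", "<HH", 2),        # frequency in MHz, then channel flags
    (4, "fhss", "<BB", 2),
    (5, "dbm_antsignal", "<b", 1),   # signed RSSI in dBm
]

def parse_radiotap(frame):
    """Return the channel frequency, data rate and RSSI a radiotap header carries."""
    if len(frame) < 8:
        raise ValueError("too short for a radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or not 8 <= length <= len(frame):
        raise ValueError("not a valid radiotap header")
    offset, word = 8, present
    while word & (1 << 31):                      # bit 31: another bitmap follows
        if offset + 4 > length:
            raise ValueError("truncated present bitmaps")
        word = struct.unpack_from("<I", frame, offset)[0]
        offset += 4
    raw = {}
    for bit, name, fmt, align in FIELDS:
        if not present & (1 << bit):
            continue
        offset = -(-offset // align) * align     # align from the header start
        size = struct.calcsize(fmt)
        if offset + size > length:
            raise ValueError("truncated radiotap header")
        raw[name] = struct.unpack_from(fmt, frame, offset)
        offset += size
    return {
        "freq_mhz": raw["channel"][0] if "channel" in raw else None,
        "rate_mbps": raw["rate"][0] / 2 if "rate" in raw else None,
        "rssi_dbm": raw["dbm_antsignal"][0] if "dbm_antsignal" in raw else None,
    }

# Constructed sample: Flags, Rate, Channel and dBm signal present (bitmap 0x2E).
SAMPLE = struct.pack("<BBHIBBHHb", 0, 0, 15, 0x2E, 0x00, 12, 5180, 0x0140, -62)
```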

Manual Packet Capture Options

By default, Juniper Mist streams the packet capture session data, including beacon frames, to the Mist portal. The following table describes the packet capture options that you can use when you create a packet capture session.

Table 1: Packet Capture Options

| Option Name | Option Function | Usage Notes | Firmware Notes |
| --- | --- | --- | --- |
| Include Network Headers | Include packet headers in addition to the packet data. | Packet capture works by buffering packets locally on the device, meaning there is limited space available for storage. By default, Mist truncates header data from the captured packets to reduce the size of capture files while still providing the most relevant information. | |
| Local Capture | Do not stream the live capture data to the Mist GUI. | Earlier AP firmware did not support live streaming packet captures to the Juniper Mist portal. | Required for AP firmware versions before 0.10.x |
| Canned Filters | Pre-defined filters that vary based on the type of packet capture you're performing. | The filters available in the list change depending on whether you're capturing wireless, wired, or WAN packets. For example, beacon frames are only available for wireless packet captures. | |
| Advanced Filters | Create your own packet filters for the capture session using tcpdump syntax. | | 0.10.x or later |
| Expression Builder | Interactive GUI tool to build custom filters in tcpdump syntax for use in the capture session. | You can let the builder start the filter entry and then add to or delete from the entry manually. | 0.10.x or later |