
Analyzing Network Traffic With Meraki Port Mirroring



Port mirroring copies traffic from one or more "source" ports to a single "destination" port for analysis. When you are troubleshooting complex network issues—like dropped packets, jittery VoIP calls, or suspicious connectivity requests—viewing the raw data is often the only way to find the root cause.

This guide covers the entire workflow required to capture and analyze that data effectively. We will look at how to enable the mirror session in the Meraki Dashboard, how to handle hardware-specific VLAN tagging behavior, and how to tune Wireshark to ensure you get a clean, usable trace.

Configuring The Mirror Session In Dashboard

Setting up a port mirror on a Meraki MS switch is significantly faster than traditional methods, but it still requires following specific architectural rules. You need to know exactly which ports are involved and ensure your destination port is free to accept the data stream without conflicting with other network operations.

The configuration process relies on a strict relationship between the ports you want to watch and the port where your analysis tool sits. You can configure a "One-to-One" or "Many-to-One" relationship, meaning multiple source ports can be mirrored, but they must all funnel traffic to a single destination port.

Identifying Source Interfaces

The first step in the configuration is selecting the interfaces that carry the traffic you need to inspect. You should select the specific ports connected to the device or uplink experiencing issues.

Designating The Probe Port

The probe port, or destination port, is where you will plug in your laptop or analysis tool. This port transforms once mirroring is enabled. It ceases to function as a standard network port and becomes a dedicated stream for copied traffic. While mirroring is active, the port does not forward normal production traffic.

Stack Membership Requirements

Source and destination ports must reside on the same physical switch or within the same hardware switch stack. Mirroring logic occurs at the hardware level inside that switch or stack.

While technically possible in the Dashboard, using an active uplink port as a destination is strongly discouraged as it can sever the switch’s management connection to the Meraki Cloud. You should always choose a standard access port for your destination.

If you are using Link Aggregation (LACP) for higher bandwidth, the following rules apply:

  • Aggregate (LACP) ports can serve as sources.

  • LACP ports can never be used as destinations.

Understanding VLAN Tagging Behavior

Meraki switches handle VLAN tags differently depending on the hardware family and firmware version in use.

There are two general egress behaviors found across Meraki hardware: True Egress and Tagged Egress.

Because VLAN tagging behavior can vary by model and firmware, you should consult official Meraki documentation for your specific switch when validating expected behavior.

Untagged Native VLAN Handling

In "True Egress" mode, traffic on the native VLAN is sent out of the destination port untagged. This mimics how a standard client port behaves. You will not see VLAN tags for the native VLAN in Wireshark in this mode.

Preserved Tagging On Egress

In Tagged Egress mode, the native VLAN is preserved with tagging on output. This means packets leaving the destination port may carry an 802.1Q header, even for traffic that would normally be untagged on a standard access port.

Hardware Group A

The following models use True Egress, where native VLAN traffic is untagged:

  • MS22, MS42

  • MS120

  • MS220

  • MS320, MS350, MS390

  • MS410

  • Meraki managed and monitored Catalyst switches

Hardware Group B

The following models use Tagged Egress, where the native VLAN is preserved:

  • MS225, MS250

  • MS420, MS425
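
To check which of the two behaviors a destination port actually shows, the tags can be counted in a saved capture. The following is an added example, not code from Meraki or Wireshark: a minimal pcapng reader that tallies the outer 802.1Q VLAN ID of each Ethernet frame and classifies the result against a native VLAN you supply. The function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6              # pcapng block types
LINKTYPE_ETHERNET, TPID_8021Q = 1, 0x8100

def vlan_tally(pcapng: bytes) -> Counter:
    """Frames per outer 802.1Q VLAN ID in a pcapng capture; key None = untagged."""
    tally, links, off, en = Counter(), [], 0, "<"
    while off + 12 <= len(pcapng):
        if pcapng[off:off + 4] == b"\x0a\x0d\x0d\x0a":      # section header: byte order
            en = "<" if pcapng[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
            links = []                                       # interface IDs restart
        btype, blen = struct.unpack_from(en + "II", pcapng, off)
        if blen < 12 or blen % 4 or off + blen > len(pcapng):
            raise ValueError(f"corrupt or truncated block at offset {off}")
        if btype == IDB:
            links.append(struct.unpack_from(en + "H", pcapng, off + 8)[0])
        elif btype == EPB and blen >= 32:
            iface, _, _, caplen = struct.unpack_from(en + "4I", pcapng, off + 8)
            frame = pcapng[off + 28:off + 28 + min(caplen, blen - 32)]
            if iface < len(links) and links[iface] == LINKTYPE_ETHERNET and len(frame) >= 16:
                etype, tci = struct.unpack_from(">HH", frame, 12)
                tally[tci & 0x0FFF if etype == TPID_8021Q else None] += 1
        off += blen
    return tally

def egress_mode(tally: Counter, native_vlan: int) -> str:
    """Map the tally onto the article's two behaviours for the given native VLAN."""
    if tally[native_vlan]:
        return "tagged-egress"        # native VLAN frames carry an 802.1Q header
    return "true-egress" if tally[None] else "undetermined"

# --- constructed sample capture (not real traffic) ---
def _block(btype: int, body: bytes) -> bytes:
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _epb(frame: bytes) -> bytes:
    hdr = struct.pack("<5I", 0, 0, 0, len(frame), len(frame))
    return _block(EPB, hdr + frame + b"\x00" * (-len(frame) % 4))

def sample_capture(native_tagged: bool, native_vlan: int = 1) -> bytes:
    macs, ip = b"\xff" * 6 + bytes.fromhex("020000000001"), b"\x08\x00" + bytes(46)
    tag = lambda vid: b"\x81\x00" + struct.pack(">H", vid)
    native = macs + (tag(native_vlan) if native_tagged else b"") + ip
    head = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    head += _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 0))
    return head + _epb(native) * 2 + _epb(macs + tag(20) + ip)
```

Some NIC drivers strip 802.1Q tags before the capture library sees them, so an all-untagged tally from a Group B switch can reflect the capture station rather than the switch.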

Hardware Setup For The Capture Station

Physically connecting your capture laptop requires preparation because the destination port behaves differently from a standard switch port. When a port is configured as a mirror destination, it stops processing normal network protocols.

This creates what is known as the "Black Hole" effect. Your laptop will lose its ability to talk to the network normally. The port lets you listen to traffic, but not transmit requests like DNS lookups.

Cabling the Analyst Workstation

To properly connect your workstation, follow these physical setup steps:

  • Connect your laptop directly to the designated destination port using a standard Ethernet cable.

  • Disable your Wi-Fi to prevent the OS from trying to route traffic over a wireless connection.

  • Ensure the physical link is active on your laptop NIC.

Network Isolation on Mirror Ports

Once plugged in, you must verify the isolation behavior:

  • Do not expect internet access, as the connection is effectively unidirectional.

  • Confirm the destination port is sending data to your NIC but not accepting traffic from it.

  • Recognize that this isolation is intentional: it prevents the captured data from looping back into the network.

Interpreting APIPA Assignments

Your IP address status confirms whether the isolation is working correctly:

  • Check your network settings for a 169.254.x.x (APIPA) address.

  • Some network interface cards (NICs) may report "No Media Connected" or "No Link" if they do not detect a standard link-beat from the mirror port.

  • Treat this status as confirmation that the port is isolated from standard services.

DHCP Service Unavailability

Do not attempt to troubleshoot the lack of a standard IP address:

  • Accept the APIPA address as the expected and correct behavior.

  • Do not try to statically assign an IP address to "fix" the connection.

  • Proceed with the capture; the NIC will still accept raw frames without a valid IP.

Tuning Wireshark for Accurate Capture

Wireshark is the industry standard for viewing raw data, but it requires specific tuning for mirror sessions. If the settings are wrong, the software might ignore the very packets you need to see.

The most critical setting is "Promiscuous Mode". This tells your network card to accept every packet it sees, even those not addressed to your MAC address. Without this, your NIC will drop most of the mirrored traffic.

Initial Software Configuration

Before starting, ensure you are running a current version of Wireshark. Open the "Capture Options" menu to prepare your interface for the session.

Interface Selection Strategy

Modern laptops have many network interfaces, including virtual ones.

  • Verify you have selected the physical Ethernet adapter connected to the switch.

  • Avoid selecting virtual VPN or software adapters.

Activating Promiscuous Mode

To ensure the NIC accepts the full mirrored stream, follow these steps:

  • Open the Capture Options menu.

  • Uncheck "Enable promiscuous mode on all interfaces".

  • Check "Promiscuous" specifically for your physical capture interface.

Initiating the Trace

Press the "Start" button to begin the capture process. You should see traffic populating the screen immediately if the port mirroring is active in the Dashboard.

Exporting the PCAP File

Once you have captured the relevant event, stop the capture and save the file. Using the standard .pcapng format ensures the data can be shared for further analysis.

Advanced Techniques Using Ring Buffers

Intermittent issues, like choppy VoIP or random drops, often require hours of monitoring. A "Rolling Capture" allows you to record traffic indefinitely without filling up your hard drive.

By using a "Ring Buffer," Wireshark saves data into small chunks. When the total number of files reaches your limit, the system overwrites the oldest file, ensuring you always have the most recent data.

Strategy For Intermittent Faults

This method is the only practical way to catch "ghost" issues that happen randomly. You can leave the capture running for extended periods and simply stop it once the issue is reported.

Circular Logging Concepts

The ring buffer creates a "first-in, first-out" rotation for your log files.

  • It prevents the capture workstation from crashing due to a full disk.

  • It allows for continuous monitoring without manual intervention.

Defining File Segmentation Limits

To set up a ring buffer correctly, apply this logic in the "Output" tab:

  • Check "Create a new file automatically after X MB" (e.g., 50 MB).

  • Check "Use a ring buffer with X files" (e.g., 20 files).

Controlling File Retention Counts

The number of files you keep depends on your required history window. If you need two hours of history, ensure your total buffer size (File Size × File Count) can hold that volume of data.
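
How much history a given File Size × File Count really holds depends on the mirrored traffic rate at the time. The following added example (not from the original article or from Wireshark) simulates ring-buffer rotation over a constructed per-second byte trace, reports how many seconds remain on disk when the capture is stopped, and builds the equivalent dumpcap command line. The trace, the interface name and treating 1 MB as 1,000 kB are assumptions.

```python
from collections import deque

# Constructed trace: 110 minutes at 125 kB/s, then a 10-minute burst at 10 MB/s.
SAMPLE_RATES = [125_000] * 6600 + [10_000_000] * 600

def retained_seconds(rates, file_mb=50, files=20):
    """Seconds of history left on disk when the capture stops after len(rates) s."""
    limit = file_mb * 1_000_000
    ring = deque([[0, 0]])                     # [start second, bytes written]
    for t, nbytes in enumerate(rates):
        if ring[-1][1] and ring[-1][1] + nbytes > limit:
            ring.append([t, 0])                # current file is full: rotate
            if len(ring) > files:
                ring.popleft()                 # oldest file is overwritten whole
        ring[-1][1] += nbytes
    return len(rates) - ring[0][0]

def files_needed(rates, window_s, file_mb=50):
    """Smallest file count whose ring still covers the last window_s seconds."""
    if window_s > len(rates):
        raise ValueError("trace is shorter than the requested window")
    files = 1
    while retained_seconds(rates, file_mb, files) < window_s:
        files += 1
    return files

def dumpcap_args(iface, file_mb, files, out="mirror.pcapng"):
    """Command line for the same ring buffer with Wireshark's dumpcap tool."""
    # dumpcap takes the per-file size in kB and captures promiscuously unless -p is given
    return ["dumpcap", "-i", iface, "-b", f"filesize:{file_mb * 1000}",
            "-b", f"files:{files}", "-w", out]
```

With the constructed trace, the ten-minute burst leaves a 50 MB × 20 ring holding only the last 98 seconds, while covering the full two hours takes 137 files.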

Optimizing Disk Storage

Ensure the capture laptop has a fast SSD to keep up with high-bandwidth traffic. If the drive is too slow, you may experience dropped packets within the trace file itself.

Isolating Data With Filters

Raw captures contain thousands of packets per second, making manual inspection difficult. Wireshark offers two types of filters: Capture Filters and Display Filters.

For most troubleshooting, Display Filters are safer because they are non-destructive. You capture everything first, then use filters to narrow down the view to specific conversations or protocols.

Pre-Capture vs. Post-Capture Filtering

Capture filters discard data before it is saved, which is risky if you filter the wrong traffic. Display filters simply hide data from view while keeping the full context in the original file.

Syntax Variations

Wireshark uses a specific syntax for these filters. You will need to use standard operators to isolate traffic by IP address, protocol, or port number.

Leveraging Display Filters

Use the display filter bar at the top of the window to apply your search criteria. This updates the view in real time to show only the packets matching your search.

Extracting Specific Conversations

Once you isolate the relevant traffic, you can extract that conversation for easier viewing. This is essential for focusing on a single device's behavior amid network noise.

Archiving Filtered Subsets

To share your findings, you should export only the filtered results:

  • Apply your display filter.

  • Go to File > Export Specified Packets.

  • Select the "Displayed" radio button to save the subset.

Elevate Your Network Diagnostics

Successfully analyzing network traffic requires a methodical workflow: configure Dashboard, check egress mode, connect your laptop, and tune Wireshark. While powerful, remember that port mirroring is a troubleshooting tool, not a permanent monitoring solution.

By mastering these steps, you can turn a flood of raw data into actionable insights, resolving complex issues faster and with greater confidence.

Discover how the Cisco Meraki MS switch portfolio simplifies complex troubleshooting with intuitive, cloud-managed visibility.

FAQs

1. Does port mirroring impact switch performance?

Port mirroring is performed at the hardware level (ASIC), so it generally does not impact the switch's CPU. However, if you mirror multiple high-traffic ports to a single destination port, you may oversubscribe the destination port's bandwidth, leading to dropped packets in your capture. Additionally, the switch does not mirror its own internal management traffic (control plane) to the destination port; you will only see transit traffic.

2. Can I mirror traffic from a wireless Access Point (AP)?

Yes, you can mirror the physical switch port that the Meraki AP is plugged into. This will allow you to see the encapsulated traffic going to and from the AP. Note that you will see wired Ethernet frames (802.3) traversing the switch port, but you will not see 802.11 "over-the-air" wireless management headers or radio information.

3. Will I see traffic from a different VLAN than the one my laptop is on?

Yes, port mirroring captures all frames traversing the source port regardless of VLAN. However, visibility depends on your hardware group: "True Egress" models will strip the native VLAN tag, while "Tagged Egress" models (like the MS390 or MS425) will preserve 802.1Q headers for all traffic, including the native VLAN.

4. Can I configure port mirroring remotely?

Yes, because Meraki is cloud-managed, you can enable and disable mirroring sessions via the Dashboard from any location. However, you must have someone physically present at the site to connect the capture station to the designated destination port. For a fully remote option without a physical probe, use the "Packet Capture" tool under Network-wide > Monitor.

5. What happens if I forget to turn off the mirroring session?

While it won't break the switch, the destination port remains in a "Black Hole" state where it cannot pass normal traffic. This can confuse future onsite techs who might plug a device into that port, expecting a standard connection. It is best practice to disable the session once troubleshooting is complete.

6. Does port mirroring capture "bad" or malformed packets?

While mirroring aims to copy raw frames, most Meraki ASICs perform a Cyclic Redundancy Check (CRC) at the ingress buffer. If a frame has physical-layer corruption (CRC errors or invalid FCS), the switch hardware typically discards it before it can be mirrored. Specialized hardware TAP devices are required to reliably capture and see corrupted Ethernet frames.

7. Can I mirror a port to a different switch in the same network?

No, the source and destination ports must be on the same physical switch or within the same hardware switch stack. Remote SPAN (RSPAN) or Encapsulated Remote SPAN (ERSPAN) is not currently supported on the Meraki MS platform.
