Packet Captures
For troubleshooting and analysis.
Packet captures contain copies of data sent or received by endpoints, for analysis or troubleshooting purposes. Packet capture sessions are configured, started and stopped in the Endpoint function. During a capture session, or once it has been completed, the packets captured can be downloaded in PCAP format for analysis in a tool such as Wireshark.
What is a Packet Capture?
A Packet Capture records the actual IP packets flowing through the Stacuity gateway for a specific endpoint during a defined window. The result is a .pcap file that can be opened in Wireshark or any other packet analysis tool.
Packet captures are a last-resort diagnostic tool for situations where the Event Viewer and Signalling Traces have not identified the root cause of a connectivity or application-layer problem.
Packet Captures: Two Entry Points
Packet captures can be accessed in two ways:
From an individual endpoint (most common): Go to Inventory → Endpoints, open an endpoint, and select the Packet Capture tab. This starts a capture for that specific endpoint.
From the Packet Captures section (view all sessions): Go to Diagnostics → Packet Captures to see all capture sessions across all endpoints, with their start time, end time, status, and download options.
When to Use Packet Captures
| Symptom | What to look for |
|---|---|
| Device attaches but cannot pass data | DNS failures, routing errors, unexpected packet drops |
| Application connects but performs poorly | TCP retransmissions, high RTT, packet loss |
| Traffic reaching the wrong destination | Inspect packet destinations to verify routing rules |
| VPN tunnel issues | IKE negotiation packets, mismatched proposals |
| TLS handshake failures | Certificate errors, protocol version mismatches |
For routine operational monitoring, use the Event Viewer and the endpoint's Events tab instead.
Starting a Packet Capture
- Go to Inventory → Endpoints.
- Click the view icon for the endpoint you want to capture.
- Select the Packet Capture tab.
- Configure the capture duration.
- Click Start Capture.
The capture runs on the Stacuity gateway in the background. The endpoint does not need to do anything. Capture is passive from the device's perspective.
Contact your tenant for the maximum capture duration available on your account.
Viewing and Downloading Captures
From the Endpoint
While a capture is running, you can view it in real-time from the endpoint's Packet Capture tab.
When the capture completes, its status changes to Finished and a download option becomes available.
From the Packet Captures Section
Navigate to Diagnostics → Packet Captures to see all capture sessions across your account.
| Column | Description |
|---|---|
| Start Time (UTC) | When the capture session started |
| End Time (UTC) | When the capture session ended |
| Status | Current status, e.g. Finished |
From the Actions column:
- View: view the capture in real-time or review completed captures
- PCAP: download the capture file in .pcap format
Analysing the Capture
Open the .pcap file in Wireshark (available free at wireshark.org).
Useful Wireshark display filters for common problems:
| Wireshark filter | Shows |
|---|---|
| tcp.analysis.retransmission | TCP retransmissions. Indicates packet loss or congestion. |
| dns.flags.rcode != 0 | DNS errors |
| tcp.flags.reset == 1 | TCP RST (connection resets) |
| tls.alert | TLS alert messages (certificate or protocol errors) |
| icmp.type == 3 | ICMP Destination Unreachable (routing failures) |
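For a quick first pass before opening Wireshark, the sketch below (an added example, not Stacuity code) parses a downloaded capture with the Python standard library and counts packets matching three of the filters above: TCP resets, ICMP Destination Unreachable and DNS errors. It assumes a classic pcap file (not pcapng) with an Ethernet or raw-IP link type, which this page does not specify; `triage_pcap` and `sample_pcap` are hypothetical names and the sample packets are constructed.

```python
import struct

def triage_pcap(data: bytes) -> dict:
    """Count packets matching three display filters from the table above."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic microsecond pcap file (pcapng is not handled)")
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype not in (1, 101):  # assumption: 1 = Ethernet, 101 = raw IP
        raise ValueError(f"unsupported link type {linktype}")
    counts = {"packets": 0, "tcp_rst": 0, "icmp_unreachable": 0, "dns_error": 0}
    off = 24
    while off + 16 <= len(data):  # 16-byte record header precedes each packet
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        counts["packets"] += 1
        if linktype == 1:
            if pkt[12:14] != b"\x08\x00":  # EtherType is not IPv4
                continue
            pkt = pkt[14:]
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue
        if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:  # later fragment: no L4 header
            continue
        proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
        if proto == 6 and len(l4) >= 14 and l4[13] & 0x04:  # tcp.flags.reset == 1
            counts["tcp_rst"] += 1
        elif proto == 1 and l4[:1] == b"\x03":  # icmp.type == 3
            counts["icmp_unreachable"] += 1
        elif proto == 17 and len(l4) >= 12 and 53 in struct.unpack("!HH", l4[:4]):
            if l4[11] & 0x0F:  # dns.flags.rcode != 0
                counts["dns_error"] += 1
    return counts

def _ipv4(proto: int, payload: bytes) -> bytes:
    # Constructed sample packet; addresses are documentation values, checksum left 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1])) + payload

def sample_pcap() -> bytes:
    """Constructed raw-IP capture: one RST, one SYN, one ICMP type 3, one NXDOMAIN."""
    tcp = lambda flags: struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, flags, 0, 0, 0)
    dns = struct.pack("!HHHH", 53, 40001, 20, 0) + struct.pack("!HHHHHH", 1, 0x8183, 0, 0, 0, 0)
    pkts = [_ipv4(6, tcp(0x04)), _ipv4(6, tcp(0x02)),
            _ipv4(1, struct.pack("!BBHI", 3, 1, 0, 0)), _ipv4(17, dns)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)
```

Non-zero counts only indicate which filter to apply first in Wireshark; retransmission and TLS alert analysis need stream reassembly and are left to Wireshark.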
Limitations
- Captures are only available on Active endpoints.
- If the endpoint has no active data session when the capture starts, the file will be empty until a session begins.
- Captures reflect traffic at the Stacuity packet gateway, not at the device. Traffic that never reaches the gateway will not appear.
Alternative Diagnostics
If packet captures do not help identify the issue:
- Signalling Traces (endpoint detail view, Signalling Traces tab): shows control-plane signalling. Useful for attachment and session establishment failures. Requires a feature flag enabled by your tenant.
- Event Viewer: check for unexpected events with error codes.
- Contact your tenant: for issues that require platform-level investigation, your tenant can engage Stacuity support with fuller diagnostic access.
