Meraki Capture Timestamps

When capturing packets on your Cisco Meraki device and uploading them to CloudShark certain packets may be captured with corrupted timestamps. These captures can be spotted by an unusually large duration such as 1342784422.854547. This is caused by corrupted timestamps which typically state that the date a packet was captured was in December of 1969.

These timestamps can make it difficult to fully analyze the capture file in CloudShark. A quick way to see the packets that have corrupted timestamps is to apply the display filter:

frame.time_relative < 0

This will show any packets that have timestamps indicating they were captured before the previous packet.

Once you have identified the packets that have invalid timestamps you can create a new CloudShark capture session by filtering these packets out with the filter:

! frame.time_relative < 0

and clicking Export -> Create New Session. Make sure the Apply current display filter export option is selected and your new capture session will have the correct duration and timestamps.