Remote captures
Feature availability
WARP modes | Zero Trust plans |
---|---|
| All plans |
System | Availability | Minimum WARP version |
---|---|---|
Windows | ✅ | 2024.12.492.0 |
macOS | ✅ | 2024.12.492.0 |
Linux | ✅ | 2024.12.492.0 |
iOS | ❌ | |
Android | ❌ | |
ChromeOS | ❌ | |
Remote captures allow administrators to collect packet captures (PCAPs) and WARP diagnostic logs directly from end user devices. This data can be used to troubleshoot network problems, investigate security incidents, and identify performance bottlenecks.
Devices must be actively connected to the Internet for remote captures to run.
To capture data from a remote device:
- In Zero Trust, go to DEX > Remote captures.
- Select up to 10 devices that you want to run a capture on. Devices must be registered in your Zero Trust organization.
- Configure the types of captures to run.
  - Packet captures (PCAP): Performs packet captures for traffic outside of the WARP tunnel (default network interface) and traffic inside of the WARP tunnel (WARP virtual interface).
  - WARP Diagnostics Logs: Generates a WARP diagnostic log of the past 96 hours. To include a routing test for all IPs and domains in your Split Tunnel configuration, select Test all routes.
- Select Run diagnostics.
DEX will now send capture requests to the configured devices. If the WARP client is disconnected, the capture will time out after 10 minutes.
To view a list of captures, go to DEX > Remote captures. The Status column displays one of the following options:
- Success: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can review PCAP results to determine which PCAPs succeeded or failed.
- Running: The capture is in progress on the device.
- Pending Upload: The capture is complete but not yet ready for download.
- Failed: The capture has either timed out or encountered an error. To retry the capture, check the WARP client version and connectivity status, then start a new capture.
- In Zero Trust, go to DEX > Remote captures.
- Find a successful capture.
- Select the three-dot menu and select Download.
This will download a ZIP file to your local machine called <capture-id>.zip. DEX will store capture data according to our log retention policy.
The downloaded PCAP folder contains three files:
- capture-default.pcap: Packet captures for the primary network interface.
- capture-tunnel.pcap: Packet captures for traffic inside of the WARP tunnel.
- results.json: Reports successful and failed packet captures.
You can analyze .pcap files using Wireshark or another third-party packet capture tool.
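A pre-analysis check for a downloaded capture ZIP, as an added example that is not Cloudflare's code: it confirms the three files named above are present, records a SHA-256 for each (useful when the capture is incident evidence), and walks each classic pcap to count packets, measure the time span, and count packets stored shorter than their on-wire length. The layout inside the ZIP, the handling of a header-only or pcapng file, and the sample archive are assumptions; the schema of results.json is not described on this page, so that file is only hashed.

```python
import hashlib, io, struct, zipfile

# File names are from the page; the ZIP layout is assumed, so match by base name.
EXPECTED = ("capture-default.pcap", "capture-tunnel.pcap", "results.json")
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond pcap
         b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}  # nanosecond pcap

def pcap_stats(data):
    """Walk a classic pcap: packet count, time span, packets cut at snaplen."""
    end = MAGIC.get(data[:4])
    if end is None or len(data) < 24:
        return {"format": "pcapng" if data[:4] == b"\x0a\x0d\x0d\x0a" else "unknown"}
    snaplen = struct.unpack_from(end + "I", data, 16)[0]
    off, times, cut = 24, [], 0
    while off + 16 <= len(data):
        sec, _, incl, orig = struct.unpack_from(end + "4I", data, off)
        if off + 16 + incl > len(data):
            break  # trailing partial record
        times.append(sec)
        cut += incl < orig  # stored length shorter than on-wire length
        off += 16 + incl
    return {"format": "pcap", "snaplen": snaplen, "packets": len(times),
            "truncated": cut, "seconds": times[-1] - times[0] if times else 0}

def triage_capture_zip(blob):
    """Per expected file: presence, size, SHA-256, and pcap stats where applicable."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = {n.rsplit("/", 1)[-1]: n for n in zf.namelist()}
        for name in EXPECTED:
            report[name] = entry = {"present": name in members}
            if entry["present"]:
                data = zf.read(members[name])
                entry.update(bytes=len(data), sha256=hashlib.sha256(data).hexdigest())
                if name.endswith(".pcap"):
                    entry.update(pcap_stats(data))
    return report

def sample_zip():
    """Constructed input: 2-packet default pcap, header-only tunnel pcap, empty JSON."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 1)
    pkts = b"".join(struct.pack("<4I", t, 0, 4, orig) + b"\0" * 4
                    for t, orig in ((100, 4), (130, 1600)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pcap/capture-default.pcap", hdr + pkts)
        zf.writestr("pcap/capture-tunnel.pcap", hdr)
        zf.writestr("pcap/results.json", "{}")
    return buf.getvalue()
```

For a real download, pass `open("<capture-id>.zip", "rb").read()` to `triage_capture_zip`; a file reported with zero packets or as missing is the one to check against results.json.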
Refer to WARP diagnostic logs for a description of each file.
The WARP diagnostics summary highlights what Cloudflare determines to be the most important detection events in a warp-diag log. You can use the WARP diagnostic summary to help analyze your log files and identify the root cause of client issues. WARP diagnostic summaries are only available for logs collected via the dashboard.
To access your WARP diagnostic summary:
- In Zero Trust, go to DEX > Remote captures.
- Locate an existing warp-diag log from the list or select Run diagnostics to generate a new warp-diag log.
- Select the three dots for the warp-diag log that you want to analyze, then select View WARP Diag. The Overview tab will display an AI-generated summary of the results, a list of detection events, and basic device information.

Explanation of the fields
Field | Description |
---|---|
Detection type | A common WARP issue that can appear in the diagnostic logs. |
Occurrences | Number of times an issue was detected in the logs. |
Severity level | Indicates the impact of the issue on WARP client functionality. The severity levels are: Critical: Issue causes complete loss of functionality. Warning: Issue causes degraded functionality but core features should still work. No detection: Issue was not detected in the logs. |
Operating system | OS and OS version of the device. |
WARP version | WARP release version |
Profile ID | WARP device profile UUID |
Service mode | WARP mode |
Configuration name | Name of the Zero Trust organization that WARP is connected to. |
Device ID | ID generated by the WARP client. |

- Select a detection type for more information about the event and recommended next steps.
Cloudflare will store the warp-diag log and its summary per our log retention policy. To save a copy onto your local machine, download the log file and go to the JSON file tab to copy the summary in JSON format.
- Packet captures are subject to the following limits:

Limit Type | Maximum Value |
---|---|
Time limit | 600 seconds |
File size | 50 MB |
Packet size | 1500 bytes |

- WARP diagnostic logs have no file size limit, but files larger than 100 MB cannot be uploaded to Cloudflare and must be shared directly with the admin.
- Windows devices do not support concurrent remote captures. If you start a remote capture while another is in progress, the second capture will fail immediately.
- PCAPs will fail on Windows if you have another third-party packet capture tool (such as Packet Monitor pktmon) running.
- On Windows, packet captures may fail on devices configured with a non-English language due to limitations with the underlying PktMon tool.