Skip to content

Remote captures

Remote captures allow administrators to collect packet captures (PCAPs) and WARP diagnostic logs directly from end user devices. This data can be used to troubleshoot network problems, investigate security incidents, and identify performance bottlenecks.

Start a remote capture

To capture data from a remote device:

  1. In Zero Trust, go to DEX > Remote captures.
  2. Select up to 10 devices that you want to run a capture on. Devices must be registered in your Zero Trust organization.
  3. Configure the types of captures to run.
    • PCAP: Performs packet captures for traffic outside of the WARP tunnel (default network interface) and traffic inside of the WARP tunnel (WARP virtual interface).
    • WARP Diagnostics Logs: Generates a WARP diagnostic log of the past 96 hours. To include a routing test for all IPs and domains in your Split Tunnel configuration, select Test all routes.
  4. Select Start a capture.

DEX will now send capture requests to the configured devices. If the WARP client is disconnected, the capture will time out after 10 minutes.

Check remote capture status

To view a list of captures, go to DEX > Remote captures. The Status column displays one of the following options:

  • Success: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can review PCAP results to determine which PCAPs succeeded or failed.
  • Running: The capture is in progress on the device.
  • Pending Upload: The capture is complete but not yet ready for download.
  • Failed: The capture has either timed out or encountered an error. To retry the capture, check the WARP client version and connectivity status, then start a new capture.

Download remote captures

  1. In Zero Trust, go to DEX > Remote captures.
  2. Find a successful capture.
  3. Select the three-dot menu and select Download.

This will download a ZIP file to your local machine called <capture-id>.zip. DEX will store capture data according to our log retention policy.

Device PCAP contents

The downloaded PCAP folder contains three files:

  • capture-default.pcap: Packet captures for the primary network interface.
  • capture-tunnel.pcap: Packet captures for traffic inside of the WARP tunnel.
  • results.json: Reports successful and failed packet captures.

You can analyze .pcap files using Wireshark or another third-party packet capture tool.

WARP Diag contents

Refer to WARP diagnostic logs for a description of each file.

Limitations

  • Packet captures are subject to the following limits:
    • Maximum time limit: 600 seconds
    • Maximum file size: 50 MB
    • Maximum packet size: 1500 bytes
  • WARP diagnostic logs have no file size limit, but files larger than 100 MB cannot be uploaded to Cloudflare and must be shared directly with the admin.
  • Windows devices do not support concurrent remote captures. If you start a remote capture while another is in progress, the second capture will fail immediately.