Intelligent Capture Hardening

Cisco Intelligent Capture (iCAP) feature and enhancements

The Cisco Intelligent Capture (iCAP) feature is a troubleshooting tool for wireless clients and APs that provides aggregated data and enhanced analysis capabilities.

  • The feature aggregates data from wireless controllers and APs to make troubleshooting easier,

  • the feature includes enhancements such as anomaly detection and RF statistics,

  • the feature facilitates the identification of onboarding and transmission issues for wireless clients.

Feature history for Cisco Intelligent Capture hardening

This table provides release and related information about the feature explained in this section.

This feature is also available in all the releases subsequent to the one in which they are introduced in, unless noted otherwise.

Table 1. Feature history

Release

Feature

Feature information

Cisco IOS XE Dublin 17.12.1

Cisco Intelligent Capture (iCAP) Hardening

The following enhancements are made to the iCAP feature:

  • Anomaly Detection

  • RF Statistics

Additional information

Use the Cisco Intelligent Capture (iCAP) feature in the Cisco DNA Center GUI to identify the cause of onboarding or AP transmission issues by gathering and displaying data from wireless controllers and APs.

For example, you can use the iCAP feature’s anomaly detection and RF statistics to quickly identify and resolve wireless client onboarding issues.


Note

In Cisco IOS XE 17.15.2, iCAP virtual interface processor (VIP) packet capture is supported only for 802.11ax clients. iCAP VIP or full packet capture is not supported for 802.11be clients.

Anomaly detection

An anomaly is a network event type that

  • allows Cisco APs to detect possible irregularities in the behavior or lifecycle of wireless clients and APs

  • informs the network administrator of issues, enabling identification of what happened and how to avoid recurrence, and

  • supports aggregation and suppression of repeated anomaly notifications to prevent overwhelming Cisco DNA Center with duplicate events from the same client or event type.

How anomaly detection works

Anomaly detection is crucial in identifying network problems and understanding their root causes. Whenever Cisco APs detect an anomaly, they send individual anomaly events to Cisco Catalyst Center. To avoid flooding Cisco Catalyst Center with repeated events of the same type or from the same client within a short time frame, system enhancements automatically collapse and aggregate repeats into a single event.

Anomaly detection configuration enhancements are available on the controller, which now provisions and displays the iCAP (Intelligent Capture) status, providing better visibility into anomaly detection and troubleshooting.

Example of anomaly detection

If a wireless client repeatedly triggers the same anomaly, the AP aggregates these into a single event before sending it to Cisco Catalyst Center, allowing administrators to act on consolidated insights without being overwhelmed by redundant notifications.

RF statistics

A set of RF statistics is a data collection feature that

  • gathers real-time and historical information about the radio frequency environment,

  • measures the performance and health indicators of wireless network access points, and

  • supports monitoring and troubleshooting by providing details such as signal quality, noise levels, and channel usage.

Additional information

In Cisco IOS XE 17.12.1 and later, per-AP RF statistics are delivered directly from the wireless controller through iCAP subscription. In earlier versions (up to Cisco IOS XE 17.11.1), only basic statistical information was available.

Configure anomaly detection in AP profile (CLI)

Enable individual anomaly detection and detailed reporting for clients in an AP profile.

Procedure

Step 1

Enter global configuration mode.

Example:

Device# onfigure terminal

Step 2

Configure an AP profile and enter AP profile configuration mode.

Example:

Device(config)# ap profile ap-profile

Step 3

Enable individual reports for client anomaly-detection subscription.

Example:

Device(config-ap-profile)# icap subscription client anomaly-detection report-individual enable

Step 4

Enable individual reports aggregation for client anomaly-detection subscription.

Example:

Device(config-ap-profile)# icap subscription client anomaly-detection report-individual enable aggregate

This command is disabled by default.

Step 5

Configure event reports per client, every five minutes.

Example:

Device(config-ap-profile)# icap subscription client anomaly-detection report-individual per-client throttle number-of-event-reports

The value of an event report ranges from 0 to 50 reports. The default value is five reports.

Step 6

Configure event reports per type, every five minutes.

Example:

Device(config-ap-profile)# icap subscription client anomaly-detection report-individual per-type throttle number-of-event-reports

The value of an event report ranges from 0 to 100 reports. The default value is five reports.

Anomaly detection is activated for the AP profile, and the system generates individual and aggregated anomaly reports.

Configure anomaly detection in an AP (CLI)

Enable and configure anomaly detection features on a specific access point using CLI commands.

Procedure

Step 1

Enter privileged EXEC mode.

Example:

Device> enable

Step 2

Enable individual reports for client anomaly-detection subscription for a single AP.

Example:

Device# ap name ap-name icap subscription client anomaly-detection report-individual enable

Step 3

Enable individual reports aggregation for client anomaly-detection subscription, for a single AP.

Example:

Device# ap name ap-name icap subscription client anomaly-detection report-individual enable

Step 4

Configure event reports per client, every five minutes, for a single AP.

Example:

Device# ap name ap-name icap subscription client anomaly-detection report-individual per-client throttle number-of-event-reports

The value of an event report ranges from 0 to 50 reports.

Step 5

Configure event reports per type, every five minutes, for a single AP.

Example:

Device# ap name ap-name icap subscription client anomaly-detection report-individual per-type throttle number-of-event-reports

The value of an event report ranges from 0 to 100 reports.

Anomaly detection is enabled on the targeted AP, and report generation is configured according to your specified parameters.

Verify anomaly detection and RF statistics

To verify the current status of the anomaly-detection subscription of an AP, use this command:

Device# show ap name cisco-AP icap subscription client anomaly-detection chassis active R0
Per-AP ICap configuration

Anomaly detection subscription
  State                    : enabled
  Client filter            : 006b.f107.a520
  Client filter            : 006b.f107.a521
  DHCP timeout (seconds)   : 5
  Trigger AP packet trace  : enabled
  Report Individual        : enabled
  Report Individual aggregate : enabled
  Report Individual throttled events (per 5 minute) : 5
  Report Individual per type throttled events (per 5 minute) : 14
  Report Individual per client throttled events (per 5 minute) : 15
  Report Summary           : disabled
  Report Summary frequency (minutes) : 5

To verify RF statistics, use this command:


Note

The controller show command is enhanced to display data from the txTotalDrops counter. 

Device# show wireless client mac-address 00XX.ecXX.7aXX detail
.
.
.
Client Statistics:
  Number of Bytes Received from Client : 62861
  Number of Bytes Sent to Client : 6754
  Number of Packets Received from Client : 455
  Number of Packets Sent to Client : 65
  Number of Data Retries : 0
  Number of RTS Retries : 0
  Number of Tx Total Dropped Packets: x
  Number of Duplicate Received Packets : 0
  Number of Decrypt Failed Packets : 0
  Number of Mic Failured Packets : 0
  Number of Mic Missing Packets : 0
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -21 dBm
  Signal to Noise Ratio : 73 dB
.
.
.