Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiWiFi and FortiAP Configuration Guide

    Home FortiAP / FortiWiFi 6.4.3 FortiWiFi and FortiAP Configuration Guide
    6.4.3
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.1
    7.2.0
    7.0.4
    7.0.2
    7.0.1
    7.0.0
    6.4.6
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.2
    6.2.0
    6.0.5
    6.0.4
    6.0.3
    5.6.4
    5.4.3

    Packet sniffer

    Packet sniffer

    Capturing the traffic between the controller and the FortiAP can help you identify most FortiAP and client connection issues.

    CAPWAP packet sniffer

    The first recommended technique consists of sniffing the CAPWAP traffic.

    • Enable plain control on the controller and on the FortiAP to capture clear control traffic on UDP port 5246.
      • On the controller:

      diagnose wireless-controller wlac plain-ctl <FortiAP_serial_number> 1

      Result:

      WTP 0-FortiAP2223X11000107 Plain Control: enabled

      • On the FortiAP:

      cw_diag plain-ctl 1

      Result:

      Current Plain Control: enabled

    Note that some issues are related to the keep-alive for control and data channel.

    Data traffic on UDP port 5247 is not encrypted. The data itself is encrypted by the wireless security mechanism.

    Data traffic is helpful to troubleshoot most of the issues related to station association, EAP authentication, WPA key exchange, roaming, and FortiAP configuration.

    You can also set up a host or server to which you can forward the CAPWAP traffic:

    1. Configure the host or server to which CAPWAP traffic is forwarded:

      diagnose wireless-controller wlac sniff-cfg <Host_IP_address> 88888

      Result:

      Current Sniff Server: 192.168.25.41, 23352

    2. Choose which traffic to capture, the interface to which the FortiAP is connected, and the FortiAP serial number:

      diagnose wireless-controller wlac sniff <interface_name> <FortiAP_serial_number> 2

      Result:

      WTP 0-FortiAP2223X11000107 Sniff: intf port2 enabled (control and data message)

      In the above syntax, the '2' captures the control and data message. The '1' would capture only the control message and '0' would disable it.

    3. Run Wireshark on the host or server to capture CAPWAP traffic from the controller.
    4. Decode the traffic as IP to check inner CAPWAP traffic.
    Example CAPWAP packet capture

    The following image shows an example of a CAPWAP packet capture, where you can see the following details:

    • Layer 2 header
    • sniffed traffic encapsulated into Internet Protocol for transport
    • CAPWAP encapsulated into UDP for sniffer purpose and encapsulated into IP
    • CAPWAP control traffic on UDP port 5246
    • CAPWAP payload

    Wireless traffic packet sniffer

    The second recommended technique consists of sniffing the wireless traffic directly on the air using your FortiAP.

    Wireless traffic packet capture

    Packet captures are useful for troubleshooting all wireless client related issues because you can verify data rate and 802.11 parameters, such as radio capabilities, and determine issues with wireless signal strength, interference, or congestion on the network.

    A radio can only capture one frequency at a time; one of the radios is set to sniffer mode depending on the traffic or channel required. You must use two FortiAPs to capture both frequencies at the same time.

    • Set a radio on the FortiAP to monitor mode.

      iwconfig wlan10

      Result:

      wlan10 IEEE 802.11na ESSID:""

      Mode:Monitor Frequency:5.18 GHz Access Point: Not-Associated

    • The capture file is stored under the temp directory as wl_sniff.pcap

      /tmp/wl_sniff.cap

      Note

      The capture file is only stored temporarily. If you want to save it, upload it to a TFTP server before rebooting or changing the radio settings.

    • The command cp wl_sniff.cap newname.pcap allows you to rename the file.
    • To send the pcap file to a remote TFTP server, use the following commands depending on your AP model:

      • For FAP-U:

        tftp -l /tmp/wl_sniff.cap -r wl_sniff_remote.cap -p 192.168.50.100

      • For Standard FAP W1:

        ftftp -l /tmp/wl_sniff.cap -r wl_sniff_remote.cap -p 192.168.50.100

      • For Standard FAP W2:

        ftftp 192.168.50.100 -m binary -c put /tmp/wl_sniff.cap wl_sniff_remote.cap

      Where 192.168.50.100 is the IP address of the tftp server.

    Syntax

    The following syntax demonstrates how to set the radio to sniffer mode (configurable from the CLI only). Sniffer mode provides options to filter for specific traffic to capture. Notice that you can determine the buffer size, which channel to sniff, the AP MAC address, and select if you want to sniff the beacons, probes, controls, and data channels.

    configure wireless-controller wtp-profile

    edit <profile_name>

    configure <radio>

    set mode sniffer

    set ap-sniffer-bufsize 32

    set ap-sniffer-chan 1

    set ap-sniffer-addr 00:00:00:00:00:00

    set ap-sniffer-mgmt-beacon enable

    set ap-sniffer-mgmt-probe enable

    set ap-sniffer-mgmt-other enable

    set ap-sniffer-ctl enable

    set ap-sniffer-data enable

    end

    end

    Once you have performed the previous CLI configuration, you can see the packet sniffer mode selected in the GUI dashboard under WiFi and Switch Controller > FortiAP Profiles and WiFi and Switch Controller > Managed FortiAPs. Bear in mind that if you change the mode from the GUI, you need to return to the CLI to re-enable the sniffer mode.

    To disable the sniffer profile in the CLI, use the following commands:

    config wireless-controller wtp-profile

    edit <profile_name>

    config <radio>

    set ap-sniffer-mgmt-beacon disable

    set ap-sniffer-mgmt-probe disable

    set ap-sniffer-mgmt-other disable

    set ap-sniffer-ctl disable

    set ap-sniffer-data disable

    end

    end

    Caution

    If you change the radio mode before sending the file wl_sniff.cap to an external TFTP, the file is deleted and you lose your packet capture.
    Example AP packet capture

    The following image shows an example of the AP packet capture with the following details:

    • capture header showing channel 36
    • beacon frame
    • source, destination, and BSSID of the beacon frame
    • SSID of the beacon frame

    Previous
    Next

    Packet sniffer

    Packet sniffer

    Capturing the traffic between the controller and the FortiAP can help you identify most FortiAP and client connection issues.

    CAPWAP packet sniffer

    The first recommended technique consists of sniffing the CAPWAP traffic.

    • Enable plain control on the controller and on the FortiAP to capture clear control traffic on UDP port 5246.
      • On the controller:

      diagnose wireless-controller wlac plain-ctl <FortiAP_serial_number> 1

      Result:

      WTP 0-FortiAP2223X11000107 Plain Control: enabled

      • On the FortiAP:

      cw_diag plain-ctl 1

      Result:

      Current Plain Control: enabled

    Note that some issues are related to the keep-alive for control and data channel.

    Data traffic on UDP port 5247 is not encrypted. The data itself is encrypted by the wireless security mechanism.

    Data traffic is helpful to troubleshoot most of the issues related to station association, EAP authentication, WPA key exchange, roaming, and FortiAP configuration.

    You can also set up a host or server to which you can forward the CAPWAP traffic:

    1. Configure the host or server to which CAPWAP traffic is forwarded:

      diagnose wireless-controller wlac sniff-cfg <Host_IP_address> 88888

      Result:

      Current Sniff Server: 192.168.25.41, 23352

    2. Choose which traffic to capture, the interface to which the FortiAP is connected, and the FortiAP serial number:

      diagnose wireless-controller wlac sniff <interface_name> <FortiAP_serial_number> 2

      Result:

      WTP 0-FortiAP2223X11000107 Sniff: intf port2 enabled (control and data message)

      In the above syntax, the '2' captures the control and data message. The '1' would capture only the control message and '0' would disable it.

    3. Run Wireshark on the host or server to capture CAPWAP traffic from the controller.
    4. Decode the traffic as IP to check inner CAPWAP traffic.
    Example CAPWAP packet capture

    The following image shows an example of a CAPWAP packet capture, where you can see the following details:

    • Layer 2 header
    • sniffed traffic encapsulated into Internet Protocol for transport
    • CAPWAP encapsulated into UDP for sniffer purpose and encapsulated into IP
    • CAPWAP control traffic on UDP port 5246
    • CAPWAP payload

    Wireless traffic packet sniffer

    The second recommended technique consists of sniffing the wireless traffic directly on the air using your FortiAP.

    Wireless traffic packet capture

    Packet captures are useful for troubleshooting all wireless client related issues because you can verify data rate and 802.11 parameters, such as radio capabilities, and determine issues with wireless signal strength, interference, or congestion on the network.

    A radio can only capture one frequency at a time; one of the radios is set to sniffer mode depending on the traffic or channel required. You must use two FortiAPs to capture both frequencies at the same time.

    • Set a radio on the FortiAP to monitor mode.

      iwconfig wlan10

      Result:

      wlan10 IEEE 802.11na ESSID:""

      Mode:Monitor Frequency:5.18 GHz Access Point: Not-Associated

    • The capture file is stored under the temp directory as wl_sniff.pcap

      /tmp/wl_sniff.cap

      Note

      The capture file is only stored temporarily. If you want to save it, upload it to a TFTP server before rebooting or changing the radio settings.

    • The command cp wl_sniff.cap newname.pcap allows you to rename the file.
    • To send the pcap file to a remote TFTP server, use the following commands depending on your AP model:

      • For FAP-U:

        tftp -l /tmp/wl_sniff.cap -r wl_sniff_remote.cap -p 192.168.50.100

      • For Standard FAP W1:

        ftftp -l /tmp/wl_sniff.cap -r wl_sniff_remote.cap -p 192.168.50.100

      • For Standard FAP W2:

        ftftp 192.168.50.100 -m binary -c put /tmp/wl_sniff.cap wl_sniff_remote.cap

      Where 192.168.50.100 is the IP address of the tftp server.

    Syntax

    The following syntax demonstrates how to set the radio to sniffer mode (configurable from the CLI only). Sniffer mode provides options to filter for specific traffic to capture. Notice that you can determine the buffer size, which channel to sniff, the AP MAC address, and select if you want to sniff the beacons, probes, controls, and data channels.

    configure wireless-controller wtp-profile

    edit <profile_name>

    configure <radio>

    set mode sniffer

    set ap-sniffer-bufsize 32

    set ap-sniffer-chan 1

    set ap-sniffer-addr 00:00:00:00:00:00

    set ap-sniffer-mgmt-beacon enable

    set ap-sniffer-mgmt-probe enable

    set ap-sniffer-mgmt-other enable

    set ap-sniffer-ctl enable

    set ap-sniffer-data enable

    end

    end

    Once you have performed the previous CLI configuration, you can see the packet sniffer mode selected in the GUI dashboard under WiFi and Switch Controller > FortiAP Profiles and WiFi and Switch Controller > Managed FortiAPs. Bear in mind that if you change the mode from the GUI, you need to return to the CLI to re-enable the sniffer mode.

    To disable the sniffer profile in the CLI, use the following commands:

    config wireless-controller wtp-profile

    edit <profile_name>

    config <radio>

    set ap-sniffer-mgmt-beacon disable

    set ap-sniffer-mgmt-probe disable

    set ap-sniffer-mgmt-other disable

    set ap-sniffer-ctl disable

    set ap-sniffer-data disable

    end

    end

    Caution

    If you change the radio mode before sending the file wl_sniff.cap to an external TFTP, the file is deleted and you lose your packet capture.
    Example AP packet capture

    The following image shows an example of the AP packet capture with the following details:

    • capture header showing channel 36
    • beacon frame
    • source, destination, and BSSID of the beacon frame
    • SSID of the beacon frame

    Previous
    Next