Packet Capture

FortiDDoS can capture packets based on the filters described below. The resulting output is a pcap file.

To configure Packet Capture:
  1. Go to Network > Packet Capture.
  2. Click Create New.
  3. Configure the following settings:
    Setting: Description

    Name

    Enter a name for the pcap file. 1-15 characters (a-Z, 0-9, and special characters -#_*/+|).

    Interface

    Select the desired front panel port. For example, drop packets will typically be taken from the even-numbered ports facing the Internet.

    Capture Type

    Select either of the following:

    • Rx for capturing Receive packets.

    • Tx for capturing Transmit packets.

    • Drop for capturing drop packets.

    Note: Dropped packets will only be captured if an SPP is in Prevention Mode. For example, if you are filtering for a Protected IP address, be sure the SPP containing that address is in Prevention Mode.

    Filter Type

    Select the filter type:

    • Tcpdump

    • Protocol

    Filter

    The Filter option appears if Tcpdump is selected for Filter Type.

    To filter packets by specific protocols (such as TCP or UDP), port numbers, and so on, use tcpdump syntax.

    Note: By default, the Filter field is empty. This enables all packets to be captured with no filter.

    IPv6 Flag

    The IPv6 Flag option appears if Protocol is selected for Filter Type.

    Enable for IPv6, disable for IPv4.

    IPv6 Netmask

    The IPv6 Netmask option appears if Protocol is selected for Filter Type.

    Protected/Destination subnet, entered as a single IPv4 /32 host or a single IPv6 /128 host (depending on whether IPv6 Flag is disabled or enabled).

    Protocol Flag

    The Protocol Flag option appears if Protocol is selected for Filter Type.

    Enable to select specific L3/L4 protocols. Disable to capture all protocols.

    Protocol

    The Protocol options appear if Protocol is selected for Filter Type and Protocol Flag is enabled.

    Select either of the following:

    • ARP

    • TCP

    • UDP

    • ICMP

    Max Packets

    Enter the maximum number of captured packets. (Range: 1-65535, default: 100).


  4. Click Save.
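As an added example (not part of the Fortinet handbook and not FortiDDoS code), the following Python models a capture profile with the constraints listed in the settings table above and renders a Protocol-type filter as the tcpdump expression it is assumed to correspond to; the class, its field names and the mapping of the Protocol fields onto tcpdump syntax are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Limits taken from the settings table above: name charset/length, protocol list, Max Packets range.
NAME_RE = re.compile(r"^[A-Za-z0-9\-#_*/+|]{1,15}$")
PROTOCOLS = {"ARP", "TCP", "UDP", "ICMP"}

@dataclass
class CaptureProfile:
    name: str
    capture_type: str         # Rx, Tx or Drop
    filter_type: str          # "Tcpdump" or "Protocol"
    tcpdump_filter: str = ""  # Filter field; empty means capture everything
    ipv6: bool = False        # IPv6 Flag
    dest_subnet: str = ""     # Protected/Destination host, /32 (IPv4) or /128 (IPv6)
    protocol: str = ""        # Protocol when Protocol Flag is enabled; "" means all
    max_packets: int = 100    # Max Packets, 1-65535

    def validate(self) -> list:
        """Return the list of problems found; an empty list means the profile is consistent."""
        errs = []
        if not NAME_RE.match(self.name):
            errs.append("name: 1-15 chars from a-Z, 0-9 and -#_*/+|")
        if not 1 <= self.max_packets <= 65535:
            errs.append("max packets: must be 1-65535")
        if self.filter_type == "Protocol":
            want_ver, want_len = (6, 128) if self.ipv6 else (4, 32)
            try:
                net = ipaddress.ip_network(self.dest_subnet, strict=True)
                if (net.version, net.prefixlen) != (want_ver, want_len):
                    errs.append(f"subnet: must be a single IPv{want_ver} host (/{want_len})")
            except ValueError:
                errs.append("subnet: not a valid IPv4/IPv6 network")
            if self.protocol and self.protocol not in PROTOCOLS:
                errs.append("protocol: must be ARP, TCP, UDP or ICMP")
        elif self.filter_type != "Tcpdump":
            errs.append("filter type: must be Tcpdump or Protocol")
        return errs

    def to_tcpdump_filter(self) -> str:
        # Equivalent tcpdump expression (an assumption about how Protocol mode maps to tcpdump syntax).
        if self.filter_type == "Tcpdump":
            return self.tcpdump_filter
        host = ipaddress.ip_network(self.dest_subnet).network_address
        if self.protocol == "ARP":  # ARP is not carried in IP, so no ip/ip6 qualifier
            return f"arp and dst host {host}"
        terms = ["ip6" if self.ipv6 else "ip", f"dst host {host}"]
        return " and ".join(terms + ([self.protocol.lower()] if self.protocol else []))
```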

Operation

Once the capture profile has been successfully created, it appears in the list on the Network > Packet Capture page. From this list of saved capture profiles, you can start or stop a capture, download pcap files, clone the capture profile configuration, or edit and delete entries.

Each start or stop capture operation may only be run on one capture profile at a time. However, for each capture profile, you may start or stop capture any number of times as long as the profile is not deleted.

From the far right column, you may perform the following operations for the selected capture profile.

Operation (shown as an icon): Description

Start: Start the capture and allow it to complete based on the total packets captured.
Stop: Stop the capture manually.
Download: Download the pcap file.
Clone: Create a duplicate capture profile using the same configurations as the existing one.
Edit: Edit the capture profile.
Delete: Delete the capture profile.