Packet Capture
FortiDDoS can capture packets based on the filters described below. The resulting output is a pcap file.
To configure Packet Capture:
- Go to Network > Packet Capture.
- Click Create New.
- Configure the following settings:
Setting | Description
---|---
Name | Enter a name for the pcap file: 1-15 characters (a-Z, 0-9, and the special characters -#_*/+\|).
Interface | Select the desired front panel traffic or management port. For example: drop packets will typically be taken from the even-numbered ports facing the Internet, and both Tx and Rx packets can be captured to/from Mgmt ports to troubleshoot management port connectivity issues.
Capture Type | Select one of the following: Rx for capturing received packets; Tx for capturing transmitted packets; Drop for capturing dropped packets. Note: Dropped packets will only be captured if an SPP is in Prevention Mode. For example, if you are filtering for a Protected IP address, be sure the SPP containing that address is in Prevention Mode.
Filter Type | Select the filter type: Tcpdump or Protocol.
Filter | Appears if Tcpdump is selected for Filter Type. Filters packets by specific protocols such as TCP or UDP, port numbers, etc. See the syntax and allowed filters below. Note: By default, the Filter field is empty, which captures all packets with no filter.
IPv6 Flag | Appears if Protocol is selected for Filter Type. Enable for IPv6, disable for IPv4.
IPv6 Netmask | Appears if Protocol is selected for Filter Type. Protected/Destination subnet, to IPv6 /128 if IPv6 Flag is enabled or IPv4 /32 if it is disabled.
Protocol Flag | Appears if Protocol is selected for Filter Type. Enable to select specific L3/L4 protocols. Disable for all protocols.
Protocol | Appears if Protocol is selected for Filter Type and Protocol Flag is enabled. Select one of the following: ARP, TCP, UDP, ICMP.
Max Packets | Enter the maximum number of captured packets (range: 1-65535, default: 100).
- Click Save.
To configure using the CLI:

```
config system packet-capture
  edit <name_string>
    set interface {mgmt1|mgmt2|port1-port16}   (model-dependent)
    set capture-type {rx|tx|rx tx}
    set filter-type {tcp-dump|protocol}
    set max-packets {30-9000}
    set filter "src host 1.1.1.1"              (example only, please see below)
  next
end
```
Tcpdump Commands and syntax
The following filter commands and syntax are available for the tcpdump packet capture option. Note that when using the CLI, the entire filter must be enclosed in "double quotes" as shown. The quote marks must be removed when using the GUI entry field.
The commands below are not exhaustive. Ensure you understand FortiDDoS and tcpdump well before creating command strings or you may get unexpected results.
Category | Syntax | Description and Example
---|---|---
Operators | | Compounding operators can be confusing since there are duplicates and some can only be used for specific rules. Generally:
Ethernet (Layer 2) | ether {src\|dst\|blank for both} host <MAC address> | Matches a host as the Ethernet source, destination, or either. Example: set filter "ether src host 00:50:56:bf:55:aa"
 | ether proto <protocol> | Matches an Ethernet protocol. Example: set filter "ether proto 0x0800"
 | ether broadcast | Matches Ethernet broadcasts. Example: set filter "ether broadcast"
IPv4 | ip {src\|dst\|blank for both} host <ip address> | Matches a host as the IPv4 source, destination, or either. Example: set filter "ip src host 1.1.1.1"
 | ip {src\|dst\|blank for both} net <network>/<mask> | Matches packets to or from an endpoint residing in the IPv4 network. Example: set filter "ip src net 1.1.1.0/24"
 | ip proto <protocol> | Matches an IPv4 protocol. Examples: set filter "ip proto 17"; set filter "ip proto (17 or 6)"
IPv6 | ip6 {src\|dst\|blank for both} host <ip address> | Matches a host as the IPv6 source, destination, or either. Example: set filter "ip6 src host 2003:1:1::1:1:1"
 | ip6 {src\|dst\|blank for both} net <network>/<mask> | Matches packets to or from an endpoint residing in the IPv6 network. Example: set filter "ip6 src net 2003:1:1::1:1:0/112"
 | ip6 proto <protocol> | Matches an IPv6 protocol. Example: set filter "ip6 proto 58"
 | arp\|rarp\|icmp\|icmp6 | Matches ARP, RARP, ICMP or ICMPv6 packets. Example: set filter "arp"
UDP | udp {src\|dst\|blank for both} port <port> | Matches UDP packets sent to/from the port. Examples: set filter "udp dst port 53"; set filter "udp dst port (53 or 123)"
 | udp {src\|dst\|blank for both} portrange <p1>-<p2> | Matches UDP packets to/from a port in the given range. Example: set filter "udp src portrange 1-65535"
TCP | tcp {src\|dst\|blank for both} port <port> | Matches TCP packets sent to/from the port. Example: set filter "tcp dst port 80"
 | tcp {src\|dst\|blank for both} portrange <p1>-<p2> | Matches TCP packets to/from a port in the given range. Example: set filter "tcp src portrange 1-65535"
TCP Flags | tcp[tcpflags] & (tcp-{syn, ack, fin, rst, etc.}) != 0 (note: must use the "&" syntax, not "&&" or "and"), or tcp[tcpflags] == <flag number> using the TCP flag field numbers; combined flags are the sum of the individual flag numbers | Matches packets by TCP flag. Examples: set filter "tcp[tcpflags] & (tcp-rst) != 0"; set filter "tcp[tcpflags] == 18" (for SYN-ACK)
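As an added illustration (not FortiDDoS code or documentation), the following stdlib-only Python script builds a small constructed pcap, reads it back the way a downloaded capture file would be read, and evaluates the two TCP-flag filter forms from the table, `tcp[tcpflags] & (...) != 0` versus `tcp[tcpflags] == N`, against each packet. The flag numbers (fin 1, syn 2, rst 4, psh 8, ack 16, urg 32) are the standard TCP header bits; the addresses, MAC and packets are constructed sample data.

```python
import struct
# Flag bit values behind tcpdump's tcp-fin, tcp-syn, ... keywords (standard TCP header bits).
TCP_FLAGS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}

def flags_value(names):
    """Sum of the flag numbers, e.g. ("syn", "ack") -> 18, the value used in 'tcp[tcpflags] == 18'."""
    return sum(TCP_FLAGS[n] for n in names)

def match_any(flags, names):
    """Mirror of 'tcp[tcpflags] & (tcp-a|tcp-b) != 0': true if any listed flag bit is set."""
    return (flags & flags_value(names)) != 0

def match_exact(flags, names):
    """Mirror of 'tcp[tcpflags] == N': true only if exactly the listed flags are set."""
    return flags == flags_value(names)

def build_frame(src_ip, dst_ip, flags):
    """Constructed Ethernet/IPv4/TCP frame carrying the given TCP flag byte (checksums left zero)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = b"\x00\x50\x56\xbf\x55\xaa" * 2 + b"\x08\x00"                       # ethertype 0x0800 = IPv4
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, ip(src_ip), ip(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, flags, 65535, 0, 0)
    return eth + ipv4 + tcp

def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)           # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp_flags(pcap_bytes):
    """Yield (src, dst, tcpflags) for each IPv4/TCP packet in a classic pcap, without libpcap."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        pkt, off = pcap_bytes[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                  # skip anything that is not Ethernet/IPv4/'ip proto 6'
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]        # IHL gives the IPv4 header length in 32-bit words
        if len(tcp) >= 14:
            yield ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34])), tcp[13]

def count_matches(pcap_bytes, names, exact=False):
    """Number of packets the '== N' form (exact=True) or the '& ... != 0' form would select."""
    test = match_exact if exact else match_any
    return sum(1 for _, _, fl in iter_tcp_flags(pcap_bytes) if test(fl, names))

# Constructed sample capture (not a real FortiDDoS pcap): SYN, SYN-ACK, ACK, RST-ACK.
SAMPLE_PCAP = build_pcap([build_frame("1.1.1.1", "10.0.0.5", 2), build_frame("10.0.0.5", "1.1.1.1", 18),
                          build_frame("1.1.1.1", "10.0.0.5", 16), build_frame("10.0.0.5", "1.1.1.1", 20)])
```

The `==` form selects only packets whose flag byte is exactly that value, so a SYN-ACK that also carries the ECE bit (value 82) is missed by `== 18` but still caught by `& (tcp-syn|tcp-ack) != 0`.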
Operation
Once the capture profile has been successfully created, it will appear in the list in the Network > Packet Capture page. From this list of saved capture profiles, you can start or stop capture, download pcap files, clone the capture profile configuration, or edit and delete entries.
Each start or stop capture operation may only be run on one capture profile at a time. However, for each capture profile, you may start or stop capture as many times as needed as long as the profile is not deleted.
From the far right column, you may perform the following operations for the selected capture profile.
Operation | Description
---|---
Start | Start the capture and allow it to complete based on the total packets captured.
Stop | Stop the capture manually.
Download | Download the pcap file.
Clone | Create a duplicate capture profile using the same configuration as the existing one.
Edit | Edit the capture profile.
Delete | Delete the capture profile.