FortiDDoS Handbook

Packet Capture

FortiDDoS can capture packets based on the filters described below. The resulting output is a pcap file.

To configure Packet Capture:
  1. Go to Network > Packet Capture.
  2. Click Create New.
  3. Configure the following settings:
    Setting / Description
    Name

    Enter a name for the pcap file. 1-15 characters (a-z, A-Z, 0-9, and the special characters -#_*/+|).
    Interface

    Select the desired front panel traffic or management port. For example:

    • Drop packets will typically be taken from the even-numbered ports facing the Internet.

    • Both Tx and Rx packets can be captured to/from Mgmt ports to troubleshoot management port connectivity issues.

    Capture Type

    Select one of the following:

    • Rx for capturing Receive packets.

    • Tx for capturing Transmit packets.

    • Drop for capturing drop packets.

    Note: Dropped packets will only be captured if an SPP is in Prevention Mode. For example, if you are filtering for a Protected IP address, be sure the SPP containing that address is in Prevention Mode.

    Filter Type

    Select the filter type:

    • Tcpdump

    • Protocol

    Filter

    The Filter option appears if Tcpdump is selected for Filter Type.

    Enter a tcpdump-style expression to restrict the capture to specific protocols (such as TCP or UDP), port numbers, hosts, and so on. See the syntax and allowed filters below.

    Note: By default, the Filter field is empty, so all packets on the selected interface are captured.

    IPv6 Flag

    The IPv6 Flag option appears if Protocol is selected for Filter Type.

    Enable for IPv6, disable for IPv4.

    IPv6 Netmask

    The IPv6 Netmask option appears if Protocol is selected for Filter Type.

    Enter the Protected (destination) subnet, up to /32 for IPv4 or /128 for IPv6 (depending on whether IPv6 Flag is disabled or enabled).

    Protocol Flag

    The Protocol Flag option appears if Protocol is selected for Filter Type.

    Enable to select specific L3/L4 protocols. Disable to capture all protocols.

    Protocol

    The Protocol options appear if Protocol is selected for Filter Type and Protocol Flag is enabled.

    Select one of the following:

    • ARP

    • TCP

    • UDP

    • ICMP

    Max Packets

    Enter the maximum number of captured packets. (Range: 1-65535, default: 100.) Note that the CLI syntax below shows a different range (30-9000); use the range your firmware accepts.


  4. Click Save.

To configure using the CLI:

config system packet-capture
  edit <name_string>
    set interface {mgmt1|mgmt2|port1-port16} (model-dependent)
    set capture-type {rx|tx|rx tx}
    set filter-type {tcp-dump|protocol}
    set max-packets {30-9000}
    set filter "src host 1.1.1.1" (example only, please see below)
  next
end

Tcpdump Commands and syntax

The following filter commands and syntax are available for the tcpdump packet capture option. Note that when using the CLI, the entire filter must be enclosed in "double quotes" as shown. The quote marks must be removed when using the GUI entry field.

The commands below are not exhaustive. Ensure you understand FortiDDoS and tcpdump well before creating command strings or you may get unexpected results.

Category / Syntax / Description and Example

Operators

Compounding operators can be confusing since there are duplicates and some can only be used with specific rules. Generally:

  • The keyword operators and/or/not cannot be used with Layer 4 protocol sub-fields such as tcp-flags, icmp-types, etc.; those accept only the single-character operators &, |, and !.

  • The double-character operators && and || can be used interchangeably with the keywords and/or, but only for src/dst host IP and tcp/udp port expressions.

  • Double equals, ==, can be used for some equivalencies, e.g. tcp[tcpflags] == 18 (SYN-ACK).

Ethernet (Layer 2)

ether {src|dst|blank for both} host <MAC address>

Matches a host as the Ethernet source, destination, or either

Example: set filter "ether src host 00:50:56:bf:55:aa"

ether proto <protocol>

Matches an Ethernet protocol

Example: set filter "ether proto 0x0800"

ether broadcast

Matches Ethernet broadcasts

Example: set filter "ether broadcast"

IPv4

ip {src|dst|blank for both} host <ip address>

Matches a host as the IPv4 source, destination, or either

Example: set filter "ip src host 1.1.1.1"

ip {src|dst|blank for both} net <network>/<mask>

Matches packets to or from an endpoint residing in IPv4 network

Example: set filter "ip src net 1.1.1.0/24"

ip proto <protocol>

Matches an IPv4 protocol by IP protocol number (for example, 1 = ICMP, 6 = TCP, 17 = UDP)

Example: set filter "ip proto 17"

set filter "ip proto (17 or 6)"

IPv6

ip6 {src|dst|blank for both} host <ip address>

Matches a host as the IPv6 source, destination, or either

Example: set filter "ip6 src host 2003:1:1::1:1:1"

ip6 {src|dst|blank for both} net <network>/<mask>

Matches packets to or from an endpoint residing in an IPv6 network

Example: set filter "ip6 src net 2003:1:1::1:1:0/112"

ip6 proto <protocol>

Matches an IPv6 next-header protocol number (for example, 6 = TCP, 17 = UDP, 58 = ICMPv6)

Example: set filter "ip6 proto 58"

arp|rarp|icmp|icmp6

Matches ARP, RARP, ICMP, or ICMPv6 packets

Example: set filter "arp"

UDP

udp {src|dst|blank for both} port <port>

Matches UDP packets sent to/from port

Example: set filter "udp dst port 53"

set filter "udp dst port (53 or 123)"

udp {src|dst|blank for both} portrange <p1>-<p2>

Matches UDP packets to/from a port in the given range

Example: set filter "udp src portrange 1-65535"

TCP

tcp {src|dst|blank for both} port <port>

Matches TCP packets sent to/from port

Example: set filter "tcp dst port 80"

tcp {src|dst|blank for both} portrange <p1>-<p2>

Matches TCP packets to/from a port in the given range

Example: set filter "tcp src portrange 1-65535"

TCP Flags

tcp[tcpflags] & (tcp-{syn|ack|fin|rst|psh|urg|ece|cwr}) != 0

Note: must use the "&" syntax here, not "&&" or "and".

OR tcp[tcpflags] == <flag number>, using the TCP flag field numbers below:

FIN 1
SYN 2
RST 4
PSH 8
ACK 16
URG 32
ECE 64
CWR 128

Combined flags are the sum of the individual flag numbers. For example:

SYN-ACK 18
PSH-ACK 24
FIN-PSH-ACK 25

Matches TCP packets by flag. The two forms differ: the "&" form matches any packet with the named flag set, whatever other flags are also set, while the "==" form matches only packets whose flag byte equals that exact number (so "== 18" matches a plain SYN-ACK but not a SYN-ACK that also has ECE set).

Example: set filter "tcp[tcpflags] & (tcp-rst) != 0"

set filter "tcp[tcpflags] == 18"

(for SYN-ACK)
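To make the bitmask-versus-exact distinction above concrete, the following script is an added example written for this page (not Fortinet code and not part of the FortiDDoS product). It reads a classic pcap file of the kind FortiDDoS lets you download, decodes Ethernet/IPv4/TCP headers with only the Python standard library, and evaluates both filter forms on each packet. The four-packet pcap it parses is constructed in memory (addresses, ports and MACs are made up) so it runs offline; point iter_tcp() at the bytes of a downloaded pcap file to run the same checks on real captures.

```python
"""Added example: evaluate FortiDDoS-style TCP-flag filters against a pcap.

  tcp[tcpflags] & (tcp-syn) != 0   -> bitmask test: SYN set, other flags ignored
  tcp[tcpflags] == 18              -> exact test: flag byte is SYN+ACK and nothing else

Illustrative code for this page only; the sample pcap below is constructed.
"""
import struct

# Flag bit values from the TCP Flags table above.
TCP_FLAGS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8,
             "ack": 16, "urg": 32, "ece": 64, "cwr": 128}


def flag_value(*names):
    """Combined flag number, e.g. flag_value("syn", "ack") == 18."""
    return sum(TCP_FLAGS[n.lower()] for n in names)


def build_tcp_packet(flags, src="1.1.1.1", dst="10.0.0.1", sport=40000, dport=80):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = bytes.fromhex("005056bf55aa") + bytes.fromhex("005056bf55bb") + b"\x08\x00"

    def ip4(a):
        return bytes(int(x) for x in a.split("."))

    # TCP: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    # IPv4: ver/ihl, tos, total length, id, frag, ttl, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip4(src), ip4(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def iter_tcp(pcap_bytes):
    """Yield (src, dst, sport, dport, flags) for each IPv4/TCP frame in a pcap."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    assert magic == 0xA1B2C3D4, "only little-endian classic pcap is handled here"
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":        # EtherType is not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        if frame[23] != 6:                     # IP protocol is not TCP
            continue
        t = 14 + ihl                           # start of the TCP header
        sport, dport = struct.unpack_from("!HH", frame, t)
        flags = frame[t + 13]                  # tcp[tcpflags] is byte 13 of TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        yield src, dst, sport, dport, flags


def match_mask(flags, *names):
    """tcp[tcpflags] & (tcp-x|tcp-y) != 0"""
    return flags & flag_value(*names) != 0


def match_exact(flags, value):
    """tcp[tcpflags] == value"""
    return flags == value


def classify(pcap_bytes):
    """Count how many TCP packets each filter form would have captured."""
    counts = {"syn_mask": 0, "syn_ack_exact": 0, "rst_mask": 0, "total": 0}
    for *_, flags in iter_tcp(pcap_bytes):
        counts["total"] += 1
        counts["syn_mask"] += int(match_mask(flags, "syn"))
        counts["syn_ack_exact"] += int(match_exact(flags, 18))
        counts["rst_mask"] += int(match_mask(flags, "rst"))
    return counts


# Constructed sample capture: a handshake with one ECN-marked SYN-ACK and a reset.
SAMPLE_PCAP = build_pcap([
    build_tcp_packet(flag_value("syn")),                # client SYN           (2)
    build_tcp_packet(flag_value("syn", "ack")),         # server SYN-ACK       (18)
    build_tcp_packet(flag_value("syn", "ack", "ece")),  # SYN-ACK with ECE set (82)
    build_tcp_packet(flag_value("rst", "ack")),         # RST-ACK              (20)
])

if __name__ == "__main__":
    print(classify(SAMPLE_PCAP))
```

On the sample capture the "&" filter for SYN matches three packets (2, 18 and 82), while "== 18" matches only the plain SYN-ACK; the ECN-marked SYN-ACK (82) is missed by the exact form, which is the behaviour to keep in mind when a capture filtered with "==" comes back emptier than expected.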

Operation

Once the capture profile has been successfully created, it will appear in the list in the Network > Packet Capture page. From this list of saved capture profiles, you can start or stop capture, download pcap files, clone the capture profile configuration, or edit and delete entries.

Each start or stop operation runs on one capture profile at a time. However, for each capture profile, you may start or stop the capture any number of times as long as the profile is not deleted.

From the far right column, you may perform the following operations for the selected capture profile.

Operation / Description

Start Start the capture and allow it to complete based on the total packets captured.
Stop Stop the capture manually.
Download Download the pcap file.
Clone Create a duplicate capture profile using the same configurations as the existing one.
Edit Edit the capture profile.
Delete Delete the capture profile.
