Packet sniffing for FPC and management board packets
From the management board CLI, you can access a VDOM and use the diagnose sniffer packet command to view or sniff packets processed by the FPCs for this VDOM. To use this command, log into the management board and edit a VDOM. The command output will include packets processed by all of the FPCs in the selected VDOM.
You can also use the diagnose sniffer packet command from an individual FPC to view packets processed by that FPC.
From the management board the command syntax is:
diagnose sniffer packet <interface> <protocol-filter> <verbose> <count> <timestamp> <frame-size> <slot>
<interface> the name of one or more interfaces on which to sniff for packets. Use any to sniff packets for all interfaces.
<protocol-filter> a filter to select the protocol for which to view traffic. This can be simple, such as entering udp to view UDP traffic, or complex, specifying a protocol, port, source and destination interface, and so on.
<verbose> the amount of detail in the output. The options are:
- display packet headers only.
- display packet headers and IP data.
- display packet headers and Ethernet data (if available).
- display packet headers and interface names.
- display packet headers, IP data, and interface names.
- display packet headers, Ethernet data (if available), and interface names.
<count> the number of packets to view. You can enter Ctrl-C to stop the sniffer before the count is reached.
<timestamp> the timestamp format: a for UTC time and l for local time.
<frame-size> the frame size that is printed before truncation. Defaults to the interface MTU.
<slot> the FPC(s) for which to view packets.
- To view packets for one FPC enter the slot number of the FPC.
- To view packets for more than one FPC, enter the slot numbers separated by commas. You can also include a range. For example, to view packets for the FPCs in slots 1, 2, 3, and 6 you can enter
- To view packets for all FPCs, enter
- If you leave out the <slot> option, you can use the diagnose sniffer options slot command to set whether only management board packets appear or whether management board and FPC packets appear.
Using the diagnose sniffer options slot command
You can use the diagnose sniffer options slot command to control what the diagnose sniffer packet command displays if you don't include the <slot> option. The default diagnose sniffer options slot setting causes the diagnose sniffer packet command to display packets processed by all FPCs and by the management board.
You can use the following command to only display packets processed by the management board:
diagnose sniffer options slot current
Then the next time you enter the diagnose sniffer packet command and leave out the <slot> option, only packets from the management board appear in the command output.
Filtering out internal management traffic
The FortiGate-6000 includes internal interfaces that carry internal management and synchronization communication between FortiGate-6000 components. Because this traffic uses internal interfaces, it is filtered out if you specify one or more interface names in the diagnose sniffer packet command. However, if you sniff traffic on the any interface, internal management traffic can appear in the diagnose sniffer packet command output.
The diagnose sniffer options filter-out-internal-pkts option, if enabled (the default), filters out this internal management traffic. You can disable this option if you want to see the internal management traffic in the diagnose sniffer packet output.
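As an added illustration of the <slot> option and the two sniffer options described above (constructed here, not taken from the original page), the following management board session assumes a VDOM named root, an interface named port1, verbose level 4 (packet headers and interface names, a value known to exist but not listed on this page), a host address chosen for the example, and enable/disable as the values of filter-out-internal-pkts.

```text
config vdom
    edit root
        # 20 packets to or from 10.0.0.5 on TCP 443, processed by the FPCs in slots 1 and 3,
        # local timestamps, frame size 1500
        diagnose sniffer packet port1 'host 10.0.0.5 and tcp port 443' 4 20 l 1500 1,3
        # with <slot> omitted, show only management board packets
        diagnose sniffer options slot current
        # keep internal management traffic visible when sniffing on any
        diagnose sniffer options filter-out-internal-pkts disable
        diagnose sniffer packet any 'udp port 53' 4 10 l 1500
    next
end
```

Re-enable filter-out-internal-pkts after troubleshooting so the internal synchronization traffic does not clutter later captures on any.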