FortiGate-6000 Handbook

Packet sniffing for FPC and management board packets

From the management board CLI, you can enter a VDOM and use the diagnose sniffer packet command to view or sniff packets processed by the FPCs for that VDOM. To use this command, log into the management board, enter config vdom, and edit the VDOM you want to sniff. The command output includes packets processed by all of the FPCs for the selected VDOM.

You can also use the diagnose sniffer packet command from an individual FPC to view packets processed by that FPC.

From the management board the command syntax is:

diagnose sniffer packet <interface> <protocol-filter> <verbose> <count> <timestamp> <frame-size> <slot>

Where:

<interface> the name of one or more interfaces on which to sniff for packets. Use any to sniff packets for all interfaces.

<protocol-filter> a filter that selects the traffic to display. It can be simple, such as udp to view all UDP traffic, or a more complex expression that combines a protocol, a port, a source or destination host, and so on.

<verbose> the amount of detail in the output, and can be:

  1. display packet headers only.
  2. display packet headers and IP data.
  3. display packet headers and Ethernet data (if available).
  4. display packet headers and interface names.
  5. display packet headers, IP data, and interface names.
  6. display packet headers, Ethernet data (if available), and interface names.

<count> the number of packets to view. You can enter Ctrl-C to stop the sniffer before the count is reached.

<timestamp> the timestamp format, a for UTC time and l for local time.

<frame-size> the maximum number of bytes of each frame to display; longer frames are truncated at this size. Defaults to the interface MTU.

<slot> the FPC(s) for which to view packets.

  • To view packets for one FPC enter the slot number of the FPC.
  • To view packets for more than one FPC, enter the slot numbers separated by commas. You can also include a range. For example, to view packets for the FPCs in slots 1, 2, 3, and 6 you can enter 1,2,3,6 or 1-3,6.
  • To view packets for all FPCs, enter all.
  • If you leave out the <slot> option, you can use the diagnose sniffer options slot command to set whether management board packets appear or whether management board and FPC packets appear.
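The following Python helper is an added example, not code from the handbook or from FortiOS. It assembles the command line described above and validates each argument before you paste it into the management board CLI: it checks the verbose level and timestamp format, expands a slot spec such as 1-3,6 into the individual FPC slots (so a typo or a slot the chassis does not have is caught before the command runs) and then writes it back in compact form. The set of valid slot numbers (1 to 6) is a hypothetical chassis layout, not a value from this page, and the use of none as the keyword for an empty protocol filter is a general FortiOS CLI convention that this page does not state.

```python
"""Build and check a FortiGate-6000 `diagnose sniffer packet` command line.

Added example, not Fortinet code. Argument order follows the handbook:
  diagnose sniffer packet <interface> <protocol-filter> <verbose> <count>
                          <timestamp> <frame-size> <slot>
"""
import re
import shlex
from typing import Optional, Set

VERBOSE_LEVELS = {
    1: "packet headers only",
    2: "headers and IP data",
    3: "headers and Ethernet data",
    4: "headers and interface names",
    5: "headers, IP data, and interface names",
    6: "headers, Ethernet data, and interface names",
}
TIMESTAMP_FORMATS = {"a": "UTC", "l": "local"}

# Hypothetical chassis layout: which FPC slots are populated. Adjust to match
# the unit you are working on; this value is not from the handbook.
VALID_SLOTS = range(1, 7)


def parse_slot_spec(spec: str) -> Optional[Set[int]]:
    """Expand "4", "1,2,3,6" or "1-3,6" into a set of slot numbers.

    Returns None for "all". Raises ValueError for malformed elements,
    descending ranges, or slots that are not present in VALID_SLOTS.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return None
    slots: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad slot element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"descending range: {part!r}")
        for s in range(lo, hi + 1):
            if s not in VALID_SLOTS:
                raise ValueError(f"slot {s} is not present in this chassis")
            slots.add(s)
    return slots


def _fmt_run(lo: int, hi: int) -> str:
    return str(lo) if lo == hi else f"{lo}-{hi}"


def compact_slot_spec(slots: Set[int]) -> str:
    """Inverse of parse_slot_spec: {1, 2, 3, 6} -> "1-3,6"."""
    runs = []
    start = prev = None
    for s in sorted(slots):
        if start is None:
            start = prev = s
        elif s == prev + 1:
            prev = s
        else:
            runs.append(_fmt_run(start, prev))
            start = prev = s
    if start is not None:
        runs.append(_fmt_run(start, prev))
    return ",".join(runs)


def build_sniffer_cmd(interface: str, proto_filter: str, verbose: int,
                      count: int, timestamp: str, frame_size: int,
                      slot: Optional[str] = None) -> str:
    """Return the full command line. slot=None omits <slot>, so the
    `diagnose sniffer options slot` setting decides what is shown."""
    if verbose not in VERBOSE_LEVELS:
        raise ValueError(f"verbose must be 1-6, got {verbose}")
    if timestamp not in TIMESTAMP_FORMATS:
        raise ValueError("timestamp must be 'a' (UTC) or 'l' (local)")
    if count < 0 or frame_size < 0:
        raise ValueError("count and frame-size must be non-negative")
    # "none" is the FortiOS keyword for "no filter" (general CLI convention,
    # not stated on this page); multi-word filters are single-quoted.
    filt = shlex.quote(proto_filter) if proto_filter else "none"
    parts = ["diagnose", "sniffer", "packet", interface, filt,
             str(verbose), str(count), timestamp, str(frame_size)]
    if slot is not None:
        expanded = parse_slot_spec(slot)
        parts.append("all" if expanded is None else compact_slot_spec(expanded))
    return " ".join(parts)


if __name__ == "__main__":
    # DNS traffic on any interface, with interface names (verbose 4),
    # 10 packets, UTC timestamps, 1500-byte frames, FPCs in slots 1-3 and 6.
    print(build_sniffer_cmd("any", "udp and port 53", 4, 10, "a", 1500, "1,2,3,6"))
```

Verbose level 4 or higher is the useful minimum here: without interface names in the output you cannot tell which FPC interface, or which internal interface, a packet was seen on.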

Using the diagnose sniffer options slot command

You can use the diagnose sniffer options slot command to control what the diagnose sniffer packet command displays if you don't include the <slot> option. The default diagnose sniffer options slot setting causes the diagnose sniffer packet command to display packets processed by all FPCs and by the management board.

You can use the following command to only display packets processed by the management board:

diagnose sniffer options slot current

Then the next time you enter the diagnose sniffer packet command and leave out the <slot> option, only packets from the management board appear in the command output.

Filtering out internal management traffic

The FortiGate-6000 includes internal interfaces that carry management and synchronization traffic between FortiGate-6000 components. Because this traffic is carried on internal interfaces, it does not appear when you name one or more specific interfaces in the diagnose sniffer packet command. It can appear, however, when you sniff on any, because any includes the internal interfaces.

The diagnose sniffer options filter-out-internal-pkts option, when enabled (the default), filters this internal management traffic out of the output. Disable the option if you want to see the internal management traffic in the diagnose sniffer packet output.
