
FortiGate-7000F Handbook

Packet sniffing for FIM and FPM packets

From a VDOM, you can use the diagnose sniffer packet command to view or sniff packets as they are processed by FIM or FPMs for that VDOM. To use this command you have to be logged into a VDOM. You can run this command from any FIM or FPM CLI.

The command output includes the address of the slot containing the module that processed the packet. From the primary FIM, you can see packets processed by all of the FIMs and FPMs. From individual FIMs or FPMs you can see packets processed by that FIM or FPM.

From the primary FIM, you can enter the diagnose sniffer options slot current command to see only packets processed by the primary FIM. You can also enter the diagnose sniffer options slot default command to see packets processed by all modules.

The command syntax is:

diagnose sniffer packet <interface> <protocol-filter> <verbose> <count> <timestamp> <slot>

Where:

<interface> is the name of one or more interfaces on which to sniff for packets. Use any to sniff packets on all interfaces. To view management traffic, use the elbc-base-ctrl interface name.

<protocol-filter> is a filter that selects the protocol for which to view traffic. The filter can be simple, such as udp to view only UDP traffic, or complex, specifying a protocol, port, source and destination interface, and so on.

<verbose> is the amount of detail in the output, and can be:

  1. display packet headers only.
  2. display packet headers and IP data.
  3. display packet headers and Ethernet data (if available).
  4. display packet headers and interface names.
  5. display packet headers, IP data, and interface names.
  6. display packet headers, Ethernet data (if available), and interface names.

<count> is the number of packets to view. You can press Ctrl-C to stop the sniffer before the count is reached.

<timestamp> is the timestamp format: a for UTC time and l for local time.

Sample diagnose sniffer packet output from the primary FIM
[FPM04] 1.598890 3ffe:1:1:4::97b.13344 -> 3ffe:1:2:4::105.25: syn 151843506 
[FPM03] 1.214394 802.1Q vlan#4022 P0 3ffe:1:1:2::214.10012 -> 3ffe:1:2:2::103.53: udp 30
[FIM02] 2.177930 llc unnumbered, 23, flags [poll], length 40
[FIM01] 1.583778 172.30.248.99.57167 -> 10.160.19.70.443: ack 2403720303 
[FPM04] 1.598891 17.3.8.3.14471 -> 18.3.1.107.143: syn 2715027438 ^C
[FPM03] 1.214395 3ffe:1:1:2::214.10012 -> 3ffe:1:2:2::103.53: udp 30
[FIM01] 1.583779 172.30.248.99.57167 -> 10.160.19.70.443: ack 2403720303 
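When a capture like the one above is pasted out of the CLI, the useful follow-up question is which module handled which flow. The parser below is an added example, not Fortinet code: it reads the line format shown on this page ([slot] timestamp, an optional 802.1Q prefix, src.port -> dst.port: proto detail), tolerates the non-IP LLC line and a pasted ^C, and groups flows by the slots that processed them. The sample text is constructed from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample: the output lines shown on this page. The trailing ^C
# is the Ctrl-C that stopped the sniffer and is often pasted along with it.
SAMPLE = """\
[FPM04] 1.598890 3ffe:1:1:4::97b.13344 -> 3ffe:1:2:4::105.25: syn 151843506
[FPM03] 1.214394 802.1Q vlan#4022 P0 3ffe:1:1:2::214.10012 -> 3ffe:1:2:2::103.53: udp 30
[FIM02] 2.177930 llc unnumbered, 23, flags [poll], length 40
[FIM01] 1.583778 172.30.248.99.57167 -> 10.160.19.70.443: ack 2403720303
[FPM04] 1.598891 17.3.8.3.14471 -> 18.3.1.107.143: syn 2715027438 ^C
[FPM03] 1.214395 3ffe:1:1:2::214.10012 -> 3ffe:1:2:2::103.53: udp 30
[FIM01] 1.583779 172.30.248.99.57167 -> 10.160.19.70.443: ack 2403720303
"""

# "[slot] timestamp rest" is common to every line. The flow part is matched
# separately because non-IP frames (the LLC line) have no "src -> dst: proto".
LINE_RE = re.compile(r"^\[(?P<slot>[A-Z]+\d+)\]\s+(?P<ts>\d+\.\d+)\s+(?P<rest>.*)$")
FLOW_RE = re.compile(
    r"^(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\S+) -> (?P<dst>\S+): (?P<proto>\S+)\s*(?P<detail>.*)$")


def split_endpoint(endpoint):
    """'host.port' -> (host, port); rsplit keeps IPv6 colons and IPv4 dots intact."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a dict for one sniffer line, or None if it is not sniffer output."""
    m = LINE_RE.match(line.replace("^C", "").strip())
    if not m:
        return None
    pkt = {"slot": m["slot"], "ts": float(m["ts"]), "flow": None,
           "proto": None, "vlan": None, "detail": m["rest"]}
    f = FLOW_RE.match(m["rest"])
    if f:  # IP packet: expose the 4-tuple so flows can be grouped
        src, sport = split_endpoint(f["src"])
        dst, dport = split_endpoint(f["dst"])
        pkt.update(flow=(src, sport, dst, dport), proto=f["proto"],
                   vlan=int(f["vlan"]) if f["vlan"] else None, detail=f["detail"])
    return pkt


def slots_per_flow(text):
    """Map each (src, sport, dst, dport) flow to the set of slots that saw it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["flow"]:
            seen[pkt["flow"]].add(pkt["slot"])
    return dict(seen)
```

A flow that shows up under more than one slot is the first thing to check when a session misbehaves on a multi-module chassis; with the sample above every flow maps to exactly one module.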
