Fortinet black logo

Cookbook

Performing a sniffer trace (CLI and packet capture)

Copy Link
Copy Doc ID 9bd2f947-ece6-11ec-bb32-fa163e15d75b:680228
Download PDF

Performing a sniffer trace (CLI and packet capture)

When you troubleshoot networks and routing in particular, it helps to look inside the headers of packets to determine if they are traveling the route that you expect them to take. Packet sniffing is also known as network tap, packet capture, or logic analyzing.

caution icon

For FortiGates with NP2, NP4, or NP6 interfaces that are offloading traffic, disable offloading on these interfaces before you perform a trace or it will change the sniffer trace.

Sniffing packets

To perform a sniffer trace in the CLI:

Before you start sniffing packets, you should prepare to capture the output to a file. A large amount of data may scroll by and you will not be able to see it without saving it first. One method is to use a terminal program like puTTY to connect to the FortiGate CLI. Once the packet sniffing count is reached, you can end the session and analyze the output in the file.

The general form of the internal FortiOS packet sniffer command is:

diagnose sniffer packet <interface_name> <‘filter’> <verbose> <count> <tsformat>

To stop the sniffer, type CTRL+C.

<interface_name>

The name of the interface to sniff, such as port1 or internal. This can also be any to sniff all interfaces.

<‘filter’>

What to look for in the information the sniffer reads. none indicates no filtering, and all packets are displayed as the other arguments indicate.

The filter must be inside single quotes (‘).

<verbose>

The level of verbosity as one of:

1 - print header of packets
2 - print header and data from IP of packets
3 - print header and data from Ethernet of packets
4 - print header of packets with interface name

<count>

The number of packets the sniffer reads before stopping. If you don't put a number here, the sniffer will run until you stop it with <CTRL+C>.

<tsformat>

The timestamp format.
  • a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
  • l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
  • otherwise: relative to the start of sniffing, ss.ms
Simple sniffing example:

diagnose sniffer packet port1 none 1 3.

This displays the next three packets on the port1 interface using no filtering, and verbose level 1. At this verbosity level, you can see the source IP and port, the destination IP and port, action (such as ack), and sequence numbers.

In the output below, port 443 indicates these are HTTPS packets and that 172.20.120.17 is both sending and receiving traffic.

Head_Office_620b # diagnose sniffer packet port1 none 1 3

interfaces=[port1]

filters=[none]

0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757

0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808

0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933

Advanced sniffing example:

The following commands will report packets on any interface that are traveling between a computer with the host name of “PC1” and a computer with the host name of “PC2”. With verbosity 4 and above, the sniffer trace displays the interface names where traffic enters or leaves the FortiGate unit. To stop the sniffer, type CTRL+C.

FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4

or

FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4

The following CLI command for a sniffer includes the ARP protocol in the filter which may be useful to troubleshoot a failure in the ARP resolution. For example, PC2 may be down and not responding to the FortiGate ARP requests.

FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4

Using packet capture

To use packet capture, the FortiGate must have a disk. You can enable the capture-packet in the firewall policy.

To enable packet capture in the CLI:

config firewall policy

edit <id>

set capture-packet enable

end

To configure packet capture filters in the GUI:

Go to Network > Packet Capture.

When you add a packet capture filter, enter the following information and click OK.

Interface

Select the interface to sniff from the drop-down menu.

You must select one interface. You cannot change the interface without deleting the filter and creating a new one, unlike the other fields.

Max Packets to Save

Enter the number of packets to capture before the filter stops.

This number cannot be zero. You can halt the capturing before this number is reached.

Enable Filters

Select this option to specify filter fields.

Host(s)

Enter the IP address of one or more hosts.

Separate multiple hosts with commas. To enter a range, use a dash without spaces. For example, 172.16.1.5-172.16.1.15, or enter a subnet.

Port(s)

Enter one or more ports to capture on the selected interface.

Separate multiple ports with commas. To enter a range, use a dash without spaces, for example 88-90.

VLAN(s)

Enter one or more VLANs (if any). Separate multiple VLANs with commas.

Protocol

Enter one or more protocols. Separate multiple protocols with commas. To enter a range, use a dash without spaces. For example, 1-6, 17, 21-25.

Include IPv6 Packets

Select this option if you are troubleshooting IPv6 networking, or if your network uses IPv6. Otherwise, leave it disabled.

Include Non-IP Packets

The protocols in the list are all IP based except for ICMP (ping).

Use this feature to capture non-IP based packets. Examples of non-IP packets include IPsec, IGMP, ARP, and ICMP.

Managing filters

If you select a filter, you have the option to start and stop packet capture in the edit window, or download the captured packets. You can also see the filter status and the number of packets captured.

You can select the filter and start capturing packets. When the filter is running, the number of captured packets increases until it reaches the Max Packet Count or you stop it. You cannot download the output file while the filter is running.

Packet capture controls

To start, stop, or resume packet capture, use the symbols on the screen. These symbols are the same as those used for audio or video playback. Hover over the symbol to reveal explanatory text. Similarly, to download the *.pcap file, use the download symbol on the screen.

Downloading the file

You can download the *.pcap file when the packet capture is complete. You must use a third party application, such as Wireshark, to read *,pcap files. This tool provides you with extensive analytics and the full contents of the packets that were captured.

Performing a sniffer trace (CLI and packet capture)

When you troubleshoot networks and routing in particular, it helps to look inside the headers of packets to determine if they are traveling the route that you expect them to take. Packet sniffing is also known as network tap, packet capture, or logic analyzing.

caution icon

For FortiGates with NP2, NP4, or NP6 interfaces that are offloading traffic, disable offloading on these interfaces before you perform a trace or it will change the sniffer trace.

Sniffing packets

To perform a sniffer trace in the CLI:

Before you start sniffing packets, you should prepare to capture the output to a file. A large amount of data may scroll by and you will not be able to see it without saving it first. One method is to use a terminal program like puTTY to connect to the FortiGate CLI. Once the packet sniffing count is reached, you can end the session and analyze the output in the file.

The general form of the internal FortiOS packet sniffer command is:

diagnose sniffer packet <interface_name> <‘filter’> <verbose> <count> <tsformat>

To stop the sniffer, type CTRL+C.

<interface_name>

The name of the interface to sniff, such as port1 or internal. This can also be any to sniff all interfaces.

<‘filter’>

What to look for in the information the sniffer reads. none indicates no filtering, and all packets are displayed as the other arguments indicate.

The filter must be inside single quotes (‘).

<verbose>

The level of verbosity as one of:

1 - print header of packets
2 - print header and data from IP of packets
3 - print header and data from Ethernet of packets
4 - print header of packets with interface name

<count>

The number of packets the sniffer reads before stopping. If you don't put a number here, the sniffer will run until you stop it with <CTRL+C>.

<tsformat>

The timestamp format.
  • a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
  • l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
  • otherwise: relative to the start of sniffing, ss.ms
Simple sniffing example:

diagnose sniffer packet port1 none 1 3.

This displays the next three packets on the port1 interface using no filtering, and verbose level 1. At this verbosity level, you can see the source IP and port, the destination IP and port, action (such as ack), and sequence numbers.

In the output below, port 443 indicates these are HTTPS packets and that 172.20.120.17 is both sending and receiving traffic.

Head_Office_620b # diagnose sniffer packet port1 none 1 3

interfaces=[port1]

filters=[none]

0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757

0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808

0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933

Advanced sniffing example:

The following commands will report packets on any interface that are traveling between a computer with the host name of “PC1” and a computer with the host name of “PC2”. With verbosity 4 and above, the sniffer trace displays the interface names where traffic enters or leaves the FortiGate unit. To stop the sniffer, type CTRL+C.

FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4

or

FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4

The following CLI command for a sniffer includes the ARP protocol in the filter which may be useful to troubleshoot a failure in the ARP resolution. For example, PC2 may be down and not responding to the FortiGate ARP requests.

FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4

Using packet capture

To use packet capture, the FortiGate must have a disk. You can enable the capture-packet in the firewall policy.

To enable packet capture in the CLI:

config firewall policy

edit <id>

set capture-packet enable

end

To configure packet capture filters in the GUI:

Go to Network > Packet Capture.

When you add a packet capture filter, enter the following information and click OK.

Interface

Select the interface to sniff from the drop-down menu.

You must select one interface. You cannot change the interface without deleting the filter and creating a new one, unlike the other fields.

Max Packets to Save

Enter the number of packets to capture before the filter stops.

This number cannot be zero. You can halt the capturing before this number is reached.

Enable Filters

Select this option to specify filter fields.

Host(s)

Enter the IP address of one or more hosts.

Separate multiple hosts with commas. To enter a range, use a dash without spaces. For example, 172.16.1.5-172.16.1.15, or enter a subnet.

Port(s)

Enter one or more ports to capture on the selected interface.

Separate multiple ports with commas. To enter a range, use a dash without spaces, for example 88-90.

VLAN(s)

Enter one or more VLANs (if any). Separate multiple VLANs with commas.

Protocol

Enter one or more protocols. Separate multiple protocols with commas. To enter a range, use a dash without spaces. For example, 1-6, 17, 21-25.

Include IPv6 Packets

Select this option if you are troubleshooting IPv6 networking, or if your network uses IPv6. Otherwise, leave it disabled.

Include Non-IP Packets

The protocols in the list are all IP based except for ICMP (ping).

Use this feature to capture non-IP based packets. Examples of non-IP packets include IPsec, IGMP, ARP, and ICMP.

Managing filters

If you select a filter, you have the option to start and stop packet capture in the edit window, or download the captured packets. You can also see the filter status and the number of packets captured.

You can select the filter and start capturing packets. When the filter is running, the number of captured packets increases until it reaches the Max Packet Count or you stop it. You cannot download the output file while the filter is running.

Packet capture controls

To start, stop, or resume packet capture, use the symbols on the screen. These symbols are the same as those used for audio or video playback. Hover over the symbol to reveal explanatory text. Similarly, to download the *.pcap file, use the download symbol on the screen.

Downloading the file

You can download the *.pcap file when the packet capture is complete. You must use a third party application, such as Wireshark, to read *,pcap files. This tool provides you with extensive analytics and the full contents of the packets that were captured.