NP7 hyperscale firewall packet sniffer
You can use the following command as a hyperscale firewall packet sniffer. This packet sniffer displays information about packets offloaded by NP7 processors. You can also use this command to mirror sniffed packets to a FortiGate interface.
diagnose npu sniffer {start | stop | filter}
Use start and stop to start or stop displaying packets on the CLI. Before the sniffer will start, you need to use filter to specify the packets to display. Use the command diagnose sniffer packet npudbg to display sniffed packets on the CLI.
Use filter to create a definition of the types of packets to display. Filter options include:
selector
you can create up to four filters (numbered 0 to 3). Use this command to create a new filter or select the stored filter to be used when you start the packet sniffer. You can also use this command to have multiple filters active at one time. See below for an example of sniffing using multiple active filters.
intf <interface-name>
the name of an interface to display packets passing through that interface.
dir {0 | 1 | 2}
the direction of the packets passing through the interface. 0 displays ingress packets, 1 displays egress packets, and 2 displays both ingress and egress packets.
ethtype <type>
the ethertype of the packets to sniff if you want to see non-IP packets.
protocol <number>
the IP protocol number of the packets to sniff in the range 0 to 255. The packet sniffer can only sniff protocols that can be offloaded by the NP7 processors.
srcip <ipv4-ip-address>/<ipv4-mask>
an IPv4 IP address and netmask that matches the source address of the packets to be sniffed.
dstip <ipv4-ip-address>/<ipv4-mask>
an IPv4 IP address and netmask that matches the destination address of the packets to be sniffed.
ip <ipv4-ip-address>/<ipv4-mask>
an IPv4 IP address and netmask that matches a source or destination address in the packets to be sniffed.
srcip6 <ipv6-ip-address>/<ipv6-mask>
an IPv6 IP address and netmask that matches the source address of the packets to be sniffed.
dstip6 <ipv6-ip-address>/<ipv6-mask>
an IPv6 IP address and netmask that matches the destination address of the packets to be sniffed.
ip6 <ipv6-ip-address>/<ipv6-mask>
an IPv6 IP address and netmask that can match source or destination addresses in the packets to be sniffed.
sport <port-number>
layer 4 source port of the packets to be sniffed.
dport <port-number>
layer 4 destination port of the packets to be sniffed.
port <port-number>
layer 4 source or destination port of the packets to be sniffed.
outgoing_intf <interface>
the name of the interface out of which to send mirrored traffic matched by the filter.
outgoing_vlan <vlan-id>
the VLAN ID added to mirrored traffic matched by the filter and sent out the mirror interface.
clear
clear all filters.
Packet sniffer examples
First, a basic example to sniff offloaded TCP packets received by the port23 interface. In the following example:
- The first line clears the filter.
- The second line sets the sniffer to look for packets on port23.
- The third line sets the direction to 2, so packets entering and exiting the interface are matched.
- The fourth line looks for TCP packets (IP protocol 6).
- The fifth line starts the sniffer.
- The sixth line starts displaying the packets on the CLI.
diagnose npu sniffer filter clear
diagnose npu sniffer filter intf port23
diagnose npu sniffer filter dir 2
diagnose npu sniffer filter protocol 6
diagnose npu sniffer start
diagnose sniffer packet npudbg
Second, an example that uses the following two filters:
- The first filter, selector 0, looks for incoming and outgoing TCP packets on port1.
- The second filter, selector 1, looks for outgoing UDP packets on port2.
- The final line starts displaying packets for both filters on the CLI.
diagnose npu sniffer filter selector 0
diagnose npu sniffer filter intf port1
diagnose npu sniffer filter protocol 6
diagnose npu sniffer filter dir 2
diagnose npu sniffer start
diagnose npu sniffer filter selector 1
diagnose npu sniffer filter intf port2
diagnose npu sniffer filter protocol 17
diagnose npu sniffer filter dir 1
diagnose npu sniffer start
diagnose sniffer packet npudbg
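When the sniffer is driven from a script (for example over SSH during an incident), it helps to validate the filter values against the ranges documented above before sending anything to the firewall. The following helper is an added example and not Fortinet code: it takes one option dict per selector, checks selector (0 to 3), dir (0, 1, 2), protocol (0 to 255), port values and the IPv4/IPv6 address/mask options, and emits the same command sequence as the two examples above (filter lines, start per selector, then diagnose sniffer packet npudbg). Interface names and the ethtype, outgoing_intf and outgoing_vlan values are passed through unchecked.

```python
import ipaddress

# Allowed values taken from the option list on this page.
DIRECTIONS = {0, 1, 2}        # 0 ingress, 1 egress, 2 both
SELECTORS = range(0, 4)       # up to four filters, numbered 0 to 3
CIDR4_KEYS = {"srcip", "dstip", "ip"}
CIDR6_KEYS = {"srcip6", "dstip6", "ip6"}
PORT_KEYS = {"sport", "dport", "port"}


def _check(key, value):
    """Validate one filter option against the range documented for it."""
    if key == "dir" and int(value) not in DIRECTIONS:
        raise ValueError(f"dir must be 0, 1 or 2, got {value}")
    if key == "protocol" and not 0 <= int(value) <= 255:
        raise ValueError(f"protocol must be 0-255, got {value}")
    if key in PORT_KEYS and not 0 <= int(value) <= 65535:
        raise ValueError(f"{key} must be 0-65535, got {value}")
    if key in CIDR4_KEYS and ipaddress.ip_network(value, strict=False).version != 4:
        raise ValueError(f"{key} needs an IPv4 address/mask, got {value}")
    if key in CIDR6_KEYS and ipaddress.ip_network(value, strict=False).version != 6:
        raise ValueError(f"{key} needs an IPv6 address/mask, got {value}")


def build_sniffer_session(filters, clear_first=True):
    """Return the CLI lines for one NP7 sniffer session.

    `filters` is a list of dicts, one per selector, e.g.
    {"selector": 0, "intf": "port1", "protocol": 6, "dir": 2}.
    Each selector's filter options are followed by `start`; the session ends
    with `diagnose sniffer packet npudbg`, which displays packets for all
    active filters on the CLI.
    """
    if len(filters) > len(SELECTORS):
        raise ValueError("at most four filters (selectors 0 to 3) are supported")
    lines = ["diagnose npu sniffer filter clear"] if clear_first else []
    for spec in filters:
        sel = int(spec.get("selector", 0))   # selector 0 when none is given
        if sel not in SELECTORS:
            raise ValueError(f"selector must be 0-3, got {sel}")
        lines.append(f"diagnose npu sniffer filter selector {sel}")
        for key, value in spec.items():
            if key == "selector":
                continue
            _check(key, value)
            lines.append(f"diagnose npu sniffer filter {key} {value}")
        lines.append("diagnose npu sniffer start")
    lines.append("diagnose sniffer packet npudbg")
    return lines
```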