
Hardware Acceleration

NP7 packet sniffer


You can use the following command as a packet sniffer for traffic offloaded to NP7 processors. You can also use this command to mirror sniffed packets to a FortiGate interface.

diagnose npu sniffer {start | stop | filter}

Use start and stop to start or stop displaying packets on the CLI. Before the sniffer can start, you must use filter to specify the packets to display. Use the command diagnose sniffer packet npudbg to display sniffed packets on the CLI.

Use filter to create a definition of the types of packets to display. Filter options include:

selector: you can create up to four filters (numbered 0 to 3). Use this command to create a new filter or select the stored filter to be used when you start the packet sniffer. You can also use this command to have multiple filters active at one time. See below for an example of sniffing using multiple active filters.

intf <interface-name>: the name of an interface to display packets passing through that interface. You can monitor traffic on any interface except IPv4 or IPv6 IPsec VPN tunnel interfaces.

dir {0 | 1 | 2}: the direction of the packets passing through the interface. 0 displays ingress packets, 1 displays egress packets, and 2 displays both ingress and egress packets.

ethtype <type>: the ethertype of the packets to sniff if you want to see non-IP packets.

protocol <number>: the IP protocol number of the packets to sniff in the range 0 to 255. The packet sniffer can only sniff protocols that can be offloaded by the NP7 processors.

srcip <ipv4-ip-address>/<ipv4-mask>: an IPv4 IP address and netmask that matches the source address of the packets to be sniffed.

dstip <ipv4-ip-address>/<ipv4-mask>: an IPv4 IP address and netmask that matches the destination address of the packets to be sniffed.

ip <ipv4-ip-address>/<ipv4-mask>: an IPv4 IP address and netmask that matches a source or destination address in the packets to be sniffed.

srcip6 <ipv6-ip-address>/<ipv6-mask>: an IPv6 IP address and netmask that matches the source address of the packets to be sniffed.

dstip6 <ipv6-ip-address>/<ipv6-mask>: an IPv6 IP address and netmask that matches the destination address of the packets to be sniffed.

ip6 <ipv6-ip-address>/<ipv6-mask>: an IPv6 IP address and netmask that can match source or destination addresses in the packets to be sniffed.

sport <port-number>: layer 4 source port of the packets to be sniffed.

dport <port-number>: layer 4 destination port of the packets to be sniffed.

port <port-number>: layer 4 source or destination port of the packets to be sniffed.

outgoing_intf <interface>: the name of the interface out of which to send mirrored traffic matched by the filter.

outgoing_vlan <vlan-id>: the VLAN ID added to mirrored traffic matched by the filter and sent out the mirror interface.

clear: clear all filters.

Packet sniffer examples

See this Fortinet Community article for an NP7 packet sniffer example: Troubleshooting Tip: Collecting NP7 packet capture without disabling offload.

Here is a basic example to sniff offloaded TCP packets received by the port23 interface. In the following example:

  • The first line clears the filter.

  • The second line sets the sniffer to look for packets on port23.

  • The third line sets the direction to 2, which looks for both ingress and egress packets on the interface.

  • The fourth line looks for TCP packets.

  • The fifth line starts the sniffer.

  • The sixth line starts displaying the packets on the CLI.

diagnose npu sniffer filter

diagnose npu sniffer filter intf port23

diagnose npu sniffer filter dir 2

diagnose npu sniffer filter protocol 6

diagnose npu sniffer start

diagnose sniffer packet npudbg

An example that uses the following two filters:

  • The first filter, selector 0, looks for incoming and outgoing TCP packets on port1.

  • The second filter, selector 1, looks for outgoing UDP packets on port2.

  • The final line starts displaying packets for both filters on the CLI.

diagnose npu sniffer filter selector 0

diagnose npu sniffer filter intf port1

diagnose npu sniffer filter protocol 6

diagnose npu sniffer filter dir 2

diagnose npu sniffer start

diagnose npu sniffer filter selector 1

diagnose npu sniffer filter intf port2

diagnose npu sniffer filter protocol 17

diagnose npu sniffer filter dir 1

diagnose npu sniffer start

diagnose sniffer packet npudbg
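
Added example (not Fortinet code): a Python helper that checks filter definitions against the ranges listed above and emits the CLI lines in the same order as the two-filter example, so a capture or mirror setup can be reviewed before it is typed into a session. The names NpuFilter and build_session are hypothetical, and the 0 to 65535 port range is an assumption, since the page does not state one.

```python
from dataclasses import dataclass
from typing import List, Optional

PREFIX = "diagnose npu sniffer"


@dataclass
class NpuFilter:                          # hypothetical helper, not a Fortinet API
    selector: int                         # stored filter slot, 0 to 3
    intf: str                             # interface to sniff
    direction: int = 2                    # 0 ingress, 1 egress, 2 both
    protocol: Optional[int] = None        # IP protocol number, 0 to 255
    dport: Optional[int] = None           # layer 4 destination port
    outgoing_intf: Optional[str] = None   # mirror interface
    outgoing_vlan: Optional[int] = None   # VLAN ID added to mirrored traffic

    def commands(self) -> List[str]:
        if self.selector not in (0, 1, 2, 3):
            raise ValueError("selector must be 0 to 3")
        if self.direction not in (0, 1, 2):
            raise ValueError("dir must be 0, 1 or 2")
        if self.protocol is not None and not 0 <= self.protocol <= 255:
            raise ValueError("protocol must be 0 to 255")
        if self.dport is not None and not 0 <= self.dport <= 65535:
            raise ValueError("dport must be 0 to 65535 (assumed range)")
        options = [
            ("selector", self.selector), ("intf", self.intf),
            ("protocol", self.protocol), ("dir", self.direction),
            ("dport", self.dport), ("outgoing_intf", self.outgoing_intf),
            ("outgoing_vlan", self.outgoing_vlan),
        ]
        lines = [f"{PREFIX} filter {k} {v}" for k, v in options if v is not None]
        return lines + [f"{PREFIX} start"]


def build_session(filters: List[NpuFilter]) -> List[str]:
    """Return the full CLI sequence for one to four active filters."""
    if not 1 <= len(filters) <= 4:
        raise ValueError("between one and four filters are supported")
    if len({f.selector for f in filters}) != len(filters):
        raise ValueError("each filter needs its own selector")
    session: List[str] = []
    for f in filters:
        session += f.commands()
    return session + ["diagnose sniffer packet npudbg"]


if __name__ == "__main__":
    # Constructed input: the page's two-filter example.
    print("\n".join(build_session([NpuFilter(0, "port1", 2, 6), NpuFilter(1, "port2", 1, 17)])))
```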
