
Administration Guide

Performing a sniffer trace or packet capture

When you troubleshoot networks and routing in particular, it helps to look inside the headers of packets to determine if they are traveling the route that you expect them to take. Packet sniffing is also known as network tap, packet capture, or logic analyzing.

Caution: For FortiGates with NP2, NP4, or NP6 interfaces that are offloading traffic, disable offloading on these interfaces before you perform a trace; otherwise, the offloading changes what the sniffer trace shows.

Sniffing packets

To perform a sniffer trace in the CLI:

Before you start sniffing packets, you should prepare to capture the output to a file. A large amount of data may scroll by and you will not be able to see it without saving it first. One method is to use a terminal program like puTTY to connect to the FortiGate CLI. Once the packet sniffing count is reached, you can end the session and analyze the output in the file.

The general form of the internal FortiOS packet sniffer command is:

# diagnose sniffer packet <interface_name> <'filter'> <verbose> <count> <tsformat>

To stop the sniffer, type CTRL+C.

<interface_name>

The name of the interface to sniff, such as port1 or internal. This can also be any to sniff all interfaces.

<'filter'>

What to look for in the information the sniffer reads. none indicates no filtering, and all packets are displayed as the other arguments indicate.

The filter must be inside single quotes (').

<verbose>

The level of verbosity as one of:

  • 1 - print header of packets

  • 2 - print header and data from IP of packets

  • 3 - print header and data from Ethernet of packets

  • 4 - print header of packets with interface name

  • 5 - print header and data from IP of packets with interface name

  • 6 - print header and data from Ethernet of packets with interface name

<count>

The number of packets the sniffer reads before stopping. If you don't put a number here, the sniffer will run until you stop it with <CTRL+C>.

<tsformat>

The timestamp format.

  • a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
  • l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
  • otherwise: relative to the start of sniffing, ss.ms

Simple sniffing example:

# diagnose sniffer packet port1 none 1 3

This displays the next three packets on the port1 interface using no filtering, and verbose level 1. At this verbosity level, you can see the source IP and port, the destination IP and port, action (such as ack), and sequence numbers.

In the output below, port 443 indicates these are HTTPS packets and that 172.20.120.17 is both sending and receiving traffic.

Head_Office_620b # diagnose sniffer packet port1 none 1 3

interfaces=[port1]

filters=[none]

0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757

0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808

0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933
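Because the practical advice above is to save the session to a file and analyze it afterwards, a parser for that saved output is the tool most people end up writing. The following is an added example, not FortiOS code or a Fortinet utility. It embeds the three verbose-1 lines shown above as a constructed sample, turns them into packet records, and reports the observation the text makes (which hosts both send and receive, and on which service port). The layout of a verbose-4 line (interface name and in/out direction inserted before the endpoints) is an assumption, as is the heuristic that the lower of the two ports is the service side.

```python
"""Parse saved FortiOS 'diagnose sniffer packet' output (verbose 1, 4) into flows."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the verbose-1 session shown on this page, as it would be
# saved to a file by a terminal program such as PuTTY.
SAMPLE_OUTPUT = """\
Head_Office_620b # diagnose sniffer packet port1 none 1 3
interfaces=[port1]
filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757
0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808
0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933
"""

# Assumed layout of a verbose-4 line (interface and direction before the
# endpoints); constructed for this example, not taken from the page.
SAMPLE_VERBOSE4_LINE = "1.000000 port2 out 10.0.0.1.40000 -> 10.0.0.2.80: syn 1"

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<direction>in|out|--)\s+)?"  # present at verbose 4-6 (assumed)
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*"
    r"(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: float
    iface: Optional[str]
    direction: Optional[str]
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]
    ack: Optional[int]


def _tcp_fields(rest: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Split 'psh 3177924955 ack 1854307757' into (flags, seq, ack)."""
    tokens = rest.split()
    flags = tokens[0] if tokens else ""
    seq = int(tokens[1]) if len(tokens) > 1 and tokens[1].isdigit() else None
    ack = None
    if "ack" in tokens:
        i = tokens.index("ack")
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            ack = int(tokens[i + 1])
    return flags, seq, ack


def parse_line(line: str) -> Optional[Packet]:
    """One sniffer line to a Packet, or None for prompt/header/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags, seq, ack = _tcp_fields(m.group("rest"))
    return Packet(float(m.group("ts")), m.group("iface"), m.group("direction"),
                  m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), flags, seq, ack)


def parse_sniffer_output(text: str) -> Tuple[List[Packet], int]:
    """Return (packets, skipped). The echoed prompt and the interfaces=/filters=
    header lines do not match and are counted, not silently dropped."""
    packets, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt is None:
            skipped += 1
        else:
            packets.append(pkt)
    return packets, skipped


def hosts_sending_and_receiving(packets: List[Packet]) -> Set[str]:
    """Hosts seen as both source and destination (the page's point about 172.20.120.17)."""
    return {p.src for p in packets} & {p.dst for p in packets}


def service_port_counts(packets: List[Packet]) -> Counter:
    """Packets per service port; the lower port is assumed to be the service side."""
    return Counter(min(p.sport, p.dport) for p in packets)


def conversation_counts(packets: List[Packet]) -> Counter:
    """Packets per bidirectional conversation, keyed by the sorted endpoint pair."""
    return Counter(tuple(sorted([(p.src, p.sport), (p.dst, p.dport)])) for p in packets)


if __name__ == "__main__":
    pkts, skipped = parse_sniffer_output(SAMPLE_OUTPUT)
    print(f"{len(pkts)} packets parsed, {skipped} non-packet lines skipped")
    print("hosts both sending and receiving:", sorted(hosts_sending_and_receiving(pkts)))
    for (a, b), n in conversation_counts(pkts).most_common():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {n} packet(s)")
```

Non-matching lines are counted rather than discarded so that a capture saved at a verbosity this parser does not understand (verbose 2, 3, 5 and 6 add hex payload dumps) shows up as a high skipped count instead of a misleadingly small flow table.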

Advanced sniffing example:

The following commands will report packets on any interface that are traveling between a computer with the host name of “PC1” and a computer with the host name of “PC2”. With verbosity 4 and above, the sniffer trace displays the interface names where traffic enters or leaves the FortiGate unit. To stop the sniffer, type CTRL+C.

FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4

or

FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4

The following sniffer command adds the ARP protocol to the filter, which is useful when troubleshooting a failure in ARP resolution. For example, PC2 may be down and not responding to the FortiGate's ARP requests.

FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4

Using packet capture in a firewall policy

FortiGate can capture packets matching a firewall policy. You can enable capture-packet in the firewall policy.

To use packet capture, the FortiGate must have a disk and logging must be enabled in the firewall policy.

To enable packet capture in a policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Enter a name for the policy and configure the required settings.

  3. Enable Log Allowed Traffic and select Security Events or All Sessions.

  4. Enable Capture Packets.

  5. Click OK.

To enable packet capture in a policy in the CLI:

config firewall policy
    edit <id>
        set action accept
        set logtraffic {all | utm}
        set capture-packet enable
    next
end

To view the packet capture:
  1. Go to Log & Report > Forward Traffic and select the log that matches the firewall policy.

  2. Select Details > Archived Data and click on the download button.

  3. Open the downloaded PCAP file in a packet analyzer tool, such as Wireshark.

Packet capture filters

To configure packet capture filters in the GUI:
  1. Go to Network > Packet Capture and click Create New.

  2. Enter the following information:

    Interface

    Select the interface to sniff from the drop-down menu.

    You must select exactly one interface. Unlike the other fields, the interface cannot be changed after the filter is created; to capture on a different interface, delete the filter and create a new one.

    Max Packets to Save

    Enter the number of packets to capture before the filter stops.

    This number cannot be zero. You can halt the capturing before this number is reached.

    Enable Filters

    Select this option to specify filter fields.

    Host(s)

    Enter the IP address of one or more hosts.

    Separate multiple hosts with commas. To enter a range, use a dash without spaces. For example, 172.16.1.5-172.16.1.15, or enter a subnet.

    Port(s)

    Enter one or more ports to capture on the selected interface.

    Separate multiple ports with commas. To enter a range, use a dash without spaces, for example 88-90.

    VLAN(s)

    Enter one or more VLANs (if any). Separate multiple VLANs with commas.

    Protocol

    Enter one or more protocols. Separate multiple protocols with commas. To enter a range, use a dash without spaces. For example, 1-6, 17, 21-25.

    Include IPv6 Packets

    Select this option if you are troubleshooting IPv6 networking, or if your network uses IPv6. Otherwise, leave it disabled.

    Include Non-IP Packets

    The protocols in the list are all IP based except for ICMP (ping).

    Use this feature to capture non-IP based packets. Examples of non-IP packets include IPsec, IGMP, ARP, and ICMP.

  3. Click OK.
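The field syntax described in the table above (comma-separated items, ranges written with a dash and no spaces, subnets for hosts, a non-zero packet limit) is easy to get wrong when filters are prepared in a script or a change ticket. The following added example, which is not Fortinet code, parses and validates those fields locally before they are entered; the FortiGate still performs its own validation. The numeric bounds used for ports (1-65535), VLAN IDs (1-4094) and IP protocol numbers (0-255) are assumptions for this example, and validate_capture_filter is a hypothetical helper.

```python
"""Validate and expand the field syntax of Network > Packet Capture filters."""
import ipaddress
import re
from typing import Dict, List, Set

_NUM_RANGE = re.compile(r"^(\d+)-(\d+)$")                  # dash, no spaces
_IP_RANGE = re.compile(r"^([0-9a-fA-F.:]+)-([0-9a-fA-F.:]+)$")


def _split_items(field: str) -> List[str]:
    """Comma-separated items; whitespace around an item is tolerated, inside it is not."""
    items = [item.strip() for item in field.split(",")]
    if any(not item for item in items):
        raise ValueError(f"empty item in {field!r}")
    return items


def parse_number_list(field: str, lo: int, hi: int) -> Set[int]:
    """Expand e.g. '1-6, 17, 21-25' into a set and check every value lies in [lo, hi]."""
    values: Set[int] = set()
    for item in _split_items(field):
        m = _NUM_RANGE.match(item)
        if m:
            start, end = int(m.group(1)), int(m.group(2))
            if start > end:
                raise ValueError(f"reversed range {item!r}")
            values.update(range(start, end + 1))
        elif item.isdigit():
            values.add(int(item))
        else:
            raise ValueError(f"malformed item {item!r}: ranges use a dash without spaces")
    out_of_bounds = sorted(v for v in values if not lo <= v <= hi)
    if out_of_bounds:
        raise ValueError(f"values outside {lo}-{hi}: {out_of_bounds[:5]}")
    return values


def number_list_error(field: str, lo: int, hi: int) -> str:
    """Validation message for a numeric field, or '' when it is acceptable."""
    try:
        parse_number_list(field, lo, hi)
        return ""
    except ValueError as exc:
        return str(exc)


def parse_host_list(field: str) -> List[tuple]:
    """Each item is a single address, a first-last range, or a subnet.
    Returns a list of (first_address, last_address) pairs."""
    ranges = []
    for item in _split_items(field):
        if "/" in item:                               # subnet, e.g. 10.1.2.0/24
            net = ipaddress.ip_network(item, strict=False)
            ranges.append((net[0], net[-1]))
            continue
        m = _IP_RANGE.match(item)
        if m:                                         # range, e.g. 172.16.1.5-172.16.1.15
            first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            if first.version != last.version or first > last:
                raise ValueError(f"bad host range {item!r}")
            ranges.append((first, last))
        else:                                         # single host; ValueError on junk
            addr = ipaddress.ip_address(item)
            ranges.append((addr, addr))
    return ranges


def host_count(ranges: List[tuple]) -> int:
    """Number of individual addresses covered by the parsed host ranges."""
    return sum(int(last) - int(first) + 1 for first, last in ranges)


def validate_capture_filter(interface: str, max_packets: int, hosts: str = "",
                            ports: str = "", vlans: str = "", protocols: str = "") -> Dict:
    """Hypothetical helper: normalize one filter as the GUI fields describe it."""
    if not interface:
        raise ValueError("exactly one interface is required")
    if max_packets <= 0:
        raise ValueError("Max Packets to Save cannot be zero")
    return {
        "interface": interface,
        "max_packets": max_packets,
        "hosts": parse_host_list(hosts) if hosts else [],
        "ports": parse_number_list(ports, 1, 65535) if ports else set(),
        "vlans": parse_number_list(vlans, 1, 4094) if vlans else set(),
        "protocols": parse_number_list(protocols, 0, 255) if protocols else set(),
    }


if __name__ == "__main__":
    # Constructed input mirroring the examples in the field table above.
    f = validate_capture_filter("port1", 200, hosts="172.16.1.5-172.16.1.15, 10.1.2.0/24",
                                ports="88-90, 443", protocols="1-6, 17, 21-25")
    print(f"{host_count(f['hosts'])} hosts, ports {sorted(f['ports'])}, "
          f"protocols {sorted(f['protocols'])}")
    print("bad port field:", number_list_error("88 - 90", 1, 65535))
```

The expansion also gives you a quick sanity check on scope: a host range or subnet that covers far more addresses than intended, or a protocol range that accidentally spans everything, shows up as a large host count or value set before the capture is started.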

Managing filters

If you select a filter, you have the option to start and stop packet capture in the edit window, or download the captured packets. You can also see the filter status and the number of packets captured.

You can select the filter and start capturing packets. When the filter is running, the number of captured packets increases until it reaches the Max Packet Count or you stop it. You cannot download the output file while the filter is running.

Packet capture controls

To start, stop, or resume packet capture, use the symbols on the screen. These symbols are the same as those used for audio or video playback. Hover over the symbol to reveal explanatory text. Similarly, to download the *.pcap file, use the download symbol on the screen.

Downloading the file

You can download the *.pcap file when the packet capture is complete. You must use a third-party application, such as Wireshark, to read *.pcap files. Such a tool provides extensive analysis and the full contents of the captured packets.
