Fortinet black logo

Administration Guide

Using the packet capture tool

Using the packet capture tool

Administrators can use the packet capture tool to select a packet and view its header and payload information in real-time. Once completed, packets can be filtered by various fields or through the search bar. The capture can be saved as a PCAP file that you can use with a third-party application, such as Wireshark, for further analysis.

Recent capture criteria is saved after the packet capture, and you can select and use the same criteria again.

For information about running a packet capture in the CLI, see Performing a sniffer trace or packet capture.

To use the packet capture tool in the GUI:
  1. Go to Network > Diagnostics and select the Packet Capture tab.

  2. Optionally, select an Interface (any is the default).

  3. Optionally, enable Filters and select a Filtering syntax:

    1. Basic: enter criteria for the Host, Port, and Protocol number.

    2. Advanced: enter a string, such as src host 172.16.200.254 and dst host 172.16.200.1 and dst port 443.

  4. Click Start capture. The capture is visible in real-time.

  5. While the capture is running, select a packet, then click the Headers or Packet Data tabs to view more information.

  6. When the capture is finished, click Save as pcap. The PCAP file is automatically downloaded.

  7. Optionally, use the Search bar or the column headers to filter the results further.

    The packet capture history is listed under Recent Capture Criteria in the right-side of the screen. Clicking the hyperlink will take you back to the main page with the interface and filter settings already populated.

Tooltip

For more granular sniffer output with various verbose settings, use diagnose sniffer packet <interface> <'filter'> <verbose> <count> <tsformat>. See Performing a sniffer trace or packet capture.

To use recent capture criteria:
  1. Go to Network > Diagnostics and select the Packet Capture tab.

  2. Under Recent Capture Criteria, click one of the saved capture criteria. The criteria populate the fields.

  3. Click Start Capture.

Using the packet capture tool

Administrators can use the packet capture tool to select a packet and view its header and payload information in real-time. Once completed, packets can be filtered by various fields or through the search bar. The capture can be saved as a PCAP file that you can use with a third-party application, such as Wireshark, for further analysis.

Recent capture criteria is saved after the packet capture, and you can select and use the same criteria again.

For information about running a packet capture in the CLI, see Performing a sniffer trace or packet capture.

To use the packet capture tool in the GUI:
  1. Go to Network > Diagnostics and select the Packet Capture tab.

  2. Optionally, select an Interface (any is the default).

  3. Optionally, enable Filters and select a Filtering syntax:

    1. Basic: enter criteria for the Host, Port, and Protocol number.

    2. Advanced: enter a string, such as src host 172.16.200.254 and dst host 172.16.200.1 and dst port 443.

  4. Click Start capture. The capture is visible in real-time.

  5. While the capture is running, select a packet, then click the Headers or Packet Data tabs to view more information.

  6. When the capture is finished, click Save as pcap. The PCAP file is automatically downloaded.

  7. Optionally, use the Search bar or the column headers to filter the results further.

    The packet capture history is listed under Recent Capture Criteria in the right-side of the screen. Clicking the hyperlink will take you back to the main page with the interface and filter settings already populated.

Tooltip

For more granular sniffer output with various verbose settings, use diagnose sniffer packet <interface> <'filter'> <verbose> <count> <tsformat>. See Performing a sniffer trace or packet capture.

To use recent capture criteria:
  1. Go to Network > Diagnostics and select the Packet Capture tab.

  2. Under Recent Capture Criteria, click one of the saved capture criteria. The criteria populate the fields.

  3. Click Start Capture.