Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.5 Administration Guide
    7.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Performing a sniffer trace or packet capture

    Performing a sniffer trace or packet capture

    When you troubleshoot networks and routing in particular, it helps to look inside the headers of packets to determine if they are traveling the route that you expect them to take. Packet sniffing is also known as network tap, packet capture, or logic analyzing.

    For more information on controlling GUI packet captures in the CLI, see Using the packet capture tool.

    caution icon

    For FortiGates with NP2, NP4, or NP6 interfaces that are offloading traffic, disable offloading on these interfaces before you perform a trace or it will change the sniffer trace.

    Sniffing packets

    To perform a sniffer trace in the CLI:

    Before you start sniffing packets, you should prepare to capture the output to a file. A large amount of data may scroll by and you will not be able to see it without saving it first. One method is to use a terminal program like PuTTY to connect to the FortiGate CLI. Once the packet sniffing count is reached, you can end the session and analyze the output in the file.

    The general form of the internal FortiOS packet sniffer command is:

    # diagnose sniffer packet <interface_name> <'filter'> <verbose> <count> <tsformat>

    To stop the sniffer, type CTRL+C.

    <interface_name>

    The name of the interface to sniff, such as port1 or internal. This can also be any to sniff all interfaces.

    <'filter'>

    What to look for in the information the sniffer reads. none indicates no filtering, and all packets are displayed as the other arguments indicate.

    The filter must be inside single quotes (‘).

    <verbose>

    The level of verbosity as one of:

    • 1 - print header of packets

    • 2 - print header and data from IP of packets

    • 3 - print header and data from Ethernet of packets

    • 4 - print header of packets with interface name

    • 5 - print header and data from IP of packets with interface name

    • 6 - print header and data from Ethernet of packets with interface name

    <count>

    The number of packets the sniffer reads before stopping. If you don't put a number here, the sniffer will run until you stop it with <CTRL+C>.

    <tsformat>

    The timestamp format.

    • a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms

    • l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms

    • otherwise: relative to the start of sniffing, ss.ms
    Simple sniffing example:
     # diagnose sniffer packet port1 none 1 3.

    This displays the next three packets on the port1 interface using no filtering, and verbose level 1. At this verbosity level, you can see the source IP and port, the destination IP and port, action (such as ack), and sequence numbers.

    In the output below, port 443 indicates these are HTTPS packets and that 172.20.120.17 is both sending and receiving traffic.

    Head_Office_620b # diagnose sniffer packet port1 none 1 3
interfaces=[port1]
filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757 
0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808 
0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933

    Using packet capture in a firewall policy

    FortiGate can capture packets matching a firewall policy. You can enable capture-packet in the firewall policy.

    To use packet capture, the FortiGate must have a disk and logging must be enabled in the firewall policy.

    For information about using the packet capture tool in the GUI, see Using the packet capture tool.

    To enable packet capture in a policy in the GUI:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Enter a name for the policy and configure the required settings.

    3. Enable Log Allowed Traffic and select Security Events or All Sessions.

    4. Enable Capture Packets.

    5. Click OK.

    To enable packet capture in a policy in the CLI:
    config firewall policy
    edit <id>
        set action accept
        set logtraffic {all | utm}
        set capture-packet enable
    next
end
    To view the packet capture:

    1. Go to Log & Report > Forward Traffic and select the log that matches the firewall policy.

    2. Select Details > Archived Data and click on the download button.

    3. Open the downloaded PCAP file in a packet analyzer tool, such as Wireshark.

    Previous
    Next

    Performing a sniffer trace or packet capture

    Performing a sniffer trace or packet capture

    When you troubleshoot networks and routing in particular, it helps to look inside the headers of packets to determine if they are traveling the route that you expect them to take. Packet sniffing is also known as network tap, packet capture, or logic analyzing.

    For more information on controlling GUI packet captures in the CLI, see Using the packet capture tool.

    caution icon

    For FortiGates with NP2, NP4, or NP6 interfaces that are offloading traffic, disable offloading on these interfaces before you perform a trace or it will change the sniffer trace.

    Sniffing packets

    To perform a sniffer trace in the CLI:

    Before you start sniffing packets, you should prepare to capture the output to a file. A large amount of data may scroll by and you will not be able to see it without saving it first. One method is to use a terminal program like PuTTY to connect to the FortiGate CLI. Once the packet sniffing count is reached, you can end the session and analyze the output in the file.

    The general form of the internal FortiOS packet sniffer command is:

    # diagnose sniffer packet <interface_name> <'filter'> <verbose> <count> <tsformat>

    To stop the sniffer, type CTRL+C.

    <interface_name>

    The name of the interface to sniff, such as port1 or internal. This can also be any to sniff all interfaces.

    <'filter'>

    What to look for in the information the sniffer reads. none indicates no filtering, and all packets are displayed as the other arguments indicate.

    The filter must be inside single quotes (‘).

    <verbose>

    The level of verbosity as one of:

    • 1 - print header of packets

    • 2 - print header and data from IP of packets

    • 3 - print header and data from Ethernet of packets

    • 4 - print header of packets with interface name

    • 5 - print header and data from IP of packets with interface name

    • 6 - print header and data from Ethernet of packets with interface name

    <count>

    The number of packets the sniffer reads before stopping. If you don't put a number here, the sniffer will run until you stop it with <CTRL+C>.

    <tsformat>

    The timestamp format.

    • a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms

    • l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms

    • otherwise: relative to the start of sniffing, ss.ms
    Simple sniffing example:
     # diagnose sniffer packet port1 none 1 3.

    This displays the next three packets on the port1 interface using no filtering, and verbose level 1. At this verbosity level, you can see the source IP and port, the destination IP and port, action (such as ack), and sequence numbers.

    In the output below, port 443 indicates these are HTTPS packets and that 172.20.120.17 is both sending and receiving traffic.

    Head_Office_620b # diagnose sniffer packet port1 none 1 3
interfaces=[port1]
filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757 
0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808 
0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933

    Using packet capture in a firewall policy

    FortiGate can capture packets matching a firewall policy. You can enable capture-packet in the firewall policy.

    To use packet capture, the FortiGate must have a disk and logging must be enabled in the firewall policy.

    For information about using the packet capture tool in the GUI, see Using the packet capture tool.

    To enable packet capture in a policy in the GUI:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Enter a name for the policy and configure the required settings.

    3. Enable Log Allowed Traffic and select Security Events or All Sessions.

    4. Enable Capture Packets.

    5. Click OK.

    To enable packet capture in a policy in the CLI:
    config firewall policy
    edit <id>
        set action accept
        set logtraffic {all | utm}
        set capture-packet enable
    next
end
    To view the packet capture:

    1. Go to Log & Report > Forward Traffic and select the log that matches the firewall policy.

    2. Select Details > Archived Data and click on the download button.

    3. Open the downloaded PCAP file in a packet analyzer tool, such as Wireshark.

    Previous
    Next