
Administration Guide

Using the packet capture tool

Administrators can use the packet capture tool to select a packet and view its header and payload information in real-time. Once completed, packets can be filtered by various fields or through the search bar. The capture can be saved as a PCAP file that you can use with a third-party application, such as Wireshark, for further analysis.

Packet capture criteria, such as the interface and filters, can be created and stored so that a capture can be re-initiated in the GUI with the same parameters. Capture cards on the Network > Diagnostics page are sorted alphabetically by configured name and colored according to state:

  • Green: The packet capture is running.

  • Gray: The packet capture has not started yet, has completed, or the capture files have been deleted.

When creating the packet capture:

  • The Name field must be a unique name for the packet capture criteria being configured.

  • Enabling Include non-IP packets allows packets that carry no IP header to be captured. Supported non-IP packet types are ARP, RARP, LLC, LLDP, VLAN, and LACPDU. When the packet capture is complete, supported non-IP packets include header information; unsupported types are displayed as Unknown.

  • After configuring the packet capture criteria, you can choose to Start capture, Save settings for later, or Close. Starting a packet capture or saving the configured settings will both store criteria for future use.
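As an added example that is not part of this guide, the following Python script reads a classic PCAP file, such as the one downloaded by Save as pcap, and labels each frame using the same non-IP type set described above (ARP, RARP, LLC, LLDP, VLAN, LACPDU), reporting any other type as Unknown. The EtherType values are the standard IEEE assignments, not values taken from the guide, and the PCAP bytes are constructed inline so the script runs offline.

```python
import struct

# EtherType labels for IP and the non-IP types the tool decodes (standard IEEE values)
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8035: "RARP", 0x88CC: "LLDP"}

def classify_frame(frame):
    """Label one Ethernet frame by its (possibly VLAN-tagged) EtherType."""
    if len(frame) < 14:
        return "Unknown"
    etype = struct.unpack("!H", frame[12:14])[0]
    label = ""
    if etype == 0x8100 and len(frame) >= 18:      # 802.1Q tag adds 4 bytes
        label = "VLAN/"
        etype = struct.unpack("!H", frame[16:18])[0]
    if etype <= 0x05DC:                           # a length field, not a type: LLC
        return label + "LLC"
    if etype == 0x8809:                           # Slow Protocols; subtype 1 is LACP
        payload = frame[18 if label else 14:]
        return label + ("LACPDU" if payload[:1] == b"\x01" else "Slow Protocols")
    return label + ETHERTYPES.get(etype, "Unknown")

def iter_pcap_frames(data):
    """Yield raw frames from a classic little-endian pcap with Ethernet link type."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def count_frame_types(pcap_bytes):
    """Count frames per label, e.g. to see how many the tool would show as Unknown."""
    counts = {}
    for frame in iter_pcap_frames(pcap_bytes):
        label = classify_frame(frame)
        counts[label] = counts.get(label, 0) + 1
    return counts

def build_pcap(frames):
    """Constructed sample input: wrap frames in pcap global and record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

MAC = b"\x00\x11\x22\x33\x44\x55" * 2  # constructed destination and source addresses
SAMPLE = build_pcap([MAC + b"\x08\x00" + b"\x45" + b"\x00" * 19,        # IPv4
                     MAC + b"\x08\x06" + b"\x00" * 28,                  # ARP
                     MAC + b"\x81\x00\x00\x0a\x88\xcc" + b"\x00" * 4,   # VLAN-tagged LLDP
                     MAC + b"\x88\x09\x01\x01" + b"\x00" * 10,          # LACPDU
                     MAC + b"\x00\x20\xaa\xaa\x03" + b"\x00" * 29,      # LLC (length field)
                     MAC + b"\x88\xb5" + b"\x00" * 20])                 # unsupported type
```

Replace SAMPLE with the bytes of a downloaded PCAP to tally the frame types in a real capture.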

System event logs are generated when a packet capture is started or stopped in the GUI.

To use the packet capture tool in the GUI:
  1. Go to Network > Diagnostics and select the Packet Capture tab.

  2. Optionally, select an Interface (any is the default).

  3. Optionally, enable Filters and select a Filtering syntax:

    1. Basic: enter criteria for the Host, Port, and Protocol number.

    2. Advanced: enter a string, such as src host 172.16.200.254 and dst host 172.16.200.1 and dst port 443.

  4. Click Start capture. The capture is visible in real-time.

  5. While the capture is running, select a packet, then click the Headers or Packet data tabs to view more information.

    Note

    When the packet capture is running, disable Auto-scroll to stop automatic scrolling behavior when new packets arrive.

  6. When the capture is finished, click Save as pcap. The PCAP file is automatically downloaded.

  7. Optionally, use the Search bar or the column headers to filter the results further.

Multiple packet captures

Multiple packet captures can be run simultaneously when several captures are needed for one situation. For example, the ingress and egress interfaces can be captured at the same time to compare traffic, or the physical interface and the VPN interface can be captured with different filters to see whether packets are leaving the VPN.

The packet capture dialog can be docked and minimized to run in the background. The minimized dialog aligns with other CLI terminals that are minimized.

Note

The number of packet captures and the number of packets that can be captured depend on the device model.

Whether the device model has disk storage affects when packet captures are deleted. Without disk storage, packet captures are deleted 24 hours after completion or immediately after reboot. With disk storage, packet captures are deleted after 7 days.

To find the limit on the number of packet captures supported for a specific device model, use the Maximum Values Table, and search for the object firewall.on-demand-sniffer.

To run multiple packet captures at the same time:
  1. Go to Network > Diagnostics.

  2. Configure the first packet capture:

    1. Click New packet capture.

    2. Select the Interface and configure other settings as needed.

    3. Click Start capture. The first packet capture begins.

  3. Minimize the packet capture. The packet capture continues to run.

  4. Configure the second packet capture:

    1. Click New packet capture.

    2. Select the Interface and configure other settings as needed.

    3. Click Start capture. The second packet capture begins.

  5. When the captures are complete, expand the dialog and select Save as pcap for each packet capture.

Controlling GUI packet captures in the CLI

GUI packet captures can be controlled in the CLI using the on-demand-sniffer commands.

To control GUI packet captures in the CLI:
  1. Add a new firewall on-demand sniffer table to store the GUI packet capture settings and filters:

    config firewall on-demand-sniffer
        edit "port1 Capture"
            set interface "port1"
            set max-packet-count 10000
            set advanced-filter "net 172.16.200.0/24 and port 443 and port 49257"
        next
    end
  2. Run packet capture commands:

    1. List all of the packet captures:

      # diagnose on-demand-sniffer list 
      mkey: port1 Capture
      interface: port1
      status: not_started
      start time: 
      end time:
    2. Start a packet capture:

      # diagnose on-demand-sniffer start "port1 Capture"
    3. Stop a packet capture:

      # diagnose on-demand-sniffer stop "port1 Capture" 
    4. Delete the result of a packet capture:

      # diagnose on-demand-sniffer delete-results "port1 Capture"

For more information about running a packet capture in the CLI, see Performing a sniffer trace or packet capture.