Administration Guide

Using the packet capture tool

Administrators can use the packet capture tool to select a packet and view its header and payload information in real time. Once the capture is complete, packets can be filtered by various fields or through the search bar. The capture can be saved as a PCAP file for further analysis in a third-party application such as Wireshark.

Recent capture criteria are saved after each packet capture, so you can select and reuse the same criteria later.

For information about running a packet capture in the CLI, see Performing a sniffer trace or packet capture.

To use the packet capture tool in the GUI:
  1. Go to Network > Diagnostics and select the Packet Capture tab.

  2. Optionally, select an Interface (any is the default).

  3. Optionally, enable Filters and select a Filtering syntax:

    1. Basic: enter criteria for the Host, Port, and Protocol number.

    2. Advanced: enter a string, such as src host 172.16.200.254 and dst host 172.16.200.1 and dst port 443.

  4. Click Start capture. The capture is visible in real time.

  5. While the capture is running, select a packet, then click the Headers or Packet Data tabs to view more information.

  6. When the capture is finished, click Save as pcap. The PCAP file is automatically downloaded.

  7. Optionally, use the Search bar or the column headers to filter the results further.

    The packet capture history is listed under Recent Capture Criteria on the right side of the screen. Clicking a hyperlink takes you back to the main page with the interface and filter settings already populated.

For more granular sniffer output with various verbose settings, use diagnose sniffer packet <interface> <'filter'> <verbose> <count> <tsformat>. See Performing a sniffer trace or packet capture.
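To make the advanced filter string in step 3 concrete, here is an added example (it is not Fortinet's code and not what the GUI runs internally): it writes a small capture in the classic libpcap format that Save as pcap downloads, reads it back, and evaluates the page's filter `src host 172.16.200.254 and dst host 172.16.200.1 and dst port 443` against each frame. The frames, addresses, ports and the `filter_pcap`/`parse_filter` helpers are all constructed here for illustration; only and-joined host, port and proto terms are supported, a small subset of the real filter syntax.

```python
"""Added example (not Fortinet's code): write a tiny PCAP like 'Save as pcap'
produces, read it back, and apply an and-joined host/port/proto filter in the
advanced syntax shown on the page. All packets, addresses and the file itself
are constructed test data."""
import io
import socket
import struct

LINKTYPE_ETHERNET = 1


def build_packet(src_ip, dst_ip, src_port, dst_port, proto=6, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    if proto == 6:  # TCP: 20-byte header, SYN flag, no options
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:  # UDP: 8-byte header
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + payload


def write_pcap(packets):
    """Serialize frames into classic libpcap format (magic 0xa1b2c3d4, v2.4)."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(packets):
        # record header: ts_sec, ts_usec, captured length, original length
        out.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield raw frames from a little-endian classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Pull the fields the filter needs out of an Ethernet/IPv4 frame."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None  # not IPv4; the filter terms here cannot match it
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport = dport = None
    if proto in (6, 17):  # TCP and UDP both start with source/destination port
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def parse_filter(expr):
    """Parse and-joined primitives: [src|dst] host A, [src|dst] port N, proto N."""
    preds = []
    for term in expr.split(" and "):
        words = term.strip().split()
        if len(words) == 3 and words[0] in ("src", "dst") and words[1] == "host":
            preds.append(lambda p, k=words[0], v=words[2]: p[k] == v)
        elif len(words) == 2 and words[0] == "host":
            preds.append(lambda p, v=words[1]: v in (p["src"], p["dst"]))
        elif len(words) == 3 and words[0] in ("src", "dst") and words[1] == "port":
            preds.append(lambda p, k=words[0][0] + "port", v=int(words[2]): p[k] == v)
        elif len(words) == 2 and words[0] == "port":
            preds.append(lambda p, v=int(words[1]): v in (p["sport"], p["dport"]))
        elif len(words) == 2 and words[0] == "proto":
            preds.append(lambda p, v=int(words[1]): p["proto"] == v)
        else:
            raise ValueError(f"unsupported filter term: {term!r}")
    return preds


def filter_pcap(data, expr):
    """Return indexes of frames in the pcap that satisfy every filter term."""
    preds = parse_filter(expr)
    hits = []
    for i, frame in enumerate(read_pcap(data)):
        fields = decode(frame)
        if fields and all(pred(fields) for pred in preds):
            hits.append(i)
    return hits


# Constructed sample: one frame matching the page's example filter, three that do not.
SAMPLE_PCAP = write_pcap([
    build_packet("172.16.200.254", "172.16.200.1", 51000, 443),           # matches
    build_packet("172.16.200.1", "172.16.200.254", 443, 51000),           # reply direction
    build_packet("10.0.0.1", "172.16.200.1", 52000, 443),                 # wrong source
    build_packet("172.16.200.254", "172.16.200.1", 53001, 53, proto=17),  # UDP, wrong port
])
PAGE_FILTER = "src host 172.16.200.254 and dst host 172.16.200.1 and dst port 443"

if __name__ == "__main__":
    print(filter_pcap(SAMPLE_PCAP, PAGE_FILTER))
```

Pointing `read_pcap` at a file downloaded by Save as pcap is a quick offline check that the capture really contains the flows the filter was meant to isolate before it is handed to Wireshark or attached to a ticket.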

To use recent capture criteria:
  1. Go to Network > Diagnostics and select the Packet Capture tab.

  2. Under Recent Capture Criteria, click one of the saved capture criteria. The criteria populate the fields.

  3. Click Start capture.

Multiple packet captures

Multiple packet captures can run simultaneously when one situation calls for several captures at once. For example, the ingress and egress interfaces can be captured at the same time to compare traffic, or the physical interface and the VPN interface can be captured with different filters to check whether packets are leaving the VPN.

The packet capture dialog can be docked and minimized to run in the background. The minimized dialog is placed alongside any other minimized CLI terminals.

To run multiple packet captures at the same time:
  1. Go to Network > Diagnostics.

  2. Configure the first packet capture:

    1. Click New packet capture. The Packet Capture (1) dialog is displayed.

    2. Select the Interface and configure other settings as needed.

    3. Click Start capture. The first packet capture begins.

  3. Minimize the packet capture. The packet capture continues to run.

  4. Configure the second packet capture:

    1. Click New packet capture. The Packet Capture (2) dialog is displayed.

    2. Select the Interface and configure other settings as needed.

    3. Click Start capture. The second packet capture begins.

  5. When the captures are complete, expand the dialog and select Save as pcap for each packet capture.
