sniffer
Use these commands to perform a packet trace.
Packet capture, also known as sniffing or packet tracing, records the packets seen by a network interface. This lets you trace low-level connection states to the exact point at which they fail, which helps you to diagnose problems that are otherwise difficult to detect, such as:
- dropped packets
- incomplete session setup
- ARP broadcast storms and bridge loops
- applications using multiple IP addresses or port numbers
- wrong routes or a stale route cache
- wrong NAT/PAT
FortiMail units have a built-in sniffer. Packet capture on FortiMail units is similar to that of FortiGate units.
For example, to test routes, you could run diagnose sniffer packet in one CLI session and execute ping in another. The trace shows the ICMP packets leaving FortiMail for the destination IP address, which interface and route they take, and whether any reply traffic is returning. To test email connections, start a packet trace and then connect from an SMTP client to FortiMail: the trace shows whether the SMTP session completes, whether FortiMail can reach its DNS servers to resolve FQDNs to IP addresses, and whether all required port numbers are allowed along the path.
Note: Packet capture can be very resource intensive. To minimize the performance impact on your FortiMail unit, use packet capture only during periods of low traffic, use a serial console CLI connection rather than a Telnet or SSH CLI connection (capturing on the interface that carries your own SSH session also records that session, which inflates the capture), filter out irrelevant packets, and stop the command when you are finished.
Preferences can be set in diagnose sniffer options commands. Alternatively, you can specify arguments at the end of each diagnose sniffer packet command. Arguments override the general preferences. To show current preferences, enter the command with no new value. For example:
FortiMail # diag sniff opt
System Time: 2025-05-27 13:54:20 EDT (Uptime: 3d 23h 56m)
current cli sniffer options:
interface : any
filter : none
count : -1
verbose : 1
timestamp : relative
filename-prefix :
duration : 00:00:30
run-type : foreground
file-size : 50
By default, when you run diagnose sniffer packet, output is shown in your CLI display until you stop it by either:
- pressing Ctrl + C
- entering the command diagnose sniffer stop
- reaching the limit set in <time-limit_str>, <packet-count_int>, or <file-size-limit_int>
Note: Don't read packet traces directly in your CLI display. Packets can arrive more rapidly than you can read them, and many protocols encode their payloads so that they are not readable as text. Save the capture to a file instead, then download and open the PCAP file in a network protocol analyzer application such as Wireshark. To do this, set run-type to background (or foreground_file) so that the capture is written to a PCAP file on the FortiMail unit, then upload that file to a TFTP server with diagnose sniffer dump.
Syntax
diagnose sniffer options run-type [{background | foreground | foreground_file}]
diagnose sniffer options duration [<time-limit_str>]
diagnose sniffer options count [<packet-count_int>]
diagnose sniffer options file-size [<file-size-limit_int>]
diagnose sniffer options filename-prefix [<file-name-prefix_str>]
diagnose sniffer options interface [<interface_name>]
diagnose sniffer options filter ['<filter_str>']
diagnose sniffer options timestamp [{a | <timestamp_str>}]
diagnose sniffer options verbose [{1 | 2 | 3 | 4 | 5 | 6}]
diagnose sniffer options
diagnose sniffer packet status
diagnose sniffer stop
diagnose sniffer file display
diagnose sniffer dump <file_name> <new-file_name> <tftp-server_ipv4>
diagnose sniffer file clear
Variables and their defaults:

filter '<filter_str>'
Type either none to capture all packets, or a filter that specifies which hosts, protocols and port numbers you do or do not want to capture. The filter uses the following syntax: '[[src|dst] host {<hostA_fqdn> | <hostA_ipv4>}] [and|or] [[src|dst] host {<hostB_fqdn> | <hostB_ipv4>}] [and|or] [[arp|ip|gre|esp|udp|tcp] port <portA_int>] [and|or] [[arp|ip|gre|esp|udp|tcp] port <portB_int>]'
To display all traffic between two devices, specify the IP addresses of both hosts. To display only forward or only reply packets, indicate which host is the source and which is the destination. For example, to display UDP port 1812 traffic from source A.example.com to destination B.example.com or C.example.com, you would enter: 'udp port 1812 and src host A.example.com and (dst host B.example.com or dst host C.example.com)'. Using IP addresses rather than FQDNs avoids a name lookup when the filter is applied, and keeps the capture working when DNS itself is what you are troubleshooting.
Default: none

verbose {1 | 2 | 3 | 4 | 5 | 6}
Type an integer indicating how much of each packet's headers and payload to display. The example output in this topic was captured at level 3, which prints a summary line for each packet followed by a hex and ASCII dump of the whole Ethernet frame. For troubleshooting purposes, Fortinet Technical Support may request a specific verbose level.
Default: 1

timestamp {a | <timestamp_str>}
Type either a for absolute time stamps, or <timestamp_str>. With the default, relative, each packet is stamped with the number of seconds elapsed since the capture started (for example 86.781809).
Default: relative

run-type {background | foreground | foreground_file}
Select whether to run the packet capture as a foreground process, whose output is shown in the CLI until it stops; a background process, which writes the capture to a PCAP file on the FortiMail unit (check it with diagnose sniffer packet status and list the files with diagnose sniffer file display); or foreground_file, which runs in the foreground and also writes the capture to a file.
Default: foreground

filename-prefix <file-name-prefix_str>
Type a file name prefix. If you will run multiple packet captures, this can help to distinguish them. The prefix is followed by an underscore and the date and time at which the capture started, such as SMTP-server1_2025-05-27-11-58-55.pcap. If there is no prefix, the file name is the date time stamp alone, such as _2025-05-23-17-44-27.pcap.
Default: none

file-size <file-size-limit_int>
Type the maximum file size, in megabytes (MB), of packets to capture before stopping.
Default: 50

<file_name>
Enter the name of an existing capture file on the FortiMail unit. To display a list of PCAP files, enter diagnose sniffer file display.

interface {<interface_name> | any}
Type the name of a network interface whose packets you want to capture, such as port1, or any to capture on all interfaces.
Default: any

<new-file_name>
Enter the name that the file will have when it is uploaded to the TFTP server.

count <packet-count_int>
Type the number of packets to capture before stopping. If you do not specify a number, or enter -1, the capture continues until you stop it or until the duration or file-size limit is reached.
Default: -1

<tftp-server_ipv4>
Enter the IP address of the TFTP server to upload the file to. TFTP is neither authenticated nor encrypted, and a capture of SMTP traffic can contain message content and credentials, so upload only over a trusted network and remove the files from the unit with diagnose sniffer file clear when you are done.

duration <time-limit_str>
Type the amount of time that the packet capture will run for, in the format hh:mm:ss.
Default: 00:00:30
Example
FortiMail # diagnose sniffer file display
System Time: 2025-05-27 09:38:17 EDT (Uptime: 18d 22h 35m)
_2025-05-23-17-44-27.pcap 3479828 Fri May 23 17:44:27 2025
FortiMail # diagnose sniffer options run-type background
System Time: 2025-05-27 11:50:24 EDT (Uptime: 19d 0h 47m)
run-type : background
FortiMail # diagnose sniffer options duration 00:00:03
System Time: 2025-05-27 11:51:14 EDT (Uptime: 19d 0h 48m)
duration : 00:00:03
FortiMail # diagnose sniffer options filename-prefix "SMTP-server1"
System Time: 2025-05-27 11:52:12 EDT (Uptime: 19d 0h 49m)
filename-prefix : SMTP-server1
FortiMail # diagnose sniffer options interface port2
System Time: 2025-05-27 11:52:26 EDT (Uptime: 19d 0h 49m)
interface : port2
FortiMail # diagnose sniffer options filter '(host 172.20.140.29 or host 172.20.212.15) and (tcp port 25 or udp port 53)'
System Time: 2025-05-27 11:56:19 EDT (Uptime: 19d 0h 53m)
filter : (host 172.20.140.29 or host 172.20.212.15) and (tcp port 25 or udp port 53)
FortiMail # diagnose sniffer options verbose 3
System Time: 2025-05-27 11:56:33 EDT (Uptime: 19d 0h 53m)
verbose : 3
FortiMail # diagnose sniffer options timestamp a
System Time: 2025-05-27 11:57:38 EDT (Uptime: 19d 0h 54m)
timestamp : a
FortiMail # diagnose sniffer packet
System Time: 2025-05-27 11:58:55 EDT (Uptime: 19d 0h 55m)
sniffer is running on background!
FortiMail # diagnose sniffer packet status
System Time: 2025-05-27 11:59:09 EDT (Uptime: 19d 0h 56m)
Status : Background sniffer is running
FortiMail # diagnose sniffer packet status
System Time: 2025-05-27 12:03:09 EDT (Uptime: 19d 1h 0m)
Status : No background sniffer running
FortiMail # diagnose sniffer file display
System Time: 2025-05-27 12:06:19 EDT (Uptime: 19d 1h 3m)
_2025-05-23-17-44-27.pcap 3479828 Fri May 23 17:44:27 2025
SMTP-server1_2025-05-27-11-58-55.pcap 24 Tue May 27 11:58:55 2025
FortiMail # diagnose sniffer dump SMTP-server1_2025-05-27-11-58-55.pcap new.pcap 192.168.1.10
System Time: 2025-05-27 12:16:31 EDT (Uptime: 19d 1h 13m)
Connect to tftp server 192.168.1.10 ...
Please wait...
...
FortiMail # diag sniffer packet port1 '(host 172.20.140.29 or host 172.20.212.15) and (tcp port 25 or udp port 53)' 3 5
System Time: 2025-05-27 12:54:48 EDT (Uptime: 19d 1h 51m)
interfaces=[any]
filters=[(host 172.20.140.29 or host 172.20.212.15) and (tcp port 25 or udp port 53)]
86.781809 172.20.140.29.36630 -> 172.20.140.223.53: udp 34
000000 00 00 00 00 00 00 00 0c 29 74 52 15 08 00 45 00 ........)tR...E.
000010 00 3e 31 40 40 00 40 11 98 49 ac 14 8c 1d ac 14 .>1@@.@..I......
000020 8c df 8f 16 00 35 00 2a 71 61 48 57 01 00 00 01 .....5.*qaHW....
000030 00 00 00 00 00 00 10 46 45 56 4d 30 34 54 4d 32 .......FEVM04TM2
000040 35 30 30 30 31 36 33 00 00 01 00 01 5000163.....
86.782502 172.20.140.223.53 -> 172.20.140.29.36630: udp 109
000000 00 00 00 00 00 01 00 0c 29 51 88 f4 08 00 45 00 ........)Q....E.
000010 00 89 57 20 00 00 40 11 b2 1e ac 14 8c df ac 14 ..W...@.........
000020 8c 1d 00 35 8f 16 00 75 73 01 48 57 81 83 00 01 ...5...us.HW....
000030 00 00 00 01 00 00 10 46 45 56 4d 30 34 54 4d 32 .......FEVM04TM2
000040 35 30 30 30 31 36 33 00 00 01 00 01 00 00 06 00 5000163.........
000050 01 00 00 09 e0 00 40 01 61 0c 72 6f 6f 74 2d 73 ......@.a.root-s
000060 65 72 76 65 72 73 03 6e 65 74 00 05 6e 73 74 6c ervers.net..nstl
000070 64 0c 76 65 72 69 73 69 67 6e 2d 67 72 73 03 63 d.verisign-grs.c
000080 6f 6d 00 78 b3 da 1d 00 00 07 08 00 00 03 84 00 om.x............
000090 09 3a 80 00 01 51 80 .:...Q.
...
11 packets received by filter
0 packets dropped by kernel
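The hex dump above is what a foreground capture at verbose level 3 gives you, and the note earlier in this topic explains why such output should be analyzed in Wireshark rather than read in the CLI. The following script is an added example, not part of this topic and not FortiMail's own tooling: it parses saved verbose-3 text (with the relative time stamp format shown above; the absolute format selected with timestamp a is not handled), writes a standard PCAP file that Wireshark can open, and decodes the DNS exchanges in the capture so you can check, as the start of this topic suggests, whether FortiMail's name lookups are being answered. The two frames embedded as sample input are copied from the example output above; the function and field names, and the assumption that the capture contains Ethernet frames, are the script's own.

```python
"""Convert saved FortiMail `diagnose sniffer packet` verbose-3 output to PCAP and
summarise the DNS packets in it. Added example, not FortiMail code; assumes the
relative time stamp format (seconds.microseconds) shown in this topic."""
import re
import struct
from dataclasses import dataclass

# Sample input: the two DNS frames from the example output in this topic.
SAMPLE = """\
86.781809 172.20.140.29.36630 -> 172.20.140.223.53: udp 34
000000 00 00 00 00 00 00 00 0c 29 74 52 15 08 00 45 00 ........)tR...E.
000010 00 3e 31 40 40 00 40 11 98 49 ac 14 8c 1d ac 14 .>1@@.@..I......
000020 8c df 8f 16 00 35 00 2a 71 61 48 57 01 00 00 01 .....5.*qaHW....
000030 00 00 00 00 00 00 10 46 45 56 4d 30 34 54 4d 32 .......FEVM04TM2
000040 35 30 30 30 31 36 33 00 00 01 00 01 5000163.....
86.782502 172.20.140.223.53 -> 172.20.140.29.36630: udp 109
000000 00 00 00 00 00 01 00 0c 29 51 88 f4 08 00 45 00 ........)Q....E.
000010 00 89 57 20 00 00 40 11 b2 1e ac 14 8c df ac 14 ..W...@.........
000020 8c 1d 00 35 8f 16 00 75 73 01 48 57 81 83 00 01 ...5...us.HW....
000030 00 00 00 01 00 00 10 46 45 56 4d 30 34 54 4d 32 .......FEVM04TM2
000040 35 30 30 30 31 36 33 00 00 01 00 01 00 00 06 00 5000163.........
000050 01 00 00 09 e0 00 40 01 61 0c 72 6f 6f 74 2d 73 ......@.a.root-s
000060 65 72 76 65 72 73 03 6e 65 74 00 05 6e 73 74 6c ervers.net..nstl
000070 64 0c 76 65 72 69 73 69 67 6e 2d 67 72 73 03 63 d.verisign-grs.c
000080 6f 6d 00 78 b3 da 1d 00 00 07 08 00 00 03 84 00 om.x............
000090 09 3a 80 00 01 51 80 .:...Q.
"""

# A summary line ("86.781809 a.b.c.d.port -> e.f.g.h.port: udp 34") starts a new frame.
HEADER_RE = re.compile(r"^(\d+)\.(\d+)\s+\S+\s+->\s+\S+:")
# A dump line: 6-digit hex offset, up to 16 hex bytes, then an ASCII column.
HEX_RE = re.compile(r"^([0-9a-f]{6})((?: [0-9a-f]{2}){1,16})", re.I)

@dataclass
class Frame:
    ts_sec: int
    ts_usec: int
    summary: str
    data: bytes

def _trim_to_ip_length(data: bytes) -> bytes:
    # On the last dump line the ASCII column may begin with two hex digits (e.g.
    # "5000163"), which the regex reads as one extra byte; cut the frame to the
    # length the IP header declares so that stray byte never reaches the PCAP.
    if len(data) >= 34 and data[12:14] == b"\x08\x00":
        return data[:14 + struct.unpack("!H", data[16:18])[0]]
    if len(data) >= 54 and data[12:14] == b"\x86\xdd":
        return data[:14 + 40 + struct.unpack("!H", data[18:20])[0]]
    return data

def parse_sniffer(text: str) -> list[Frame]:
    frames: list[Frame] = []
    cur, buf = None, bytearray()

    def flush():
        if cur is not None:
            cur.data = _trim_to_ip_length(bytes(buf))
            frames.append(cur)

    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            flush()
            usec = int(m[2][:6].ljust(6, "0"))
            cur, buf = Frame(int(m[1]), usec, line.strip(), b""), bytearray()
        elif cur is not None and (h := HEX_RE.match(line)):
            if int(h[1], 16) != len(buf):   # offsets must be contiguous
                raise ValueError(f"unexpected offset in line: {line!r}")
            buf += bytes.fromhex(h[2].replace(" ", ""))
    flush()
    return frames

def to_pcap(frames: list[Frame], linktype: int = 1) -> bytes:
    # Classic pcap: magic, version 2.4, zone 0, sigfigs 0, snaplen 65535, DLT_EN10MB.
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for f in frames:
        out += struct.pack("<IIII", f.ts_sec, f.ts_usec, len(f.data), len(f.data)) + f.data
    return bytes(out)

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def dns_summary(frames: list[Frame]) -> list[dict]:
    # Decode Ethernet/IPv4/UDP and report id, question name, direction and RCODE
    # of every DNS packet: enough to tell an unanswered lookup from a bad answer.
    rows = []
    for f in frames:
        d = f.data
        if len(d) < 42 or d[12:14] != b"\x08\x00" or d[23] != 17:   # IPv4 + UDP only
            continue
        udp = 14 + (d[14] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", d[udp:udp + 4])
        dns = d[udp + 8:]
        if 53 not in (sport, dport) or len(dns) < 12:
            continue
        qid, flags = struct.unpack("!HH", dns[:4])
        labels, pos = [], 12
        while pos < len(dns) and 0 < dns[pos] < 0xC0:    # stop at root label or pointer
            labels.append(dns[pos + 1:pos + 1 + dns[pos]].decode("ascii", "replace"))
            pos += 1 + dns[pos]
        rows.append({"id": qid, "qname": ".".join(labels),
                     "response": bool(flags & 0x8000),
                     "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))})
    return rows

if __name__ == "__main__":
    import sys
    frames = parse_sniffer(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    with open("sniffer.pcap", "wb") as fh:
        fh.write(to_pcap(frames))
    for row in dns_summary(frames):
        print(row)
```

Run it with the path of a saved terminal log as its argument (or with no argument to use the embedded sample) and open sniffer.pcap in Wireshark. Against the sample it reports the A query for FEVM04TM25000163 and a reply whose RCODE is NXDOMAIN, which is what the flag bytes 81 83 in the second frame above encode: the DNS server was reachable and answered, but did not know the name.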