diagnose sniffer dump
Use this command to dump the data flow records (captured PCAP files) of the network port to a specific TFTP server.
Ensure the remote TFTP server has the file create permission, because the dump is written as a new file with the name you give it. TFTP has no authentication or encryption, so the capture crosses the network in cleartext; use a TFTP server on a management network you control.
Syntax
diagnose sniffer dump <tftp IP> <local sniffer file name> <remote tftp server file name>
To dump files from FortiNDR with the CLI:
- Specify the options and filters for file dumping with the following command:
diagnose sniffer packet
If traffic dumping is running in the background, you can stop it or view its progress with the stop and status variables. For more information, see diagnose sniffer packet.
- Get the PCAP's file name with the following command.
diagnose sniffer file
You will also need the file name to delete all captured PCAP files. For more information, see diagnose sniffer file.
- Transfer the previously dumped file to a TFTP server for further analysis.
diagnose sniffer dump
Example:
FortiNDR-3500F # diagnose sniffer packet port1 "none" 1 20000 a chi.pcap 1 background
System Time: 2022-11-17 17:40:24 PST (Uptime: 14d 20h 22m)
interfaces=[port1]
filters=[none]
sniffer dump into chi.pcap (500M size limit)
last about 60 second
37 packets received by filter
0 packets dropped by kernel
FortiNDR-3500F # diagnose sniffer file display
System Time: 2022-11-17 17:40:40 PST (Uptime: 14d 20h 22m)
abc.pcap_2022-10-13-16-34-34.pcap 278 Thu Oct 13 16:34:34 2022
chi.pcap_2022-11-17-17-40-24.pcap 24 Thu Nov 17 17:40:24 2022
chi.pcap_2022-10-13-16-29-37.pcap 57208 Thu Oct 13 16:29:37 2022
chi.pcap_2022-10-13-16-27-06.pcap 98162098 Thu Oct 13 16:27:06 2022
FortiNDR-3500F # diagnose sniffer dump 172.19.235.204 chi.pcap_2022-11-17-17-40-24.pcap new.pcap
System Time: 2022-11-17 17:41:33 PST (Uptime: 14d 20h 23m)
Connect to tftp server 172.19.235.204 ...
Please wait...
#
Send sniffer file to tftp server OK.
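Once the file has landed on the TFTP server, it is worth checking it before analysis: TFTP gives no integrity guarantee, and a capture stopped by the size limit or an interrupted transfer can end in the middle of a packet record. The following script is an added example, not part of the FortiNDR documentation or product: it parses the classic PCAP format the sniffer writes, counts the records, flags a truncated tail, records a SHA-256 for chain of custody, and compares the count with the "packets received by filter" figure the appliance printed. The sample frames and the in-memory PCAP are constructed here so the check runs offline; a real run would read the transferred file (new.pcap in the example above) instead.

```python
import hashlib
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # classic pcap, nanosecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed sample frames (an ARP-shaped and an IPv4-shaped Ethernet frame),
# used only to build an in-memory PCAP for demonstration.
FRAMES = [
    bytes.fromhex("ffffffffffff" "0242ac110002" "0806") + b"\x00" * 28,
    bytes.fromhex("0242ac110001" "0242ac110002" "0800") + b"\x45" + b"\x00" * 19,
]


def build_sample_pcap(frames, byteorder="<"):
    """Constructed test data: a pcap global header followed by one record per frame."""
    hdr = struct.pack(byteorder + "IHHiIII",
                      PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b""
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        body += struct.pack(byteorder + "IIII", 1668735624 + i, 0,
                            len(frame), len(frame)) + frame
    return hdr + body


def inspect_pcap(data):
    """Parse a classic PCAP (not pcapng) and report what a reviewer needs before
    trusting it: version, link type, record count, whether the file ends inside a
    record (truncated capture or transfer), and the SHA-256 of the bytes received."""
    if len(data) < 24:
        raise ValueError("shorter than a PCAP global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        bo = "<"                      # file written little-endian
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        bo = ">"                      # same magics seen byte-swapped: big-endian file
    else:
        raise ValueError("not a classic PCAP file (magic 0x%08x)" % magic)
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(bo + "IHHiIII", data[:24])

    offset, packets, truncated = 24, 0, False
    while offset < len(data):
        if offset + 16 > len(data):   # partial record header at the tail
            truncated = True
            break
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(bo + "IIII", data[offset:offset + 16])
        # incl_len may never exceed the capture length or the snaplen the writer declared
        if incl_len > orig_len or (snaplen and incl_len > snaplen):
            raise ValueError("corrupt record header at offset %d" % offset)
        if offset + 16 + incl_len > len(data):   # record body cut off
            truncated = True
            break
        offset += 16 + incl_len
        packets += 1
    return {
        "version": (vmaj, vmin),
        "linktype": linktype,
        "packets": packets,
        "truncated": truncated,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_transfer(data, reported_packets):
    """Compare the received file with the count the sniffer printed
    ('37 packets received by filter' in the example). Returns (info, problems)."""
    info = inspect_pcap(data)
    problems = []
    if info["truncated"]:
        problems.append("file ends in the middle of a packet record")
    if info["packets"] != reported_packets:
        problems.append("sniffer reported %d packets, file holds %d"
                        % (reported_packets, info["packets"]))
    return info, problems


SAMPLE = build_sample_pcap(FRAMES)

if __name__ == "__main__":
    info, problems = verify_transfer(SAMPLE, len(FRAMES))
    print("packets=%d truncated=%s sha256=%s" % (info["packets"], info["truncated"], info["sha256"]))
    for p in problems:
        print("PROBLEM:", p)
```

To use it on a real transfer, replace SAMPLE with the bytes of the file on the TFTP server and pass the packet count from the sniffer's output as reported_packets; a truncated flag or a count mismatch means the capture should be re-run or re-sent before any conclusions are drawn from it.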