Fortinet white logo
Fortinet white logo

sniffer-packet

sniffer-packet

Capture network packets.

Usage

execute sniffer-packet <port> <filter> <count> <timestamp_format> <verbose>

Arguments

Argument

Description

port

Enter the name of the network interface on which to capture packets.

The following values are accepted:

  • port1

  • port2

  • port3

  • port4

  • any

Enter any to capture packets on all interfaces.

filter

Enter none to capture all packets, or enter a filter that specifies which protocols and port numbers to capture, such as tcp port 25. Surround the filter string in quotes.

The filter uses the following syntax:

'[[src|dst] host {<host1_fqdn> | <host1_ipv4>}] [and|or] [[src|dst] host {<host2_fqdn> | <host2_ipv4>}] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port1_int>] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port2_int>]'

To display only the traffic between two hosts, specify the IP addresses of both hosts. To display only forward or only reply packets, indicate which host is the source and which is the destination.

For example, to display UDP port 1812 traffic between 1.example.com and either 2.example.com or 3.example.com, use the following filter:

'udp and port 1812 and src host 1.example.com and dst ( 2.example.com or 2.example.com )'

count

Enter the number of packets to capture.

timestamp_format

Enter the timestamp format to use in the output. Enter one of the following:

  • a: Absolute UTS time (yyyy-mm-dd hh:mm:ss.ms)

  • r: Relative to the start of sniffing (hh:mm:ss.ms)

verbose

Enter the verbosity level of the output.

The following numeric values are accepted:

  • 1: Print just the header of packets (default).

  • 2: Print header and data from IP of packets, and slightly more verbose output, including the time to live, identification, total length, and options in an IP packet. This level also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

  • 3: Print header and data from ethernet of packets (if available), and even more verbose output. This includes additional fields from NFS reply packets. SMB packets are fully decoded and telnet SB ... SE options are printed in full.

For troubleshooting purposes, Fortinet Technical Support may request the most verbose level (3).

sniffer-packet

sniffer-packet

Capture network packets.

Usage

execute sniffer-packet <port> <filter> <count> <timestamp_format> <verbose>

Arguments

Argument

Description

port

Enter the name of the network interface on which to capture packets.

The following values are accepted:

  • port1

  • port2

  • port3

  • port4

  • any

Enter any to capture packets on all interfaces.

filter

Enter none to capture all packets, or enter a filter that specifies which protocols and port numbers to capture, such as tcp port 25. Surround the filter string in quotes.

The filter uses the following syntax:

'[[src|dst] host {<host1_fqdn> | <host1_ipv4>}] [and|or] [[src|dst] host {<host2_fqdn> | <host2_ipv4>}] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port1_int>] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port2_int>]'

To display only the traffic between two hosts, specify the IP addresses of both hosts. To display only forward or only reply packets, indicate which host is the source and which is the destination.

For example, to display UDP port 1812 traffic between 1.example.com and either 2.example.com or 3.example.com, use the following filter:

'udp and port 1812 and src host 1.example.com and dst ( 2.example.com or 2.example.com )'

count

Enter the number of packets to capture.

timestamp_format

Enter the timestamp format to use in the output. Enter one of the following:

  • a: Absolute UTS time (yyyy-mm-dd hh:mm:ss.ms)

  • r: Relative to the start of sniffing (hh:mm:ss.ms)

verbose

Enter the verbosity level of the output.

The following numeric values are accepted:

  • 1: Print just the header of packets (default).

  • 2: Print header and data from IP of packets, and slightly more verbose output, including the time to live, identification, total length, and options in an IP packet. This level also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

  • 3: Print header and data from ethernet of packets (if available), and even more verbose output. This includes additional fields from NFS reply packets. SMB packets are fully decoded and telnet SB ... SE options are printed in full.

For troubleshooting purposes, Fortinet Technical Support may request the most verbose level (3).