Administration Guide

Packet capture

When troubleshooting networks, it helps to look inside the headers of the packets. This lets you confirm that the packets, the route, and the destination are all what you expect. Packet capture is also called network tapping, packet sniffing, or logic analyzing.

To capture packets:
  1. Creating a packet-capture profile.
  2. Starting the packet capture.
  3. Pausing or stopping the packet capture.
  4. Displaying or uploading the packet capture.
  5. Deleting the packet-capture file.

The maximum number of packet-capture profiles and the RAM disk size allotted for packet captures are different for the various platforms:

Platform   Maximum number of profiles   RAM disk size in MB
1xx        8                            20
2xx        8                            50
4xx        16                           75
5xx        16                           100
1xxx       16                           100
3xxx       16                           100

Creating a packet-capture profile

To specify which packets to capture, define a filter and select a switch or system interface on which to capture the packets. You cannot select both a switch interface and a system interface.

The filter uses flexible logic. For example, if you want packets using UDP port 1812 between hosts named forti1 and either forti2 or forti3:

'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'

You can specify the number of packets to capture and the maximum length, in bytes, to keep from each packet. The maximum number of packets that can be captured depends on the RAM disk size of the platform.

Using the GUI:
  1. Go to System > Packet Capture.
  2. Select Add Packet Capture.
  3. Enter a name for the packet-capture profile.
  4. Select the switch or system interface that you want to capture packets on.
  5. Enter how many packets to capture on the selected interface.
  6. Enter the maximum packet length in bytes to capture on the interface.
  7. If you want to use a filter to select which packets to capture, select the Filter checkbox.
    1. If you want to filter by hosts, enter the IP addresses, separated with commas.
    2. If you want to filter by ports, enter port numbers or ranges, separated with commas.
    3. If you want to filter by VLANs, enter VLAN numbers, separated with commas.
    4. If you want to filter by protocols, enter the numbers, separated with commas.
  8. Select Add.

Using the CLI:

config system sniffer-profile
  edit <profile_name>
    set filter {<string> | none}
    set max-pkt-count <1-maximum>
    set max-pkt-len <64-1534>
    set switch-interface <switch_interface_name>
    set system-interface <system_interface_name>
end

For example:

config system sniffer-profile
  edit profile1
    set filter none
    set max-pkt-count 100
    set max-pkt-len 100
    set system-interface mgmt
end
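The filter expression, the max-pkt-len range, the one-interface rule and the per-platform RAM disk budget above are easy to get wrong by hand. The following is an added example, not Fortinet's code: it builds the filter expression from the same host, port, VLAN and protocol lists the GUI asks for, checks a profile against the limits stated on this page, and renders the CLI block. Its .pcap size estimate assumes the standard libpcap file layout (24-byte file header, 16-byte per-record header) and only approximates the switch's own RAM-disk accounting; the assumption that the GUI's "protocol numbers" are IP protocol numbers is also the example's, not the page's.

```python
"""Profile pre-check and filter builder (added example, not Fortinet's code).
The parameter ranges, platform table and CLI layout come from this page; the
.pcap size estimate assumes the standard libpcap layout (24-byte file header,
16-byte record header) and approximates the switch's own RAM-disk accounting."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# (maximum profiles, RAM disk size in MB) per platform family, from the table above.
PLATFORM_LIMITS: Dict[str, Tuple[int, int]] = {
    "1xx": (8, 20), "2xx": (8, 50), "4xx": (16, 75),
    "5xx": (16, 100), "1xxx": (16, 100), "3xxx": (16, 100),
}
MIN_PKT_LEN, MAX_PKT_LEN = 64, 1534   # set max-pkt-len <64-1534>
PCAP_FILE_HDR, PCAP_REC_HDR = 24, 16  # libpcap file format (assumption about the .pcap)


def _any_of(terms: Sequence[str]) -> str:
    """One term as-is, several terms OR-ed inside parentheses."""
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def build_filter(hosts: Sequence[str] = (), ports: Sequence[str] = (),
                 vlans: Sequence[str] = (), protocols: Sequence[str] = ()) -> str:
    """Turn the GUI filter fields into one expression in the same style as the
    page's 'udp and port 1812 and host ...' example.  vlan goes first because
    in pcap-filter syntax it shifts the decoding offsets of everything after it.
    Assumption: the GUI's protocol numbers are IP protocol numbers (e.g. 17 = UDP)."""
    clauses: List[str] = []
    if vlans:
        clauses.append(_any_of([f"vlan {int(v)}" for v in vlans]))
    if hosts:  # ip_address() rejects anything that is not a literal IP address
        clauses.append(_any_of([f"host {ipaddress.ip_address(h)}" for h in hosts]))
    if protocols:
        clauses.append(_any_of([f"ip proto {int(p)}" for p in protocols]))
    if ports:  # "1812" -> port 1812, "1812-1813" -> portrange 1812-1813
        terms = []
        for p in ports:
            lo, _, hi = p.partition("-")
            terms.append(f"portrange {int(lo)}-{int(hi)}" if hi else f"port {int(lo)}")
        clauses.append(_any_of(terms))
    return " and ".join(clauses) if clauses else "none"


def estimate_capture_bytes(max_pkt_count: int, max_pkt_len: int) -> int:
    """Worst-case .pcap size when every packet is captured at max-pkt-len."""
    return PCAP_FILE_HDR + max_pkt_count * (PCAP_REC_HDR + max_pkt_len)


@dataclass
class SnifferProfile:
    name: str
    platform: str
    max_pkt_count: int
    max_pkt_len: int
    filter: str = "none"
    switch_interface: Optional[str] = None
    system_interface: Optional[str] = None

    def problems(self) -> List[str]:
        """Reasons not to commit this profile; an empty list means it passes."""
        issues: List[str] = []
        if not MIN_PKT_LEN <= self.max_pkt_len <= MAX_PKT_LEN:
            issues.append(f"max-pkt-len {self.max_pkt_len} is outside {MIN_PKT_LEN}-{MAX_PKT_LEN}")
        if self.max_pkt_count < 1:
            issues.append("max-pkt-count must be at least 1")
        # The page: a profile takes a switch interface or a system interface, never both.
        if bool(self.switch_interface) == bool(self.system_interface):
            issues.append("exactly one of switch-interface / system-interface is required")
        if self.platform not in PLATFORM_LIMITS:
            issues.append(f"unknown platform family {self.platform!r}")
        else:
            ram_bytes = PLATFORM_LIMITS[self.platform][1] * 1024 * 1024
            need = estimate_capture_bytes(self.max_pkt_count, self.max_pkt_len)
            if need > ram_bytes:
                issues.append(f"estimated capture of {need} bytes exceeds the "
                              f"{ram_bytes}-byte RAM disk; lower max-pkt-count or max-pkt-len")
        return issues

    def to_cli(self) -> str:
        """Render the 'config system sniffer-profile' block in the page's layout."""
        filt = "none" if self.filter == "none" else f"'{self.filter}'"
        lines = ["config system sniffer-profile", f"  edit {self.name}",
                 f"    set filter {filt}",
                 f"    set max-pkt-count {self.max_pkt_count}",
                 f"    set max-pkt-len {self.max_pkt_len}"]
        if self.switch_interface:
            lines.append(f"    set switch-interface {self.switch_interface}")
        if self.system_interface:
            lines.append(f"    set system-interface {self.system_interface}")
        lines.append("end")
        return "\n".join(lines)


if __name__ == "__main__":
    prof = SnifferProfile("profile1", "1xx", 100, 100, system_interface="mgmt",
                          filter=build_filter(hosts=["10.0.0.1"], ports=["1812"]))
    print("\n".join(prof.problems()) or prof.to_cli())
```

The page's own example escapes the parentheses as `\(` and `\)`; if the CLI you are typing into needs that, apply it to the string `build_filter` returns before pasting it. The RAM-disk check is deliberately pessimistic (every packet assumed to fill max-pkt-len), so a profile that passes it will also fit on the switch.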

Starting the packet capture

After you create a packet-capture profile, you can start the packet capture.

Using the GUI:
  1. Go to System > Packet Capture.
  2. Select .

Using the CLI:

execute system sniffer-profile start <profile_name>

For example:

execute system sniffer-profile start profile1

Pausing or stopping the packet capture

A packet capture continues to run until the max-pkt-count value is reached or the packet capture is paused or stopped. You can restart a paused packet capture.

Using the GUI:

Go to System > Packet Capture.

  • To pause a running packet capture, select .
  • To resume a paused packet capture, select .

Using the CLI:

To pause a running packet capture:

execute system sniffer-profile pause <profile_name>

To restart a paused packet capture:

execute system sniffer-profile start <profile_name>

To stop a running packet capture:

execute system sniffer-profile stop <profile_name>

Displaying or uploading the packet capture

You can display parsed information from the packet capture or upload the .pcap file to a TFTP or FTP server for further analysis.

Using the GUI:
  1. Go to System > Packet Capture.
  2. Select .

    The .pcap file is saved in your Downloads folder.

Using the CLI:

To display the packet capture from a specific packet-capture profile:

get system sniffer-profile capture <profile_name>

To upload the .pcap file for a specific packet-capture profile to an FTP server:

execute system sniffer-profile upload ftp <profile_name> <packet_capture_file_name.pcap> <FTP_server_IP_address>[:<optional_port>]

To upload the .pcap file for a specific packet-capture profile to a TFTP server:

execute system sniffer-profile upload tftp <profile_name> <packet_capture_file_name.pcap> <TFTP_server_IP_address>[:<optional_port>]
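Both FTP and TFTP move the .pcap file without encryption or integrity protection, so it is worth checking what actually arrived before spending time on analysis. The following is an added example, not Fortinet's code: it walks a downloaded .pcap, counts the records, reads the snapshot length (which should match the profile's max-pkt-len), flags packets that were cut short by that limit, and compares the result with the profile that produced it. It assumes the classic libpcap file format (magic 0xa1b2c3d4 in either byte order, 24-byte file header, 16-byte record header); the sample capture it checks is constructed in memory rather than taken from a switch.

```python
"""Sanity-check a .pcap uploaded from the switch (added example, not Fortinet's code).
Assumes the classic libpcap file format; the sample capture is constructed here."""
import struct
from dataclasses import dataclass
from typing import List

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


@dataclass
class CaptureSummary:
    packets: int
    snaplen: int          # file's snapshot length; should equal max-pkt-len
    link_type: int
    truncated: int        # records whose captured bytes < original length
    bytes_on_wire: int    # sum of original packet lengths


def summarize_pcap(data: bytes) -> CaptureSummary:
    """Parse the file header and every record, validating lengths as it goes.
    Raises ValueError on anything that is not a well-formed classic pcap."""
    if len(data) < 24:
        raise ValueError("file is shorter than a pcap file header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic.hex()})")
    # magic, version major/minor, timezone, sigfigs, snaplen, link type
    _, _, _, _, _, snaplen, link_type = struct.unpack(endian + "IHHiIII", data[:24])
    off, packets, truncated, wire = 24, 0, 0, 0
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"record at offset {off} has inconsistent lengths")
        if off + 16 + incl_len > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        packets += 1
        wire += orig_len
        if incl_len < orig_len:
            truncated += 1
        off += 16 + incl_len
    return CaptureSummary(packets, snaplen, link_type, truncated, wire)


def check_against_profile(summary: CaptureSummary, max_pkt_count: int,
                          max_pkt_len: int) -> List[str]:
    """Compare a parsed capture with the sniffer-profile that should have produced it."""
    warnings: List[str] = []
    if summary.snaplen != max_pkt_len:
        warnings.append(f"snaplen {summary.snaplen} differs from max-pkt-len {max_pkt_len}")
    if summary.packets > max_pkt_count:
        warnings.append(f"{summary.packets} packets exceeds max-pkt-count {max_pkt_count}")
    if summary.truncated:
        warnings.append(f"{summary.truncated} packet(s) cut short by max-pkt-len; "
                        "raise it if you need full payloads")
    return warnings


def make_sample_pcap(snaplen: int, wire_lengths: List[int]) -> bytes:
    """Construct a little-endian Ethernet pcap with zero-filled packets of the
    given on-wire lengths, each captured up to snaplen bytes (sample data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, orig in enumerate(wire_lengths):
        incl = min(orig, snaplen)
        out += struct.pack("<IIII", 1700000000 + i, 0, incl, orig) + b"\x00" * incl
    return out


if __name__ == "__main__":
    # Constructed capture: profile1 on this page uses max-pkt-count 100, max-pkt-len 100.
    sample = make_sample_pcap(100, [60, 100, 1514])
    summary = summarize_pcap(sample)
    print(summary)
    for w in check_against_profile(summary, max_pkt_count=100, max_pkt_len=100):
        print("warning:", w)
```

To run it against a real upload, read the file with `open(path, "rb").read()` and pass the bytes to `summarize_pcap`; a `ValueError` means the file did not arrive intact, which with FTP or TFTP is worth ruling out before drawing conclusions from the capture.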

Deleting the packet-capture file

After you have examined the packet capture, you can manually delete the .pcap file. You can delete the .pcap file only after the packet capture is stopped; you cannot delete it while the packet capture is paused or running. All .pcap files are deleted when you power cycle the switch.

Using the GUI:
  1. Go to System > Packet Capture.
  2. Select .

To delete all packet-capture files, select Select All and then select Delete.

Using the CLI:

execute system sniffer-profile delete-capture <profile_name>

For example:

execute system sniffer-profile delete-capture profile1
