Packet capture
When troubleshooting networks, it helps to look inside the header of the packets. This helps to determine if the packets, route, and destination are all what you expect. Packet capture is also called a network tap, packet sniffing, or logic analyzing.
To capture packets:
- Creating a packet-capture profile.
- Starting the packet capture.
- Pausing or stopping the packet capture.
- Displaying or uploading the packet capture.
- Deleting the packet-capture file.
The maximum number of packet-capture profiles and the RAM disk size allotted for packet captures are different for the various platforms:
Platform | Maximum number of profiles | RAM disk size in MB
---|---|---
1xx | 8 | 20
2xx | 8 | 50
4xx | 16 | 75
5xx | 16 | 100
1xxx | 16 | 100
3xxx | 16 | 100
Creating a packet-capture profile
To specify which packets to capture, define a filter and select a switch or system interface on which to capture the packets. You cannot select both a switch interface and a system interface.
The filter uses flexible logic. For example, to capture packets using UDP port 1812 between the host named forti1 and either forti2 or forti3:
'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'
You can specify the number of packets to capture and the maximum packet length to be captured. The maximum number of packets that can be captured depends on the RAM disk size.
Using the GUI:
- Go to System > Packet Capture.
- Select Add Packet Capture.
- Enter a name for the packet-capture profile.
- Select the switch or system interface that you want to capture packets on.
- Enter how many packets to capture on the selected interface.
- Enter the maximum packet length in bytes to capture on the interface.
- If you want to use a filter to select which packets to capture, select the Filter checkbox.
- If you want to filter by hosts, enter the IP addresses, separated with commas.
- If you want to filter by ports, enter port numbers or ranges, separated with commas.
- If you want to filter by VLANs, enter VLAN numbers, separated with commas.
- If you want to filter by protocols, enter the numbers, separated with commas.
- Select Add.
Using the CLI:
config system sniffer-profile
    edit <profile_name>
        set filter {<string> | none}
        set max-pkt-count <1-maximum>
        set max-pkt-len <64-1534>
        set switch-interface <switch_interface_name>
        set system-interface <system_interface_name>
end
For example:
config system sniffer-profile
    edit profile1
        set filter none
        set max-pkt-count 100
        set max-pkt-len 100
        set system-interface mgmt
end
Starting the packet capture
After you create a packet-capture profile, you can start the packet capture.
Using the GUI:
- Go to System > Packet Capture.
- Select .
Using the CLI:
execute system sniffer-profile start <profile-name>
For example:
execute system sniffer-profile start profile1
Pausing or stopping the packet capture
A packet capture continues to run until the max-pkt-count value is reached or until the packet capture is paused or stopped. You can restart a paused packet capture.
Using the GUI:
Go to System > Packet Capture.
- To pause a running packet capture, select .
- To resume a paused packet capture, select .
Using the CLI:
To pause a running packet capture:
execute system sniffer-profile pause <profile_name>
To restart a paused packet capture:
execute system sniffer-profile start <profile-name>
To stop a running packet capture:
execute system sniffer-profile stop <profile-name>
Displaying or uploading the packet capture
You can display parsed information from the packet capture or upload the .pcap file to a TFTP or FTP server for further analysis.
Using the GUI:
- Go to System > Packet Capture.
- Select .
The .pcap file is saved in your Downloads folder.
Using the CLI:
To display the packet capture from a specific packet-capture profile:
get system sniffer-profile capture <profile_name>
To upload the .pcap file for a specific packet-capture profile to an FTP server:
execute system sniffer-profile upload ftp <profile_name> <packet_capture_file_name.pcap> <FTP_server_IP_address:<optional_port>>
To upload the .pcap file for a specific packet-capture profile to a TFTP server:
execute system sniffer-profile upload tftp <profile_name> <packet_capture_file_name.pcap> <TFTP_server_IP_address:<optional_port>>
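Once the .pcap file has been downloaded or uploaded for further analysis, the filter logic from the example above ('udp and port 1812 and host forti1 and ( forti2 or forti3 )') can be re-applied offline to confirm the capture contains what you expect. The following Python is an added example, not part of this documentation or the FortiSwitch software; it assumes the hostnames forti1, forti2 and forti3 resolve to the constructed addresses 10.0.0.1, 10.0.0.2 and 10.0.0.3, and builds its own small pcap inline rather than reading a real capture.

```python
import socket
import struct

# Constructed addresses standing in for the hostnames in the filter example;
# forti1/forti2/forti3 are not resolved here, they are assumed to be these.
FORTI1, FORTI2, FORTI3 = "10.0.0.1", "10.0.0.2", "10.0.0.3"
UDP, TCP = 17, 6

def frame(src, dst, proto, sport, dport):
    """Ethernet/IPv4 frame with a UDP (8-byte) or TCP (20-byte) L4 header."""
    l4 = (struct.pack("!HHHH", sport, dport, 8, 0) if proto == UDP
          else struct.pack("!HH", sport, dport) + bytes(16))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))   # checksum 0, not verified
    return bytes(12) + struct.pack("!H", 0x0800) + ip + l4           # zero MACs, IPv4 ethertype

def build_pcap(frames):
    """Wrap frames in a minimal little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        # incl_len == orig_len here; a capture with max-pkt-len set may truncate incl_len
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def packets(pcap):
    """Yield (proto, src, dst, sport, dport) for each IPv4 packet in the file."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond-resolution pcap")
    off = 24
    while off < len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        data = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if struct.unpack_from("!H", data, 12)[0] != 0x0800:
            continue                                   # skip non-IPv4 frames
        ihl = (data[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(data[26:30]), socket.inet_ntoa(data[30:34])
        sport, dport = struct.unpack_from("!HH", data, 14 + ihl)
        yield data[23], src, dst, sport, dport

def match_filter(pkt):
    """'udp and port 1812 and host forti1 and (forti2 or forti3)' for one packet."""
    proto, src, dst, sport, dport = pkt
    hosts = {src, dst}
    return proto == UDP and 1812 in (sport, dport) and FORTI1 in hosts and bool(hosts & {FORTI2, FORTI3})

def matching_packets(pcap):
    return [i for i, pkt in enumerate(packets(pcap)) if match_filter(pkt)]

SAMPLE = build_pcap([                                 # constructed capture
    frame(FORTI1, FORTI2, UDP, 50000, 1812),          # forti1 -> forti2 RADIUS: match
    frame(FORTI3, FORTI1, UDP, 1812, 50001),          # forti3 -> forti1 reply: match
    frame(FORTI1, "10.0.0.9", UDP, 50002, 1812),      # peer outside the filter: no match
    frame(FORTI1, FORTI2, TCP, 50003, 1812),          # TCP, not UDP: no match
    frame(FORTI2, FORTI3, UDP, 50004, 1812),          # forti1 absent: no match
])
```

Running matching_packets(SAMPLE) returns the indices of the two packets the switch filter would have kept; pointing build_pcap's output at a real downloaded capture is a matter of reading the file bytes instead.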
Deleting the packet-capture file
After you have examined the packet capture, you can manually delete the .pcap file. You can only delete the .pcap file after the packet capture is stopped; you cannot delete it while the packet capture is paused or running. All .pcap files are deleted when you power cycle the switch.
Using the GUI:
- Go to System > Packet Capture.
- Select .
To delete all packet-capture files, select Select All and then select Delete.
Using the CLI:
execute system sniffer-profile delete-capture <profile_name>
For example:
execute system sniffer-profile delete-capture profile1