CLI Reference

network sniffer

Use this command to perform a packet trace on one or more network interfaces.

Packet capture, also known as sniffing or packet analysis, records some or all of the packets seen by a network interface (that is, the network interface is used in promiscuous mode). By recording packets, you can trace connection states to the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to detect.

FortiWeb appliances have a built-in sniffer. Packet capture on FortiWeb appliances is similar to that of FortiGate appliances. Packet capture output appears on your CLI display until you stop it by pressing Ctrl+C, or until it reaches the number of packets that you have specified to capture.

Packet capture can be very resource intensive. To minimize the performance impact on your FortiWeb appliance, use packet capture only during periods of minimal traffic, with a local console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.

If your FortiWeb model uses Data Plane Development Kit (DPDK) for packet processing (for example, models 3000E, 3010E and 4000E) and is operating in Offline Protection mode, you cannot use this command with ports that are configured as data capture ports. To use the command with this type of port, disable the corresponding server policy or configure the policy with a different data capture port.

To use this command, your administrator account’s access control profile must have at least r permission to the prof_admin area. For details, see Permissions.

Syntax

diagnose network sniffer [{any | "<interface_name>"} [{none | "<filter_str>"} [{1 | 2 | 3} [<packets_int>]]]]

Variable: {any | "<interface_name>"}

Description: Enter the name of a network interface whose packets you want to capture, such as port1, or type any to capture packets on all network interfaces.

If you omit this and the following parameters for the command, the command captures all packets on all network interfaces.

Default: No default.

Variable: {none | "<filter_str>"}

Description: Enter either none to capture all packets, or type a filter that specifies which protocols and port numbers you do or do not want to capture, such as "tcp port 25".

Filters use tcpdump (http://www.tcpdump.org) syntax:

"[[src|dst] host {<host1_fqdn> | <host1_ipv4>}] [and|or] [[src|dst] host {<host2_fqdn> | <host2_ipv4>}] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port1_int>] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port2_int>]"

To display only the traffic between two hosts, specify the IP addresses of both hosts. To display only forward or reply packets, indicate which host is the source, and which is the destination.

For example, to display UDP port 1812 traffic between 1.example.com and either 2.example.com or 3.example.com, you would enter:

"udp and port 1812 and src host 1.example.com and dst \( 2.example.com or 3.example.com \)"

Default: none

Variable: {1 | 2 | 3}

Description: Type one of the following integers indicating the depth of packet headers and payloads to capture:

  • 1—Display the packet capture timestamp, plus basic fields of the IP header: the source IP address, the destination IP address, protocol name, and destination port number.

    Does not display all fields of the IP header; it omits:

    • IP version number bits
    • Internet header length (ihl)
    • type of service/differentiated services code point (tos)
    • explicit congestion notification
    • total packet or fragment length
    • packet ID
    • IP header checksum
    • time to live (TTL)
    • fragment offset
    • options bits
  • 2—All of the output from 1, plus the packet payload in both hexadecimal and ASCII.
  • 3—All of the output from 2, plus the link layer (Ethernet) header.

For troubleshooting purposes, Fortinet Technical Support may request the most verbose level (3).

Default: 1

Variable: <packets_int>

Description: Enter the number of packets to capture before stopping.

If you do not specify a number, the command continues to capture packets until you press Ctrl+C.

Default: Packet capture continues until you press Ctrl + C.

Example

The following example captures three packets of traffic from any port number or protocol and between any source and destination (a filter of none) that pass through the network interface named port1. The capture uses a low level of verbosity (indicated by 1).

Commands that you would type are highlighted in bold; responses from the FortiWeb appliance are not bolded.

FortiWeb# diagnose network sniffer port1 none 1 3
filters=[none]
0.918957 192.168.0.1.36701 -> 192.168.0.2.22: ack 2598697710
0.919024 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697710 ack 2587945850
0.919061 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697826 ack 2587945850

If you are familiar with the TCP protocol, you may notice that the packets are from the middle of a TCP connection. Because port 22 is used (highlighted above in bold), which is the standard port number for SSH, the packets might be from an SSH session.

Example

The following example captures packet traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1 and 192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify either host as the source or destination in the IP header (src or dst), the sniffer captures both forward and reply traffic.

Commands that you would type are highlighted in bold; responses from the FortiWeb appliance are not bolded.

FortiWeb# diagnose network sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1

A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Ctrl+C. The sniffer then confirms that five packets were seen by that network interface. Below is a sample output.

192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590
192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591
192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206
192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265
5 packets received by filter
0 packets dropped by kernel
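To show what these level-1 lines tell you once they are grouped by connection, here is an added example (not part of the Fortinet page) that parses both outputs above, collapses the lines into bidirectional flows, and reports whether the capture caught the three-way handshake or joined the connection mid-stream, as the first example's commentary observes for port 22. The sample text (the two outputs concatenated), the small service-name table, and the function names are constructed for this example.

```python
"""Group FortiWeb level-1 sniffer lines into TCP flows and report whether the
capture caught the three-way handshake or joined the connection mid-stream."""
import re

# Constructed sample: the two level-1 outputs shown above, concatenated.
# Lines 1-3 (with timestamps) are the port-22 session already in progress;
# the next five (no timestamps) are the complete handshake on port 80.
SAMPLE = """filters=[none]
0.918957 192.168.0.1.36701 -> 192.168.0.2.22: ack 2598697710
0.919024 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697710 ack 2587945850
0.919061 192.168.0.2.22 -> 192.168.0.1.36701: psh 2598697826 ack 2587945850
192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590
192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591
192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206
192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265
5 packets received by filter
0 packets dropped by kernel
"""

# Optional timestamp, then 'src.ip.sport -> dst.ip.dport: flags and numbers'
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d+\.\d+)\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Names for the ports used in the page's examples (constructed table, not a
# full /etc/services lookup).
SERVICES = {22: "ssh", 80: "http", 443: "https"}


def parse_lines(text):
    """Return one dict per packet summary line; every other line is skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # filters=[...], packet counts, prompts
        ts, src, sport, dst, dport, rest = m.groups()
        packets.append({
            "ts": float(ts) if ts else None,
            "src": (src, int(sport)),
            "dst": (dst, int(dport)),
            # 'psh 2598697710 ack 2587945850' -> flags {'psh', 'ack'}
            "flags": frozenset(t for t in rest.split() if t.isalpha()),
        })
    return packets


def summarise_flows(packets):
    """Collapse packets into bidirectional flows and classify each one."""
    flows = {}
    for p in packets:
        key = tuple(sorted((p["src"], p["dst"])))
        f = flows.setdefault(key, {"packets": 0, "syn_senders": []})
        f["packets"] += 1
        if "syn" in p["flags"] and p["src"] not in f["syn_senders"]:
            f["syn_senders"].append(p["src"])  # order kept: first SYN = client

    report = []
    for (a, b), f in flows.items():
        if len(f["syn_senders"]) == 2:
            state = "handshake"    # SYN one way and SYN/ACK back
        elif len(f["syn_senders"]) == 1:
            state = "half-open"    # SYN seen, no SYN/ACK (or one-way capture)
        else:
            state = "mid-stream"   # no SYN at all: connection predates the capture
        # Client is whoever sent the first SYN; without one, fall back to the
        # heuristic that the service sits on the lower port number.
        client = f["syn_senders"][0] if f["syn_senders"] else max((a, b), key=lambda e: e[1])
        server = b if client == a else a
        report.append({
            "client": client,
            "server": server,
            "server_port": server[1],
            "service": SERVICES.get(server[1], "unknown"),
            "packets": f["packets"],
            "state": state,
        })
    return report


if __name__ == "__main__":
    for flow in summarise_flows(parse_lines(SAMPLE)):
        c, s = flow["client"], flow["server"]
        print(f"{c[0]}:{c[1]} -> {s[0]}:{s[1]} ({flow['service']}): "
              f"{flow['packets']} packets, {flow['state']}")
```

The "mid-stream" result for the port-22 flow is the same conclusion the text draws by eye: without a SYN in the capture, the flow can only be attributed to an existing session, and the client/server roles are a port-number guess rather than a fact. Saving the sniffer output and running it through a script like this is more reliable than scanning the display once a capture runs to hundreds of lines.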

Example

The following example captures TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its source or destination IP address. The capture uses a high level of verbosity (indicated by 3).

The number of packets to capture is not specified, so the packet capture continues until the administrator presses Ctrl+C. The sniffer then states how many packets were seen by that network interface.

Verbose output can be very long. As a result, the output shown below is truncated after only one packet.

Commands that you would type are highlighted in bold; responses from the FortiWeb appliance are not bolded.

FortiWeb# diagnose network sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............

Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text file using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than US-ASCII. It is often, but not always, preferable to analyze the output by loading it into a network protocol analyzer application such as Wireshark (http://www.wireshark.org/).

For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output to a file. Methods may vary. See the documentation for your CLI client.

To view packet capture output using PuTTY and Wireshark

On your management computer, start PuTTY.

Use PuTTY to connect to the FortiWeb appliance using either a local console, SSH, or Telnet connection. For details, see Connecting to the CLI.

Type the packet capture command, such as:

diag network sniffer packet port1 'tcp port 443' 3 100

but do not press Enter yet.

In the upper left corner of the window, click the PuTTY icon to open its drop-down menu, then select Change Settings.

In the Category tree on the left, go to Session > Logging.

Select Printable output.

In Log file name, click the Browse button, then choose a directory path and file name such as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. You do not need to save it with the .log file extension.

Click Apply.

Press Enter to send the CLI command to the FortiMail appliance, beginning packet capture.

If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze, press Ctrl + C to stop the capture.

Close the PuTTY window.

Open the packet capture file using a plain text editor such as Notepad.

Delete the first and last lines, which look like this:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 6/12/2020.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=

FortiWeb-2000 #


These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not delete them, they could interfere with the script in the next step.

Convert the plain text file to a format recognizable by your network protocol analyzer application.

You can convert the plain text file to a format recognizable by Wireshark (.pcap) using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Fortinet Knowledge Base article "Using the FortiOS built-in packet sniffer":

http://kb.fortinet.com/kb/documentLink.do?externalId=11186

The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you first install a Perl module compatible with your operating system.

To use fgt2eth.pl, open a command prompt, then enter a command such as the following:

fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap

where:

  • fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is indicated by the command prompt
  • packet_capture.txt is the name of the packet capture’s output file; include the directory path relative to your current directory
  • packet_capture.pcap is the name of the conversion script’s output file; include the directory path relative to your current directory where you want the converted output to be saved

Methods to open a command prompt vary by operating system. On Windows XP, go to Start > Run and enter cmd. On Windows 7, click the Start (Windows logo) menu to open it, then enter cmd.

Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for that application.
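As an added example, not the Fortinet page's own code and not Fortinet's fgt2eth.pl, the following Python script performs the same conversion locally: it reads level-3 sniffer text (the format of the port 443 example above), reassembles each hex dump into a frame, and writes a classic pcap that Wireshark opens. It skips the PuTTY banner, command echo, filters= lines, packet counts and the trailing prompt by itself, so the hand-deletion step is not needed with it. The script file name, the function names, and the fifth hex line that completes the sample frame (the page truncates after four lines) are assumptions made for this example.

```python
"""Convert FortiWeb 'diagnose network sniffer' verbosity-3 text output to a
pcap file that Wireshark can open. Added example; fgt2eth.pl is not used."""
import re
import struct
import sys

# Constructed sample: the page's level-3 capture of one TCP SYN as it would be
# saved by PuTTY logging, so it still carries the PuTTY banner and the trailing
# prompt that the procedure tells you to delete by hand. The fifth hex line is
# made up here to complete the 74-byte frame (the page truncates after four).
SAMPLE_LOG = """=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 6/12/2020.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiWeb# diagnose network sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
0x0040 6c44 0000 0000 0103 0307 lD........
1 packets received by filter
0 packets dropped by kernel
FortiWeb-2000 #
"""

# '10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898'
SUMMARY_RE = re.compile(r"^(\d+\.\d+)\s+\S+\s+->\s+\S+:")
# '0x0010 003c 73d1 ... ac16 .<s.@.@.;..W....': offset, up to 8 hex words, ASCII
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})((?:\s+[0-9a-fA-F]{4}){1,8})")

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1    # level 3 output: frames begin with the Ethernet header
LINKTYPE_RAW = 101       # level 2 output: no link-layer header, frames begin at IP


def parse_sniffer_text(text):
    """Return a list of (seconds, frame_bytes) from sniffer output.

    Lines matching neither regex (PuTTY banner, command echo, interfaces=,
    filters=, packet counts, prompt) are skipped, so leftover terminal lines
    cannot corrupt the result.
    """
    packets, ts, buf = [], None, bytearray()

    def flush():
        if ts is not None and buf:
            packets.append((ts, bytes(buf)))

    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            flush()
            ts, buf = float(m.group(1)), bytearray()
            continue
        m = HEX_RE.match(line)
        if m and ts is not None:
            offset = int(m.group(1), 16)
            if offset != len(buf):  # lines lost in the terminal scrollback
                raise ValueError(f"dump offset 0x{offset:04x} but {len(buf)} bytes seen")
            buf += bytes.fromhex("".join(m.group(2).split()))
    flush()
    return packets


def trim_to_ip_length(frame, has_ethernet=True):
    """Cut the frame at the IPv4 total length. This guards against the ASCII
    column of the final, short dump line being read as hex when it happens to
    contain a four-character hex-looking word."""
    ip_off = 14 if has_ethernet else 0
    if has_ethernet and frame[12:14] != b"\x08\x00":
        return frame                    # not IPv4 over Ethernet: leave untouched
    if len(frame) < ip_off + 4 or frame[ip_off] >> 4 != 4:
        return frame
    (total_len,) = struct.unpack("!H", frame[ip_off + 2:ip_off + 4])
    return frame[:ip_off + total_len]


def to_pcap(packets, has_ethernet=True):
    """Serialise (seconds, frame) pairs as a classic little-endian pcap."""
    link = LINKTYPE_ETHERNET if has_ethernet else LINKTYPE_RAW
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, link))
    for ts, frame in packets:
        frame = trim_to_ip_length(frame, has_ethernet)
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python fwb_sniff2pcap.py packet_capture.txt packet_capture.pcap
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            pkts = parse_sniffer_text(fh.read())
        with open(sys.argv[2], "wb") as out:
            out.write(to_pcap(pkts))
    else:
        for ts, frame in parse_sniffer_text(SAMPLE_LOG):
            print(f"{ts:.6f}s  {len(frame)} bytes")
```

The sniffer prints seconds relative to the start of the capture, so the pcap timestamps count from the epoch and Wireshark's relative time column is the one to read. Level-2 output omits the Ethernet header; convert it with to_pcap(packets, has_ethernet=False) so the file is written as raw IP instead.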
