Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

diagnose sniffer packet

Use this command to perform a packet trace on one or more network interfaces.

Packet capture, also known as sniffing or packet analysis, records some or all of the packets seen by a network interface (that is, the network interface is used in promiscuous mode). By recording packets, you can trace connection states to the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to detect.

FortiADC appliances have a built-in sniffer. Packet capture on FortiADC appliances is similar to that of FortiGate appliances. Packet capture output appears on your CLI display until you stop it by pressing Ctrl+C, or until it reaches the number of packets that you have specified to capture.

Packet capture can be very resource intensive. To minimize the performance impact on your FortiADC appliance, use packet capture only during periods of minimal traffic, with a local console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.

For additional information on the packet sniffer utility, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.

Syntax

diagnose sniffer packet [{any | <interface_name>} [{none | '<filter_str>'} [{1 | 2 | 3} [<packets_int>]]]]

{any | <interface_name>}

Type the name of a network interface whose packets you want to capture, such as port1, or type any to capture packets on all network interfaces.

If you omit this and the following parameters for the command, the command captures all packets on all network interfaces.

{none | '<filter_str>'}

Type either none to capture all packets, or type a filter that specifies which protocols and port numbers that you do or do not want to capture, such as 'tcp port 25'. Surround the filter string in quotes ( ' ).

Filters use tcpdump syntax:

'[[src|dst] host {<host1_fqdn> | <host1_ipv4>}] [and|or] [[src|dst] host {<host2_fqdn> | <host2_ipv4>}] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port1_int>] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port2_int>]'

To display only the traffic between two hosts, specify the IP addresses of both hosts. To display only forward or reply packets, indicate which host is the source, and which is the destination.

For example, to display UDP port 1812 traffic between 1.example.com and either 2.example.com or 3.example.com, you would enter:

'udp and port 1812 and src host 1.example.com and dst \( 2.example.com or 2.example.com \)'

{1 | 2 | 3}

Type one of the following integers indicating the depth of packet headers and payloads to capture:

1 — Display the packet capture timestamp, plus basic fields of the IP header: the source IP address, the destination IP address, protocol name, and destination port number.

Does not display all fields of the IP header; it omits:

  • IP version number bits
  • Internet header length (ihl)
  • type of service/differentiated services code point (tos)
  • explicit congestion notification
  • total packet or fragment length
  • packet ID
  • IP header checksum
  • time to live (TTL)
  • IP flag
  • fragment offset
  • options bits

2 — All of the output from 1, plus the packet payload in both hexadecimal and ASCII.

3 — All of the output from 2, plus the the link layer (Ethernet) header.

For troubleshooting purposes, Fortinet Technical Support may request the most verbose level (3).

<packets_int>

Type the number of packets to capture before stopping.

If you do not specify a number, the command will continue to capture packets until you press Ctrl+C.

Example

The following example captures three packets of traffic from any port number or protocol and between any source and destination (a filter of none), which passes through the network interface named port1. The capture uses a low level of verbosity (indicated by 1).

FortiADC-VM # diagnose sniffer packet port1 none 1 3

interfaces=[port1]

filters=[none]

0.000000 172.30.144.20.53800 -> 172.30.144.100.22: ack 202368347

0.000000 172.30.144.100.22 -> 172.30.144.20.53800: psh 202368415 ack 2508304372

0.000000 172.30.144.100.22 -> 172.30.144.20.53800: psh 202368531 ack 2508304372

 

If you are familiar with the TCP protocol, you might notice that the packets are from the middle of a TCP connection. Because port 22 is used (highlighted above in bold), which is the standard port number for SSH, the packets might be from an SSH session.

Example

The following example captures packets traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1 and 192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify either host as the source or destination in the IP header (src or dst), the sniffer captures both forward and reply traffic.

FortiADC# diagnose sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1

A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Ctrl+C. The sniffer then confirms that five packets were seen by that network interface. Below is a sample output.

192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590

192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591

192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206

192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206

192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265

5 packets received by filter

0 packets dropped by kernel

diagnose sniffer packet

Use this command to perform a packet trace on one or more network interfaces.

Packet capture, also known as sniffing or packet analysis, records some or all of the packets seen by a network interface (that is, the network interface is used in promiscuous mode). By recording packets, you can trace connection states to the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to detect.

FortiADC appliances have a built-in sniffer. Packet capture on FortiADC appliances is similar to that of FortiGate appliances. Packet capture output appears on your CLI display until you stop it by pressing Ctrl+C, or until it reaches the number of packets that you have specified to capture.

Packet capture can be very resource intensive. To minimize the performance impact on your FortiADC appliance, use packet capture only during periods of minimal traffic, with a local console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.

For additional information on the packet sniffer utility, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.

Syntax

diagnose sniffer packet [{any | <interface_name>} [{none | '<filter_str>'} [{1 | 2 | 3} [<packets_int>]]]]

{any | <interface_name>}

Type the name of a network interface whose packets you want to capture, such as port1, or type any to capture packets on all network interfaces.

If you omit this and the following parameters for the command, the command captures all packets on all network interfaces.

{none | '<filter_str>'}

Type either none to capture all packets, or type a filter that specifies which protocols and port numbers that you do or do not want to capture, such as 'tcp port 25'. Surround the filter string in quotes ( ' ).

Filters use tcpdump syntax:

'[[src|dst] host {<host1_fqdn> | <host1_ipv4>}] [and|or] [[src|dst] host {<host2_fqdn> | <host2_ipv4>}] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port1_int>] [and|or] [[arp|ip|gre|esp|udp|tcp] port <port2_int>]'

To display only the traffic between two hosts, specify the IP addresses of both hosts. To display only forward or reply packets, indicate which host is the source, and which is the destination.

For example, to display UDP port 1812 traffic between 1.example.com and either 2.example.com or 3.example.com, you would enter:

'udp and port 1812 and src host 1.example.com and dst \( 2.example.com or 2.example.com \)'

{1 | 2 | 3}

Type one of the following integers indicating the depth of packet headers and payloads to capture:

1 — Display the packet capture timestamp, plus basic fields of the IP header: the source IP address, the destination IP address, protocol name, and destination port number.

Does not display all fields of the IP header; it omits:

  • IP version number bits
  • Internet header length (ihl)
  • type of service/differentiated services code point (tos)
  • explicit congestion notification
  • total packet or fragment length
  • packet ID
  • IP header checksum
  • time to live (TTL)
  • IP flag
  • fragment offset
  • options bits

2 — All of the output from 1, plus the packet payload in both hexadecimal and ASCII.

3 — All of the output from 2, plus the the link layer (Ethernet) header.

For troubleshooting purposes, Fortinet Technical Support may request the most verbose level (3).

<packets_int>

Type the number of packets to capture before stopping.

If you do not specify a number, the command will continue to capture packets until you press Ctrl+C.

Example

The following example captures three packets of traffic from any port number or protocol and between any source and destination (a filter of none), which passes through the network interface named port1. The capture uses a low level of verbosity (indicated by 1).

FortiADC-VM # diagnose sniffer packet port1 none 1 3

interfaces=[port1]

filters=[none]

0.000000 172.30.144.20.53800 -> 172.30.144.100.22: ack 202368347

0.000000 172.30.144.100.22 -> 172.30.144.20.53800: psh 202368415 ack 2508304372

0.000000 172.30.144.100.22 -> 172.30.144.20.53800: psh 202368531 ack 2508304372

 

If you are familiar with the TCP protocol, you might notice that the packets are from the middle of a TCP connection. Because port 22 is used (highlighted above in bold), which is the standard port number for SSH, the packets might be from an SSH session.

Example

The following example captures packets traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1 and 192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify either host as the source or destination in the IP header (src or dst), the sniffer captures both forward and reply traffic.

FortiADC# diagnose sniffer packet port1 'host 192.168.0.2 or host 192.168.0.1 and tcp port 80' 1

A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Ctrl+C. The sniffer then confirms that five packets were seen by that network interface. Below is a sample output.

192.168.0.2.3625 -> 192.168.0.1.80: syn 2057246590

192.168.0.1.80 -> 192.168.0.2.3625: syn 3291168205 ack 2057246591

192.168.0.2.3625 -> 192.168.0.1.80: ack 3291168206

192.168.0.2.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206

192.168.0.1.80 -> 192.168.0.2.3625: ack 2057247265

5 packets received by filter

0 packets dropped by kernel