diagnose sniffer dump

Use this command to dump the data flow records of the network port to a specific TFTP server.

Ensure the remote TFTP server has the file create permission.

Syntax

diagnose sniffer dump <tftp IP> <local sniffer file name> <remote tftp server file name>

To dump files from FortiNDR with the CLI:
  1. Specify the options and filters for file dumping with the following command:

    diagnose sniffer packet

    If traffic dumping is running in the background, you can stop or view the progress with the stop and status variables. For more information, see diagnose sniffer packet.

  2. Get the PCAP’s file name with the following command.

    diagnose sniffer file

    You will need the file name to delete all captured PCAP files. For more information, see diagnose sniffer file.

  3. Transfer the previously dumped file to a TFTP server for further analysis.

    diagnose sniffer dump

Example:

FortiNDR-3500F # diagnose sniffer packet port1 "none" 1 20000 a chi.pcap 1 background

System Time: 2022-11-17 17:40:24 PST (Uptime: 14d 20h 22m)

interfaces=[port1]

filters=[none]

sniffer dump into chi.pcap (500M size limit)

last about 60 second

37 packets received by filter

0 packets dropped by kernel

FortiNDR-3500F # diagnose sniffer file display

System Time: 2022-11-17 17:40:40 PST (Uptime: 14d 20h 22m)

abc.pcap_2022-10-13-16-34-34.pcap 278 Thu Oct 13 16:34:34 2022

chi.pcap_2022-11-17-17-40-24.pcap 24 Thu Nov 17 17:40:24 2022

chi.pcap_2022-10-13-16-29-37.pcap 57208 Thu Oct 13 16:29:37 2022

chi.pcap_2022-10-13-16-27-06.pcap 98162098 Thu Oct 13 16:27:06 2022

FortiNDR-3500F # diagnose sniffer dump 172.19.235.204 chi.pcap_2022-11-17-17-40-24.pcap new.pcap

System Time: 2022-11-17 17:41:33 PST (Uptime: 14d 20h 23m)

Connect to tftp server 172.19.235.204 ...

Please wait...

#

Send sniffer file to tftp server OK.
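Added example, not part of the Fortinet documentation: Python helpers that parse the diagnose sniffer file display listing shown above, pick the newest capture written under a sniffer file name, compose the step 3 command line, and check the file that arrives on the TFTP server against the size the appliance listed and the pcap header. All function names and the 24-byte sample header are constructed for this example.

```python
import re
import struct
from datetime import datetime

# Constructed sample: the `diagnose sniffer file display` output from this page's example session.
SAMPLE_LISTING = """\
System Time: 2022-11-17 17:40:40 PST (Uptime: 14d 20h 22m)
abc.pcap_2022-10-13-16-34-34.pcap 278 Thu Oct 13 16:34:34 2022
chi.pcap_2022-11-17-17-40-24.pcap 24 Thu Nov 17 17:40:24 2022
chi.pcap_2022-10-13-16-29-37.pcap 57208 Thu Oct 13 16:29:37 2022
chi.pcap_2022-10-13-16-27-06.pcap 98162098 Thu Oct 13 16:27:06 2022
"""
# One listing line: <file name> <size in bytes> <ctime-style timestamp>
LINE_RE = re.compile(r"^(\S+\.pcap)\s+(\d+)\s+(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})$")
# Magic numbers of classic pcap (either byte order, micro- or nanosecond) and pcapng.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d", b"\x0a\x0d\x0d\x0a"}

def parse_listing(text):
    """Return [(name, size_bytes, timestamp)] for every capture file in the listing."""
    files = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips the "System Time:" header, blank lines and prompts
        name, size, stamp = m.groups()
        files.append((name, int(size), datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")))
    return files

def newest_for_prefix(files, sniffer_name):
    """Pick the most recent capture written under the given local sniffer file name."""
    matches = [f for f in files if f[0].startswith(sniffer_name + "_")]
    return max(matches, key=lambda f: f[2]) if matches else None

def dump_command(tftp_ip, local_name, remote_name):
    """Compose the step 3 CLI line exactly as the Syntax section gives it."""
    return f"diagnose sniffer dump {tftp_ip} {local_name} {remote_name}"

def verify_received(data, expected_size):
    """Check the file that arrived on the TFTP server: TFTP has no integrity check of its
    own, so compare the byte count with the listed size and confirm a pcap/pcapng header."""
    if len(data) != expected_size:
        return False, f"size mismatch: got {len(data)}, listing said {expected_size}"
    if data[:4] not in PCAP_MAGICS:
        return False, "no pcap/pcapng magic at offset 0"
    return True, "ok"

def empty_pcap_header():
    """Constructed sample: a 24-byte little-endian pcap global header with no packet records."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
```

The 24-byte chi.pcap entry in the listing is exactly one such header with no packets yet, which is what a capture that was still running in the background looks like when listed.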
