Technical Tip: Converting FortiAuthenticator tcpdump to Wireshark pcap files
- December 2, 2021
| Description | This article describes how to convert a tcpdump file captured on FortiAuthenticator to a readable format for Wireshark. |
| Scope | FortiAuthenticator. |
| Solution | This method is one option for capturing packets on FortiAuthenticator if GUI access is not available. Alternatively, 'tcpdumpfile' creates a PCAP file that can be downloaded from https://fac-ip/debug/pcap-dump after the capture has been stopped with CTRL-C.
First, Python must be installed on the workstation where the conversion is performed.
The attached script is used for the first stage of conversion.
fac_tcpdump2text2pcap_cli.py
Python 3.9 is used in this example.
Next, capture the packets using the following command, with filters as needed:
exec tcpdump -xxs 0
Run the script to convert the captured file to a supported format for later conversion:
python fac_tcpdump2text2pcap_cli.py fac_capture.txt
A new file will be generated: fac_capture.txt.new.
Finally, convert the new file to pcap using the attached text2pcap tool (for Wireshark):
text2pcap fac_capture.txt.new fac_sniff.pcap
The converted file fac_sniff.pcap can then be used with Wireshark. |
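The attached fac_tcpdump2text2pcap_cli.py is not reproduced on this page. As an added example (not Fortinet's script), the Python below shows the kind of conversion the first stage performs, assuming the saved capture is standard `tcpdump -xx` text; the function name `tcpdump_to_text2pcap` and the sample packets are constructed for illustration.

```python
import re

# One hex-dump line as printed by `tcpdump -xx`, for example:
#   "\t0x0010:  0020 0001 0000 4011 f6a9 c000 020a c000"
HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+((?:[0-9a-fA-F]{2,4}\s?)+)")

# Constructed sample capture (two packets, made-up addresses and payload).
SAMPLE = (
    "10:15:01.000001 IP 192.0.2.10.1812 > 192.0.2.20.40000: UDP, length 4\n"
    "\t0x0000:  0011 2233 4455 6677 8899 aabb 0800 4500\n"
    "\t0x0010:  0020 0001 0000 4011 f6a9 c000 020a c000\n"
    "\t0x0020:  0214 0714 9c40 000c 0000 dead beef\n"
    "10:15:01.000002 ARP, Request who-has 192.0.2.20 tell 192.0.2.10\n"
    "\t0x0000:  ffff ffff ffff 0011 2233 4455 0806 00\n"
)


def tcpdump_to_text2pcap(lines):
    """Convert `tcpdump -xx` text into the hex-dump layout text2pcap reads.

    Returns (output_text, packet_count). Anything that is not a hex-dump
    line (packet summaries, CLI prompts, blank lines) is dropped.
    """
    out, packets = [], 0
    for line in lines:
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        digits = "".join(m.group(2).split())
        if len(digits) % 2:            # half a byte: line cut off in the session log
            digits = digits[:-1]
        if not digits:
            continue
        if offset == 0:                # text2pcap starts a new packet at offset 0
            packets += 1
        octets = " ".join(digits[i:i + 2] for i in range(0, len(digits), 2))
        out.append(f"{offset:06x} {octets}")
    return "".join(row + "\n" for row in out), packets


if __name__ == "__main__":
    text, count = tcpdump_to_text2pcap(SAMPLE.splitlines())
    print(text, end="")
    print(f"# {count} packets")
```

The output uses one offset followed by space-separated bytes per line, which is the layout text2pcap accepts as input.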

