sfrati
Staff
January 29, 2026

Technical Tip: How to sniff traffic on FortiClient EMS and send the resulting pcap file to a remote server for analysis
Description

This article describes how to sniff network traffic on the interfaces of FortiClient EMS v7.4.5 (Linux VM).

This is intended for immediate troubleshooting (to confirm that requests are reaching the FortiClient EMS device and that the device responds correctly) or to create a local .pcap file for further analysis.

Scope

FortiClient EMS on Linux.
Solution

In this scenario, the administrator intends to check whether SNMP queries are reaching FortiClient EMS.

First, connect to the SSH console of the EMS:

[Figure: ems-1-cli.png]


Next, check the FortiClient EMS network configuration (interface name, IP address, and gateway) using the following general-purpose command:

ems@fcems-server $> system get info

[Figure: ems2-getinfo.png]


Start snmpwalk or a MIB browser on the workstation to poll the FortiClient EMS server over SNMP (UDP port 161) on the appropriate interface (e.g., the IP address of interface ens6).

[Figure: ems3-mibbrowser.png]


Start capturing network traffic (sniff) on FortiClient EMS interface ens6 for UDP port 161 for immediate troubleshooting:

ems@fcems-server $> execute pcap --if ens6 --filter "port 161"

Note: the filter syntax follows the tcpdump rules documented in the pcap-filter(7) manual page. "port 161" matches TCP as well as UDP; "udp port 161" narrows the capture to SNMP's transport.

[Figure: ems4-snif.jpg]


The administrator can also write the capture to a file for later transfer and analysis in Wireshark on a workstation or server:

ems@fcems-server $> execute pcap --out pcaptest.pcap


The resulting pcap file is stored in the chrooted /exchange folder:

ems@fcems-server $> execute ls
/exchange:
total 25460
-rw-r--r-- 1 tcpdump tcpdump 26069774 Jan 9 17:58 pcaptest.pcap

/var/lib/redis:
total 8
-rw-rw---- 1 redis redis 4271 Jan 9 17:57 dump.rdb


The administrator can now send the file to a remote server using SFTP (the remote IP in the command must match the host shown in the output; the original text contained a mistyped five-octet address):

ems@fcems-server $> execute sftp --remote.ip 10.5.136.206 --remote.user sftp_client --local.file /exchange/pcaptest.pcap --remote.file /uploads/pcaptest.pcap --remote.password fortinet
Connectivity test using service 'sftp' to remote host 10.5.136.206 with user sftp_client for writing file /uploads/pcaptest.pcap passed !
File /exchange/pcaptest.pcap successfully copied to 10.5.136.206:/uploads/pcaptest.pcap
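
Once the pcap file has reached the analysis host, a first check of whether the SNMP polls reached EMS and were answered does not need Wireshark. The following Python script is an added example, not part of the original article or of the EMS product: it parses a classic little-endian pcap with only the standard library, counts UDP/161 requests to the EMS address and responses from it per poller, and runs on a small constructed capture (the addresses and packets are made up for the test).

```python
import struct
from collections import Counter
PCAP_MAGIC, LINKTYPE_ETHERNET, ETHERTYPE_IPV4, IPPROTO_UDP = 0xA1B2C3D4, 1, 0x0800, 17  # framing handled

def build_udp_frame(src_ip, sport, dst_ip, dport, payload):
    # Ethernet/IPv4/UDP frame for constructed test data (checksums left at zero)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, IPPROTO_UDP, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + udp_hdr + payload

def build_pcap(frames):
    # Classic pcap file: 24-byte global header, then a 16-byte record header before each frame
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))

def iter_udp(pcap_bytes):
    """Yield (src_ip, sport, dst_ip, dport) per UDP-over-IPv4 record; anything else is skipped."""
    assert struct.unpack_from("<I", pcap_bytes, 0)[0] == PCAP_MAGIC, "classic little-endian pcap only"
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        frame, off = pcap_bytes[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length, so IP options do not shift the UDP ports
        if frame[14 + 9] != IPPROTO_UDP:
            continue
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, sport, dst, dport

def snmp_summary(pcap_bytes, ems_ip, port=161):
    """Per poller: SNMP requests that reached the EMS address and responses the EMS sent back."""
    requests, responses = Counter(), Counter()
    for src, sport, dst, dport in iter_udp(pcap_bytes):
        if dst == ems_ip and dport == port:
            requests[src] += 1
        elif src == ems_ip and sport == port:
            responses[dst] += 1
    return {p: {"requests": requests[p], "responses": responses[p]}
            for p in set(requests) | set(responses)}
EMS_IP, POLLER_IP = "10.5.1.10", "10.5.1.20"  # constructed, made-up addresses for the sample capture
SAMPLE_PCAP = build_pcap([
    build_udp_frame(POLLER_IP, 50000, EMS_IP, 161, b"\x30\x00"),  # poll 1 -> EMS
    build_udp_frame(EMS_IP, 161, POLLER_IP, 50000, b"\x30\x00"),  # EMS reply to poll 1
    build_udp_frame(POLLER_IP, 50001, EMS_IP, 161, b"\x30\x00"),  # poll 2, never answered
])
```

For a real capture, read the file bytes and call snmp_summary(data, ems_address); a poller with more requests than responses is the one whose queries EMS received but did not answer.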


Once done, the administrator can remove the generated files one by one from the /home/ems/exchange folder (seen as /exchange from the CLI):

ems@fcems-server $> execute ls /exchange
total 25532
-rw-r--r-- 1 tcpdump tcpdump 26069774 Jan 9 17:58 pcaptest.pcap
-rw-r--r-- 1 tcpdump tcpdump 71950 Jan 9 18:34 pcaptest2.pcap

ems@fcems-server $> execute clear exchange pcaptest.pcap
A file(s) to remove must be provided using either --filter or --all (not both).
exit error: [exit status 1], exitStatus: 1

ems@fcems-server $> execute clear exchange --filter pcaptest.pcap


The file was removed, leaving space on the disk for new captures:

ems@fcems-server $> execute ls
/var/lib/redis:
total 8
-rw-rw---- 1 redis redis 4524 Jan 9 18:37 dump.rdb

/exchange:
total 72
-rw-r--r-- 1 tcpdump tcpdump 71950 Jan 9 18:34 pcaptest2.pcap
