princes
Staff
February 9, 2026

Technical Tip: Explanation of FortiGate capture shows different TTL Value for same packet

Description: This article describes the behavior while collecting Wireshark captures on FortiGate.
Scope: All FortiGate versions.
Solution:

When a Wireshark capture is collected on a FortiGate interface, the capture may show 2 packets for the same traffic with different TTL values.


An example CLI sniffer command is shown below:

diagnose sniffer packet any 'host 10.2.10.15 and host 10.1.0.10' 6 0 a

The following example capture was taken with the interface set to 'any':

 

image (35).png

 

In the above capture, the TTL values 127 and 128 can both be seen, which is expected because the selected interface was 'any'.

The packet with TTL 128 is the packet received on the incoming interface, and the packet with TTL 127 is the one sent out from the FortiGate.

 

The 'no response' for the incoming packet is expected and does not mean a packet drop.
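As an added example (not part of the original article and not Fortinet code), the Python sketch below groups raw IPv4 headers from a mixed-interface capture by source, destination, protocol and IP ID, and labels a group as the expected ingress/egress pair only when the second copy's TTL is exactly one lower than the first. The sample headers and IP IDs are constructed, and the check assumes no NAT rewrites the addresses between the two copies.

```python
import struct
from collections import defaultdict

IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_header(src, dst, ident, ttl, proto=1):
    """Build a constructed IPv4 header (checksum left at 0) for the sample."""
    pack_ip = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack(IP_FMT, 0x45, 0, 20, ident, 0, ttl, proto, 0,
                       pack_ip(src), pack_ip(dst))

def parse_header(raw):
    """Return (src, dst, proto, ip_id, ttl) from raw IPv4 header bytes."""
    _, _, _, ident, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, raw[:20])
    dotted = lambda b: ".".join(str(o) for o in b)
    return dotted(src), dotted(dst), proto, ident, ttl

def classify(frames):
    """Group frames (in capture order) by flow + IP ID and label each group."""
    groups = defaultdict(list)
    for raw in frames:
        src, dst, proto, ident, ttl = parse_header(raw)
        groups[(src, dst, proto, ident)].append(ttl)
    labels = {}
    for key, ttls in groups.items():
        if len(ttls) == 1:
            labels[key] = "single copy"
        elif len(ttls) == 2 and ttls[0] - ttls[1] == 1:
            # Received copy first, forwarded copy second with TTL decremented once.
            labels[key] = "ingress/egress pair"
        else:
            labels[key] = "unexpected duplicate"
    return labels

# Constructed sample: addresses from the sniffer filter above, IP IDs invented.
SAMPLE = [
    build_header("10.2.10.15", "10.1.0.10", 0x1A2B, 128),
    build_header("10.2.10.15", "10.1.0.10", 0x1A2B, 127),
    build_header("10.2.10.15", "10.1.0.10", 0x1A2C, 128),
    build_header("10.2.10.15", "10.1.0.10", 0x1A2C, 128),
]

if __name__ == "__main__":
    for key, label in classify(SAMPLE).items():
        print(key, label)
```

A group with identical TTLs, or with more than two copies, is not explained by the 'any' interface behavior and is worth examining separately.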

 

Below is the capture taken with a specific interface for the same traffic:

 

Screenshot 2026-02-08 202618.png

 
