gagandeeps
Staff
April 10, 2025

Technical Tip: How to capture ARP traffic using Packet Capture on FortiOS GUI and CLI

Description: This article describes how to capture ARP traffic using the FortiGate GUI and CLI on all versions.
Scope: FortiGate OS version 7.2.x, 7.4.x, and 7.6.x.
Solution

Option 1: Capturing 'ARP' traffic using the GUI:

 

  1. Access the Packet Capture section:

Go to Network -> Packet Capture or Diagnostics in the FortiGate GUI.

  2. Add a packet capture filter:

Select 'Add' to create a new packet capture filter.

  3. Configure the filter:
  • Interface: Select the interface on which to capture traffic from the drop-down.
  • Max Packets to Save: Enter the number of packets to be captured.
  • Enable Filters: Check this option to specify filter fields.
  • Enable the 'Include non-IP packets' radio button.
  • Start the capture and download the PCAP file.
  • Filter the ARP packets as shown in the screenshots below.

 

arp-4.JPG

 

arp-2.JPG

 

Option 2: Capturing 'ARP' traffic using the CLI in two different ways:

 

With the ARP keyword:

 

diagnose sniffer packet portx 'arp' 4 0 l  <----- Where x is the port on which 'ARP' traffic needs to be captured.

diagnose sniffer packet any 'arp' 4 0 l   <---- To check ARP traffic for any interface.

 

With the Ethernet protocol option:

 

diagnose sniffer packet portx 'ether proto 0x0806' 4 0 l  <----- Where x is the port on which 'ARP' traffic needs to be captured.

diagnose sniffer packet any 'ether proto 0x0806' 4 0 l   <---- To check ARP traffic for any interface.
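
Added example (not part of the original article and not Fortinet code): a Python script that pulls the ARP frames out of a PCAP file downloaded in Option 1 by matching the same EtherType, 0x0806, that the Option 2 filter uses. It assumes a classic microsecond-resolution pcap file with Ethernet link type; the function names, MAC addresses and IP addresses are constructed for illustration.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806  # the value the CLI filter 'ether proto 0x0806' matches
ARP_OPS = {1: "request", 2: "reply"}

def arp_frames(pcap: bytes):
    """Return (op, sender MAC, sender IP, target IP) for each ARP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("link type is not Ethernet")
    found, off = [], 24  # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from(endian + "I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need a 14-byte Ethernet header + 28-byte ARP body, EtherType at bytes 12-13
        if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
            continue
        htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            continue  # not ARP for IPv4 over Ethernet
        sha, spa, _tha, tpa = struct.unpack_from("!6s4s6s4s", frame, 22)
        found.append((ARP_OPS.get(op, f"op {op}"), sha.hex(":"),
                      socket.inet_ntoa(spa), socket.inet_ntoa(tpa)))
    return found

def build_sample_pcap() -> bytes:
    """Constructed sample capture: ARP request, ARP reply, one IPv4 frame."""
    a, b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ip_a, ip_b = socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.10")
    arp_hdr = struct.pack("!HHBB", 1, 0x0800, 6, 4)
    frames = [
        b"\xff" * 6 + a + b"\x08\x06" + arp_hdr + b"\x00\x01" + a + ip_a + bytes(6) + ip_b,
        a + b + b"\x08\x06" + arp_hdr + b"\x00\x02" + b + ip_b + a + ip_a,
        a + b + b"\x08\x00" + bytes(46),  # IPv4 EtherType, must be skipped
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1744243200 + n, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for row in arp_frames(build_sample_pcap()):
        print(*row)
```

To use it on a real capture, pass the file contents instead of the sample, for example `arp_frames(open(path, "rb").read())`, where `path` is the downloaded file.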