Technical Tip: How to customize Notepad++ to automate SnifTran processing of sniffed traces

SnifTran and Wireshark integration in Notepad++. Even if the GUI of FortiGate now allows creating packet capture, most people prefer to use CLI 'diagnose snif packet …' with option '6' in a console window or using an SSH connection.

There are several benefits to it:

• It works with sniff traces of any FortiOS version.
• It may be the only option when the GUI is not available.
• Filters can be much more accurate/precise compared to the predefined ones in the GUI.
• It creates a text format that can be filed and downloaded for remote analysis.

Example of a generated text file using CLI :

diagnose snif packet any "port 443" 6 

The drawback is that the packet sniffer generates a text file (for instance console-out-CLI-Console.txt) and not a PCAP file (like the GUI does directly).

As it is a text file, it is easy to open directly in Notepad++.

By using fgt2eth.exe or a better conversion tool like SnifTran, this file can be converted into a PCAP file format and opened in Wireshark… but with several manual actions.

The purpose of this article is to customize Notepad++ for automation to:

• To convert current displayed file and generate a PCAP format file
• To open the generated PCAP file with Wireshark all from Notepad++.

Install the SnifTran and Wireshark software and write down the paths to the executable files:

• C:\tools\sniftran.exe.
• C:\Program Files\Wireshark\wireshark.exe …or check they appear in the $PATH environment variable.

The idea would be to call the following equivalent command on the displayed file, here represented by the variable $(FULL_CURRENT_PATH) :

<path to the sniftran>\sniftran.exe --in "$(FULL_CURRENT_PATH)" 
cmd /c start "C:\Program Files\Wireshark\Wireshark.exe" "$(FULL_CURRENT_PATH).pcapng"

Note:

2022+ versions of SnifTran overwrite by default the output file. With previous versions, use option '--overwrite'.
 

This can be implemented with Notepad++ in two ways:

• using the NppExec plugin to convert the captured text file opened in Notepad++  and then open the result in Wireshark.

See how-to tutorials on NppExec exploring that option: Using Notepad++ shortcuts in two steps: first SnifTran this file; then start Wireshark on the resulting file.

Focusing on the second option, here is how to customize Notepad++ shortcuts:

1. Edit Notepad++ Shortcut config file located in the following user directory as usual C:\Users\fortinet\AppData\Roaming\Notepad++\.
   
   
2. Add lines in Shortcuts.xml before restarting Notepad++ to take these new shortcuts into account:

According to this example current paths, the result is:

<Command name="Sniftran on file" Ctrl="yes" Alt="yes" Shift="yes" Key="83" >c:\tools\sniftran.exe --in &quot;$(FULL_CURRENT_PATH)&quot;</Command>
<Command name="Wireshark on result" Ctrl="yes" Alt="yes" Shift="yes" Key="84" >wireshark &quot;$(FULL_CURRENT_PATH)&quot;.pcapng</Command>

Note:

By default, SnifTran will produce an output file with the same name as the input file + the suffix '.pcapng'.

When Notepad++ is restarted, it will then display new options in the 'Run' menu:

When displaying the capture text file, select Run -> Sniftran on file, wait, then select Run -> Wireshark on result. Wireshark will pop up and display the pcapng file.

Related article:
Technical Tip: How to customize Wireshark to automate sniftran processing of sniffed traces