Skip to main content
sfrati
Staff
sfrati
Staff
July 17, 2025

Technical Tip: How to customize Wireshark to automate sniftran processing of sniffed traces

  • July 17, 2025
  • 0 replies
  • 758 views
Description

This article presents SnifTran is a free program to convert plain text traffic captured from FortiGate issued from 'diag sniffer packet'followed by the parameter 6 (full packets with interface and data), and describes the customization of Wireshark.

 

The resulting conversion is a new file following PCAPng format, directly usable in Wireshark for a graphical display.
Despite Sniftran is a very stable and valuable tool available here (https://github.com/ondrejholecek/sniftran/), it is not graphical nor automated by default.

Here is a detailed how to get even more benefits from this tool by customizing :

  • Wireshark: to display more columns, including the incoming or outgoing interface.
  • Notepad++: to trigger SnifTran on the current open file and launch Wireshark on the resulting .pcapng file.
Scope FortiGate.
Solution

Customization of Wireshark to display Snifftran additional information:
Sniftran will include the interface name and traffic direction (in or out) for each frame in the new hidden field 'Comments'.
The Comments' field content will look like:

 

"(out) port33" or "(in) port34"

 

Note:

if, for instance, the outgoing interface is a LAG made of several aggregated ports, it will show the physical port from which the frame really physically exits the device.


The immediate benefits of Wireshark: to display/filter only packets on the interface port3 in both directions, for instance, use the following Wireshark filter:

 

frame.comment contains "port3"
 

snif1.png

 

Adding a new displayed column based on the 'frame.comment' field:
As displayed in the previous screenshot, Wireshark can be customized to add a new custom column (following this tutorial: https://www.youtube.com/watch?v=XpUNXDkfkQg) to display this new field for each frame.


In Wireshark menu under Preferences -> Appearance -> Columns, create a new column 'IfaceSnifTran' in this case, and 'right-click' the column to display the frame comment as shown below:

 
snif2.png

 

 

The result is the following: see the contents of column 'IfaceSnitTran':

 

snif3.png

 

The related article describes the customization of Notepad++ to trigger SnifTran on the currently opened file and launch Wireshark on the resulting .pcapng file using this customization: Technical Tip: How to customize Notepad++ to automate SnifTran processing of sniffed traces
      Terms & ConditionsAccessibility statement