Technical Tip: How to import 'diagnose sniffer packet' data to WireShark
- February 10, 2020
Description
This article describes how the text output of the 'diagnose sniffer packet' command can be converted and imported into Wireshark.
Scope
FortiGate.
Solution
In this example, the test unit is continuously pinging 8.8.8.8.
To examine that traffic in Wireshark, follow these steps (Windows):
Install Wireshark. This is required even if the device performing the conversion will not be used to review the result, because the conversion tool calls Wireshark's text2pcap. The version of fgt2eth.exe attached to this article looks for text2pcap at the path 'C:\Program Files\Wireshark\text2pcap.exe'.
Download the fgt2eth.exe.12.2014.zip file attached to this article, or download Sniftran from its GitHub repository.
Unzip and save fgt2eth.exe (or sniftran.exe) in a specific folder.
Access the unit using PuTTY or any other SSH client.
Ensure PuTTY is set to log all printable output to a file, and save that log in the folder where fgt2eth.exe is saved.
Run the following command (the final arguments must be '6 0': verbosity 6 prints the header and the full frame data including the Ethernet header and the interface name, which the conversion tools need; a count of 0 means no packet limit, so the sniffer runs until it is stopped):
diagnose sniffer packet any 'host 8.8.8.8 and icmp' 6 0
Start the ping to 8.8.8.8 on the test unit. The FortiGate CLI packet sniffer prints each matching packet as a summary line followed by a hex dump, and PuTTY writes all of it to the log file.
When finished, press Ctrl-C to stop the sniffer.
Open the command prompt on the Windows machine and navigate to the directory where fgt2eth.exe (or sniftran.exe) and the SSH log are saved. To move between folders, use 'cd', and to verify the list of files in the directory, use 'dir'.
Run whichever tool was downloaded in the command prompt, giving the PuTTY log as input and the name of the PCAP file to create as output:
fgt2eth.exe -in <ssh_log_name.txt> -out <pcap_name.pcap>
sniftran.exe -in <ssh_log_name.txt> -out <pcap_name.pcap>
Go to the folder and open the PCAP using Wireshark.
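The conversion the two tools perform is simple enough to see end to end. The script below is added here as an illustration; it is not part of this article and is not the code of fgt2eth or Sniftran. It reads a PuTTY log containing verbosity-6 sniffer output, rebuilds each frame from the hex dump, checks that nothing was lost in the log, and writes a classic pcap file that Wireshark opens directly (so text2pcap is not needed). The sample log embedded in it is constructed, not a real capture: one 42-byte ICMP echo request and its reply with valid checksums, wrapped in a PuTTY banner, the echoed command and the sniffer preamble. The exact layout of the packet header and hex-dump lines that the parser expects is an assumption stated in the docstring; the '-in'/'-out' flags only mirror those of fgt2eth.

```python
"""
Convert 'diagnose sniffer packet <intf> '<filter>' 6 0' text output, as logged
by PuTTY, into a classic pcap file that Wireshark opens directly.

Assumed verbosity-6 layout for one packet (an assumption of this example;
compare it with your own log before relying on it):
    <secs>.<usecs> <interface> <in|out> <summary>
    0x0000   <up to eight 4-hex-digit groups>   <ascii column>
    0x0010   ...
Timestamps are the sniffer's default relative ones, so Wireshark will show
1970 dates. Anything else (PuTTY banner, echoed command, 'interfaces=[...]'
and 'filters=[...]' lines, prompts) is skipped.
"""
import re
import struct
import sys

# "2.846571 port1 out 192.168.1.1 -> 8.8.8.8: icmp: echo request"
PKT_RE = re.compile(r"^\s*(\d+)\.(\d+)\s+(\S+)\s+(in|out)\s+(.+?)\s*$")
# "0x0010   001c 0000 4000 4001 6928 c0a8 0101 0808   ....@.@.i(......"
# Captures at most eight 4-digit hex groups; the ASCII column is not captured.
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{4}(?=\s|$)\s?){1,8})")

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1     # verbosity 6 dumps include the Ethernet header


def parse_sniffer_log(text):
    """Return packets as dicts with ts_sec, ts_usec, iface, dir, summary, data."""
    packets, cur = [], None
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            sec, frac, iface, direction, summary = m.groups()
            cur = {"ts_sec": int(sec), "ts_usec": int(frac.ljust(6, "0")[:6]),
                   "iface": iface, "dir": direction, "summary": summary,
                   "data": bytearray(), "truncated": False}
            packets.append(cur)
            continue
        m = HEX_RE.match(line)
        if m and cur is not None:
            # Offsets must be contiguous; a gap means hex lines were lost in the
            # log (scrollback limit, line wrapping) and the frame is unusable.
            if int(m.group(1), 16) != len(cur["data"]):
                cur["truncated"] = True
            cur["data"] += bytes.fromhex(re.sub(r"\s", "", m.group(2)))
    return [p for p in packets if p["data"] and not p["truncated"]]


def ipv4_checksum_ok(hdr):
    """One's-complement sum over the IPv4 header (checksum included) must be 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def frame_issues(pkt):
    """Sanity checks before trusting a frame; only IPv4-over-Ethernet is inspected."""
    data, issues = pkt["data"], []
    if len(data) >= 34 and data[12:14] == b"\x08\x00":   # EtherType IPv4
        ihl = (data[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", data[16:18])[0]
        if 14 + ip_len != len(data):
            issues.append("IPv4 total length %d does not match %d captured bytes"
                          % (ip_len, len(data) - 14))
        if not ipv4_checksum_ok(bytes(data[14:14 + ihl])):
            issues.append("IPv4 header checksum invalid (hex dump corrupted or mis-parsed)")
    return issues


def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize packets as a little-endian libpcap 2.4 file (24-byte global header)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for p in packets:
        n = len(p["data"])
        out += struct.pack("<IIII", p["ts_sec"], p["ts_usec"], n, n)  # record header
        out += p["data"]
    return bytes(out)


def convert_file(in_path, out_path):
    """Convert a PuTTY log to pcap, printing a warning per suspect frame; return count."""
    with open(in_path, encoding="utf-8", errors="replace") as f:
        pkts = parse_sniffer_log(f.read())
    for p in pkts:
        for issue in frame_issues(p):
            print("warning: %s %s at %d.%06d: %s"
                  % (p["iface"], p["dir"], p["ts_sec"], p["ts_usec"], issue), file=sys.stderr)
    with open(out_path, "wb") as f:
        f.write(build_pcap(pkts))
    return len(pkts)


# Constructed sample log (not a real capture): PuTTY banner, echoed command,
# sniffer preamble, one 42-byte ICMP echo request and its reply, checksums valid.
SAMPLE_LOG = """=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.02.10 10:00:00 =~=~=~=~=~=~=~=~=~=~=~=
FGT # diagnose sniffer packet any 'host 8.8.8.8 and icmp' 6 0
interfaces=[any]
filters=[host 8.8.8.8 and icmp]
2.846571 port1 out 192.168.1.1 -> 8.8.8.8: icmp: echo request
0x0000\t 0000 0000 0001 0009 0f09 0002 0800 4500\t..............E.
0x0010\t 001c 0000 4000 4001 6928 c0a8 0101 0808\t....@.@.i(......
0x0020\t 0808 0800 f7fd 0001 0001\t..........
2.851234 port1 in 8.8.8.8 -> 192.168.1.1: icmp: echo reply
0x0000\t 0009 0f09 0002 0000 0000 0001 0800 4500\t..............E.
0x0010\t 001c 0000 4000 4001 6928 0808 0808 c0a8\t....@.@.i(......
0x0020\t 0101 0000 fffd 0001 0001\t..........
FGT #
"""

if __name__ == "__main__":
    if len(sys.argv) == 5 and sys.argv[1] == "-in" and sys.argv[3] == "-out":
        print("wrote %d packets to %s" % (convert_file(sys.argv[2], sys.argv[4]), sys.argv[4]))
    else:  # no arguments: demonstrate on the constructed sample
        sample = parse_sniffer_log(SAMPLE_LOG)
        print("parsed %d frames, pcap would be %d bytes" % (len(sample), len(build_pcap(sample))))
```

Run it as 'python fgt2pcap.py -in putty.log -out ping.pcap' and open ping.pcap in Wireshark. The offset check and the IPv4 length and checksum checks are the part worth keeping even if the rest is replaced: a log with a scrollback limit or with wrapped lines silently produces frames that Wireshark will dissect wrongly, and these checks flag them before the file is handed to someone else. Interface name and direction are parsed but not written, because classic pcap has no place for them; that per-packet annotation is what Sniftran's PCAPng comments add.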
Sniftran features:
Automatically adds the interface name and traffic direction of each packet to the PCAPng comments section.
Ability to select which interfaces to include in the capture (--include or --exclude parameters).
Ability to decode captures taken on p2p (PPP) interfaces.
Ability to decode captures taken with FortiGate sniffer verbosity option '5' (header and IP data with interface name, without the Ethernet header).
Related articles:
Troubleshooting Tip: Packet capture (CLI sniffer) tips and best practices
Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets
Technical Tip: How to import 'diagnose sniffer packet' data to WireShark - Ethereal application
Third-Party Links:
