Ted
Staff
March 20, 2026

Technical Tip: How to sniff GENEVE traffic filtered by encapsulated header fields

Description

This article describes how to use the FortiGate built-in packet sniffer to capture GENEVE-encapsulated traffic (UDP/6081) filtered by fields in the inner packet header, such as the inner source or destination IP. This is especially useful in environments such as AWS Gateway Load Balancer (GWLB), where packets arrive encapsulated within GENEVE tunnels. By default, sniffer filters see only the outer Ethernet, IP, and UDP headers, so BPF byte-offset filters using ether[] are required to match values inside the GENEVE payload.

Scope

FortiGate.
Solution

GENEVE encapsulates original frames for transport between tunnel endpoints. The general structure of a GENEVE packet is:

 

[Figure gwlb.png: GENEVE packet structure]


[Outer Ethernet (14 bytes)]

⌞[Outer IP (20 bytes)]

⌞[UDP 6081 (8 bytes)]

⌞[GENEVE Header (40 bytes)]

⌞[Inner IP (20 bytes)]

⌞[Inner Payload]

 

To filter based on the encapsulated packet, the sniffer must examine the raw packet buffer at specific byte offsets, using the expressions:

  • ether[<offset>:<length>]
  • ip[<offset>:<length>]
  • udp[<offset>:<length>]

 

Offsets 96 and 100 point to the inner IP header's source and destination IP fields, respectively:

  1. Source IP → 96 bytes (= 14 + 20 + 8 + 40 + 12).
  2. Destination IP → 100 bytes (= 14 + 20 + 8 + 40 + 16).

 

For example, filtering for inner source IP = 172.31.1.22 (0xac1f0116):

 

diagnose sniffer packet any "udp port 6081 and (ether[96:4] == 0xac1f0116)" 6 0 l

 

However, these offsets apply only when the encapsulation has the following structure:

  • Standard outer Ethernet header → 14 bytes.
  • No outer IP options → 20-byte outer IP header.
  • GENEVE header with options → 40 bytes. With the minimum 8-byte GENEVE header (no options), the inner IP header starts 32 bytes earlier and the offsets must be reduced accordingly.
  • Standard inner IP header → 20 bytes.

 

The same filter can also be written relative to the outer IP header (ip[]) or the UDP header (udp[]). The following variants match the address in either the inner source or the inner destination field, so they capture both directions of the flow:

 

diagnose sniffer packet any 'port 6081 and ((ether[96:4]=0xac1f0116) or (ether[100:4]=0xac1f0116))' 6 0 l

diagnose sniffer packet any 'port 6081 and ((ip[80:4]=0xac1f0116) or (ip[84:4]=0xac1f0116))' 6 0 l

diagnose sniffer packet any 'port 6081 and ((udp[60:4]=0xac1f0116) or (udp[64:4]=0xac1f0116))' 6 0 l
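The offset arithmetic above (inner IP header = outer Ethernet + outer IP + UDP + GENEVE), the caveat that a GENEVE header without options moves every offset, and the three ether[]/ip[]/udp[] filter forms can all be checked against a real frame rather than done by hand. The following script is an added example, not part of the original article or of FortiOS: it parses a verbosity-6 sniffer hex dump (the first packet from the article's output is embedded as sample input), reads the outer IHL and the GENEVE Opt Len from the bytes, reports the inner addresses and the byte offsets of their fields in all three forms, and generates the bidirectional filter string. The function and class names (GeneveLayout, parse_geneve_frame, bidirectional_filter, strip_geneve_options) are assumptions of this example. Note that the frame-relative offsets it computes from the 14-byte Ethernet header in the dump come to 94/98, two bytes less than the ether[96]/ether[100] quoted above, whereas the ip[] and udp[] offsets (80/84 and 60/64) do not depend on the link-layer header and agree with the article; when in doubt, confirm with a short capture that the bytes at the chosen offset really hold the address.

```python
import re
import struct
from dataclasses import dataclass

GENEVE_PORT = 6081
ETHERTYPE_IPV4 = 0x0800
HEX_WORD = re.compile(r"[0-9a-fA-F]{4}")

# First packet of the article's sniffer output, used here as sample input.
SAMPLE_DUMP = r"""
0x0000 0000 0000 0001 020e 1f8f df59 0800 4500 ...........Y..E.
0x0010 0080 0000 0000 ff11 5db3 ac1f 027e ac1f ........]....~..
0x0020 02fd f1d3 17c1 006c 6c5c 0800 0800 0000 .......ll\......
0x0030 0000 0108 0102 ace1 efd3 4758 d96f 0108 ..........GX.o..
0x0040 0202 0000 0000 0000 0000 0108 0301 9e5e ...............^
0x0050 9048 4500 003c 6b74 4000 3f06 f69f ac1f .HE..<kt@.?.....
0x0060 0116 8efb 9d77 9dde 01bb f45a f261 0000 .....w.....Z.a..
0x0070 0000 a002 f507 2904 0000 0204 20ad 0402 ......).........
0x0080 080a 4edb 6021 0000 0000 0103 0307 ..N.`!........
"""

@dataclass
class GeneveLayout:
    link_len: int       # outer Ethernet header (14 bytes in the dump)
    outer_ip_len: int   # outer IPv4 header, IHL * 4 (20 without options)
    geneve_len: int     # 8-byte base header + Opt Len * 4 bytes of options
    inner_src: str
    inner_dst: str
    udp_len: int = 8

    def offsets(self) -> dict:
        """Offsets of the inner src/dst address fields relative to the frame
        (ether[]), the outer IP header (ip[]) and the UDP header (udp[])."""
        inner = self.link_len + self.outer_ip_len + self.udp_len + self.geneve_len
        bases = {"ether": 0, "ip": self.link_len, "udp": self.link_len + self.outer_ip_len}
        return {n: {"src": inner + 12 - b, "dst": inner + 16 - b} for n, b in bases.items()}

def sniffer_dump_to_bytes(dump: str) -> bytes:
    """Convert verbosity-6 sniffer hex lines (offset, up to 8 words, ASCII column) to bytes."""
    words = []
    for line in dump.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            tokens = tokens[1:]             # drop the 0xNNNN offset column
        for tok in tokens[:8]:
            if not HEX_WORD.fullmatch(tok):
                break                       # reached the ASCII column
            words.append(tok)
    return bytes.fromhex("".join(words))

def parse_geneve_frame(frame: bytes) -> GeneveLayout:
    """Walk Ethernet -> IPv4 -> UDP/6081 -> GENEVE, reading each header length from the packet."""
    link_len = 14
    if len(frame) < link_len + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not Ethernet/IPv4")
    outer_ip_len = (frame[link_len] & 0x0F) * 4
    if frame[link_len + 9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    udp = link_len + outer_ip_len
    if len(frame) < udp + 8 or struct.unpack_from("!H", frame, udp + 2)[0] != GENEVE_PORT:
        raise ValueError("truncated UDP header or destination port is not 6081")
    gen = udp + 8
    if len(frame) < gen + 8 or frame[gen] >> 6 != 0:
        raise ValueError("truncated GENEVE header or unsupported version")
    geneve_len = 8 + (frame[gen] & 0x3F) * 4   # Opt Len field is in 4-byte words
    if struct.unpack_from("!H", frame, gen + 2)[0] != ETHERTYPE_IPV4:
        raise ValueError("encapsulated protocol is not IPv4")
    inner = gen + geneve_len
    if len(frame) < inner + 20:
        raise ValueError("truncated inner IPv4 header")
    to_ip = lambda b: ".".join(str(x) for x in b)
    return GeneveLayout(link_len, outer_ip_len, geneve_len,
                        to_ip(frame[inner + 12:inner + 16]), to_ip(frame[inner + 16:inner + 20]))

def field_u32(frame: bytes, offset: int) -> int:
    """Value the sniffer compares for ether[<offset>:4] on this frame."""
    return int.from_bytes(frame[offset:offset + 4], "big")

def bidirectional_filter(layout: GeneveLayout, addr: str, base: str = "ip") -> str:
    """Sniffer filter matching addr as inner source or destination (base: ether, ip or udp)."""
    off = layout.offsets()[base]
    value = "0x" + bytes(int(o) for o in addr.split(".")).hex()
    return (f"port {GENEVE_PORT} and (({base}[{off['src']}:4]={value}) "
            f"or ({base}[{off['dst']}:4]={value}))")

def strip_geneve_options(frame: bytes) -> bytes:
    """Constructed variant of frame with the GENEVE options removed (Opt Len = 0), to show how
    the offsets move. Outer IP/UDP length fields are fixed up; checksums are left stale."""
    layout = parse_geneve_frame(frame)
    gen = layout.link_len + layout.outer_ip_len + 8
    removed = layout.geneve_len - 8
    out = bytearray(frame[:gen + 8] + frame[gen + layout.geneve_len:])
    out[gen] &= 0xC0                                # clear Opt Len, keep the version bits
    for pos in (layout.link_len + 2, layout.link_len + layout.outer_ip_len + 4):
        struct.pack_into("!H", out, pos, struct.unpack_from("!H", out, pos)[0] - removed)
    return bytes(out)

if __name__ == "__main__":
    gwlb = sniffer_dump_to_bytes(SAMPLE_DUMP)
    for label, frame in (("40-byte GENEVE header", gwlb), ("8-byte GENEVE header", strip_geneve_options(gwlb))):
        layout = parse_geneve_frame(frame)
        print(label, layout.inner_src, "->", layout.inner_dst, layout.offsets())
        print("  ", bidirectional_filter(layout, layout.inner_src, "ether"))
```

Paste the hex lines of any packet from a `diagnose sniffer packet ... 6` run into SAMPLE_DUMP to get the offsets for that deployment's encapsulation; the second pass over the constructed options-free frame shows the same inner addresses landing 32 bytes earlier, which is exactly the shift the caveat above warns about.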

 

Example:

 

FGVM16TM00000000 # diagnose sniffer packet any 'port 6081 and ((ether[96:4]=0xac1f0116) or (ether[100:4]=0xac1f0116))' 6 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 6081 and ((ether[96:4]=0xac1f0116) or (ether[100:4]=0xac1f0116))]
2026-03-18 23:52:29.378403 port1 in 172.31.2.126.61907 -> 172.31.2.253.6081: udp 100
0x0000 0000 0000 0001 020e 1f8f df59 0800 4500 ...........Y..E.
0x0010 0080 0000 0000 ff11 5db3 ac1f 027e ac1f ........]....~..
0x0020 02fd f1d3 17c1 006c 6c5c 0800 0800 0000 .......ll\......
0x0030 0000 0108 0102 ace1 efd3 4758 d96f 0108 ..........GX.o..
0x0040 0202 0000 0000 0000 0000 0108 0301 9e5e ...............^
0x0050 9048 4500 003c 6b74 4000 3f06 f69f ac1f .HE..<kt@.?.....
0x0060 0116 8efb 9d77 9dde 01bb f45a f261 0000 .....w.....Z.a..
0x0070 0000 a002 f507 2904 0000 0204 20ad 0402 ......).........
0x0080 080a 4edb 6021 0000 0000 0103 0307 ..N.`!........

2026-03-18 23:52:29.378455 port1 out 172.31.2.253.61907 -> 172.31.2.126.6081: udp 100
0x0000 0000 0000 0000 0271 b697 3a15 0800 4500 .......q..:...E.
0x0010 0080 40ed 0000 4011 dbc6 ac1f 02fd ac1f ..@...@.........
0x0020 027e f1d3 17c1 006c 6c5c 0800 0800 0000 .~.....ll\......
0x0030 0000 0108 0102 ace1 efd3 4758 d96f 0108 ..........GX.o..
0x0040 0202 0000 0000 0000 0000 0108 0301 9e5e ...............^
0x0050 9048 4500 003c 6b74 4000 3e06 f79f ac1f .HE..<kt@.>.....
0x0060 0116 8efb 9d77 9dde 01bb f45a f261 0000 .....w.....Z.a..
0x0070 0000 a002 f507 2904 0000 0204 20ad 0402 ......).........
0x0080 080a 4edb 6021 0000 0000 0103 0307 ..N.`!........

2026-03-18 23:52:29.397286 port1 in 172.31.2.126.61907 -> 172.31.2.253.6081: udp 100
0x0000 0000 0000 0001 020e 1f8f df59 0800 4500 ...........Y..E.
0x0010 0080 0000 0000 ff11 5db3 ac1f 027e ac1f ........]....~..
0x0020 02fd f1d3 17c1 006c 6c5c 0800 0800 0000 .......ll\......
0x0030 0000 0108 0102 ace1 efd3 4758 d96f 0108 ..........GX.o..
0x0040 0202 0000 0000 0000 0000 0108 0301 9e5e ...............^
0x0050 9048 4500 003c 0000 4000 6e06 3314 8efb .HE..<..@.n.3...
0x0060 9d77 ac1f 0116 01bb 9dde b46b 6a07 f45a .w.........kj..Z
0x0070 f262 a012 ffff 8eb6 0000 0204 0584 0402 .b..............
0x0080 080a 83d1 0828 4edb 6021 0103 0308 .....(N.`!....

2026-03-18 23:52:29.397318 port1 out 172.31.2.253.61907 -> 172.31.2.126.6081: udp 100
0x0000 0000 0000 0000 0271 b697 3a15 0800 4500 .......q..:...E.
0x0010 0080 40ee 0000 4011 dbc5 ac1f 02fd ac1f ..@...@.........
0x0020 027e f1d3 17c1 006c 6c5c 0800 0800 0000 .~.....ll\......
0x0030 0000 0108 0102 ace1 efd3 4758 d96f 0108 ..........GX.o..
0x0040 0202 0000 0000 0000 0000 0108 0301 9e5e ...............^
0x0050 9048 4500 003c 0000 4000 6d06 3414 8efb .HE..<..@.m.4...
0x0060 9d77 ac1f 0116 01bb 9dde b46b 6a07 f45a .w.........kj..Z
0x0070 f262 a012 ffff 8eb6 0000 0204 0584 0402 .b..............
0x0080 080a 83d1 0828 4edb 6021 0103 0308 .....(N.`!....