Technical Tip: Sniffer capture of network range and boolean expressions and, or, not

It is sometimes necessary to sniffer traffic of entire network range on FortiGate.
It is maybe necessary to add multiple ports in OR expression or negate a specific host.

Note.

It is catching hosts of the whole network range 10.56.240.0/22 and icmp or port 80 or 443 for the network range.

Fortigate # diagnose sniffer packet any 'net 10.56.240.0/22 and (icmp or port (80 or 443))' 4 20
Using Original Sniffing Mode
interfaces=[any]
filters=[net 10.56.240.0/22 and (icmp or port (80 or 443))]
1.227035 port1 in 192.168.91.15.55366 -> 10.56.241.63.80: ack 1236888472
1.227066 port1 in 192.168.91.15.55381 -> 10.56.241.63.80: ack 1356479631
1.228958 port1 out 10.56.241.63.80 -> 192.168.91.15.55382: fin 2291724501 ack 378001807
1.229323 port1 in 192.168.91.15.55382 -> 10.56.241.63.80: ack 2291724502
1.491197 port1 in 192.168.91.15.55406 -> 10.56.241.63.443: syn 4174361748
1.585394 port1 in 192.168.91.15 -> 10.56.241.63: icmp: echo request
1.585444 port1 out 10.56.241.63 -> 192.168.91.15: icmp: echo reply
1.773576 port1 out 10.56.241.63.80 -> 192.168.91.15.54441: psh 937313369 ack 1795059008
1.773822 port1 out 10.56.241.63.80 -> 192.168.91.15.54441: psh 937313462 ack 1795059008
1.773992 port1 out 10.56.241.63.80 -> 192.168.91.15.54441: psh 937313539 ack 1795059008
1.774094 port1 in 192.168.91.15.54441 -> 10.56.241.63.80: ack 937313539

Note.

In below example, it is catching hosts of the whole network range 10.56.240.0/22 and denying a specific host.

Fortigate# diagnose sniffer packet any 'net 10.56.240.0/22 and not host 192.168.91.15 and (icmp or port (80 or 443))' 4 20
Using Original Sniffing Mode
interfaces=[any]
filters=[net 10.56.240.0/22 and not host 192.168.91.15 and (icmp or port (80 or 443))]

29.548648 port1 in 10.56.240.113 -> 10.56.241.63: icmp: echo request
29.548722 port1 out 10.56.241.63 -> 10.56.240.113: icmp: echo reply