raksshaya
Staff
January 29, 2026

Troubleshooting Tip: Packet capture limitations in GUI and extended packet capture using CLI

Description: This article describes the differences between GUI and CLI packet capture on FortiGate, including GUI limitations and the use of CLI for extended packet capture during traffic troubleshooting.

Scope: FortiGate.

Solution:

FortiGate packet capture behavior differs between the graphical user interface (GUI) and the command-line interface (CLI).
Packets can be captured via the GUI by navigating to Network -> Diagnostics -> New Packet Capture.

 

Steps:

  1. Select the required interface.

  2. Configure capture filters as required.

  3. Select Start capture to begin immediately or Save settings to use later.

 

GUI limitations:

There are limits on the number of simultaneous packet captures and the maximum number of packets per capture, which are based on system specifications.

In v7.4.4 and later, to determine the maximum number of packet captures supported per device, use the Maximum Values Table and look for the parameter firewall.on-demand-sniffer.

 

Packet capture initiated from the CLI is not subject to GUI packet count restrictions, and the same is displayed in the GUI as well.

 


 

Note: The built-in GUI CLI must not be used for high-volume packet capture, as it cannot handle large volumes of traffic output.

 

  1. Access the FortiGate via SSH. Large packet capture through the CLI requires SSH access using PuTTY or a similar SSH client. For how to connect to FortiGate using SSH, refer to this article: Technical Tip: How to connect to FortiGate using SSH.
  2. Before starting the packet capture, logging must be enabled in PuTTY.

   

Steps:

  • Open PuTTY.
  • Navigate to Session → Logging.
  • Select Printable output.
  • Enable Always append to the end of the log file.
  • Specify the log file location and other parameters.


 

Reference: Technical Tip: How to create a log file of a session using PuTTY.

 

  3. The following command can be used to run a packet capture:

     

diagnose sniffer packet <interface> "host <IP>" 6 <count> l

 

  • Replace <interface> with the specific interface name if required, or with any.
  • Replace <IP> with the preferred IP address.
  • Replace <count> with the desired number of packets (use 0 for unlimited capture). 
  • Verbosity 6 is generally used for detailed troubleshooting because it shows the Ethernet header (MAC addresses), the IP header, payload data, and confirms which interface the packet is ingressing or egressing.
  • When finished, to stop the capture, use Ctrl+C. 
 
  4. Once the log file is gathered, convert the file to a pcap file so it can be reviewed via Wireshark.
    Technical Tip: How to import 'diagnose sniffer packet' data to WireShark
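
The conversion step above, as an added example (not Fortinet's conversion script and not code from this article): it parses a PuTTY session log of verbosity-6 sniffer output into frames and serializes them as a pcap that Wireshark can open. The line layout, the `FGT #` prompt and every address in the sample are assumptions, and frames are assumed to start at the Ethernet header.

```python
import re
import struct
from datetime import datetime, timezone

# Assumed verbosity-6 layout: a timestamped header line, then hex rows "0xOFFS  hex  ascii".
HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.(\d{6}) (\S+) (in|out|--) ")
HEXROW = re.compile(r"^0x([0-9a-f]{4})\s+((?:[0-9a-f]{4} ?)*(?:[0-9a-f]{2})?)")

def parse_sniffer_log(text):
    """Return [(sec, usec, interface, direction, frame_bytes), ...] from a session log."""
    packets, cur = [], None
    for line in text.splitlines():
        h, r = HEADER.match(line), HEXROW.match(line)
        if h:
            # "l" prints device-local wall-clock time; it is stored unchanged, as if UTC.
            dt = datetime.strptime(h.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            cur = [int(dt.timestamp()), int(h.group(2)), h.group(3), h.group(4), bytearray()]
            packets.append(cur)
        elif r and cur is not None:
            # Accept a row only if its offset continues the frame: a gap means the
            # terminal lost output, so keep the contiguous prefix rather than mis-stitch.
            if int(r.group(1), 16) == len(cur[4]):
                cur[4] += bytes.fromhex(r.group(2).replace(" ", ""))
        elif line.strip():
            cur = None  # prompt, PuTTY banner or other console text ends the packet
    return [(s, u, i, d, bytes(f)) for s, u, i, d, f in packets if f]

def to_pcap(packets):
    """Serialize frames as classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, _ifname, _direction, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed sample log (hypothetical prompt, addresses and MACs); row 0x0010 of the
# second packet is deliberately missing to mimic dropped console output.
SAMPLE = """\
=~=~=~=~=~=~=~= PuTTY log 2026.01.29 13:16:50 =~=~=~=~=~=~=~=
FGT # diagnose sniffer packet any "host 10.0.0.1" 6 0 l
2026-01-29 13:16:54.123456 port1 in 10.0.0.1.1234 -> 10.0.0.2.443: syn 1
0x0000   0009 0f09 0001 0009 0f09 0002 0800 4500        ..............E.
0x0010   0028 0001 0000 4006 66cd 0a00 0001 0a00        .(....@.f.......
0x0020   0002 04d2 01bb 0000 0001 0000 0000 5002        ..............P.
0x0030   2000 0000 0000                                 ......
2026-01-29 13:16:54.123789 port1 out 10.0.0.2.443 -> 10.0.0.1.1234: syn 1 ack 2
0x0000   0009 0f09 0002 0009 0f09 0001 0800 4500        ..............E.
0x0020   0001 01bb 04d2 0000 0001 0000 0002 5012        ..............P.
FGT #
"""
```

A frame that comes out shorter than expected, like the second one here, indicates that the session log lost sniffer output and the capture should be repeated with a narrower filter.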

 

Related article: 

Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets