slautenschlager (Staff)
August 29, 2019

Troubleshooting Tip: Packet Capture on FortiOS GUI


Description


This article describes how to use the built-in packet capture feature in FortiOS from the GUI interface.

 

Scope

 

FortiGate.

Solution


On the v5.6 firmware branch the unit needs a disk, and logging to disk must be enabled.
From firmware version 6.0.2 onwards this restriction no longer applies.

Here is the Step-by-Step guide to capturing packets from the GUI:

  • Go to Network -> Diagnostics -> Packet capture (on legacy firmware, Network -> Packet Capture) and create a new filter.
  • The packet capture page can also be opened directly at https://[management-IP]/ng/page/p/firewall/sniffer/
    (substitute the FortiGate's management IP).
  • Below is the Packet Capture interface:

 

 

The capture can be restricted to one interface and, with 'Enable Filters' selected, filtered by host, port or VLAN.
In the example above, 100 packets would be captured with the selected filters:

IP address 10.205.1.206 and ports 80 and 443 on interface port 3.
If 'Enable Filters' is not selected, all packets on the selected interface are captured.

Results

 
The capture stops automatically once it reaches the maximum packet count configured in the filter settings.
When the capture has completed, the default results view is 'Headers', which shows only the packet headers:
 
capture_headers.png
 

The other available view is 'Packet data'. When 'Packet data' is selected and a packet is highlighted at the top of the window, the raw bytes of that packet are shown at the bottom of the screen:

 

packet_details.png


The output can be saved as a .pcap file by clicking the 'Save as .pcap' button at the bottom of the output window, and the saved .pcap file can then be viewed using Wireshark:

 

save-as-pcap.png

 
 
Note:

A packet capture shows what is happening on the network at a low level, which makes it useful for troubleshooting problems such as:

  • Finding missing or lost traffic/packets.
  • Locating ARP problems, such as the source of a broadcast storm.
  • Confirming which address a computer is using when it has multiple addresses or sits on multiple networks, and confirming that routing works as expected.
  • Diagnosing problems with a particular type of packet, such as UDP, which is commonly used for streaming video.

Limitations:

  • 'any' cannot be selected as the capture interface.
  • At most 10,000 packets can be captured by one packet capture filter.
  • From v7.2 onwards this limit is raised to 50,000.

 

msanjaypadma_0-1646763493505.png

 

On FortiGate v7.2+, this option can be found under Network -> Diagnostics.

 

ethomollari_0-1662633861516.png

 

  • Select Start Capture to watch the live flow of packets.
  • To see all packets, disable auto-asic-offload (or np-acceleration) on the firewall policy concerned: once a session has been offloaded to the NP hardware, its packets no longer pass through the CPU and so never reach the sniffer.

 

3.jpg

 

  • The np-acceleration option is available when the firewall is in profile-based NGFW mode.
  • The capture can be stopped and saved in PCAP format, readable by Wireshark.

 

ethomollari_1-1662634118311.png

 

 

On FortiGate v7.2+, several packet captures cannot run at the same time. In the new packet capture module, the capture also stops as soon as the administrator logs out of the FortiGate GUI.

 

An alternative for a background capture is the CLI sniffer over SSH, using the command below:

 

diagnose sniffer packet <interface name> "<filter>" 6 0 l

Here 6 is the verbosity level (Ethernet header and packet data, with the interface name), 0 is the packet count (0 means capture until interrupted with Ctrl-C) and l prints local timestamps. The output is plain text, not a .pcap, so it has to be converted before it can be opened in Wireshark.
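The CLI sniffer prints text rather than a .pcap, so a background capture taken this way has to be converted before Wireshark can open it. The Python script below is an added example written for this article, not Fortinet's own converter (Fortinet ships a Perl script for the same job). It assumes the verbosity-6 line layout used in the constructed sample it contains (one summary line per frame, then `0xNNNN<tab>hex words<tab>ascii` dump lines) and that the unit's clock is UTC; pass the FortiGate's time zone as `tz` when the `l` option printed local time. The sample frames, IP addresses and MAC addresses are made up.

```python
"""Convert `diagnose sniffer packet <intf> "<filter>" 6 0 l` output to a .pcap.

Added example for this article, not Fortinet's own tool.  It assumes the
verbosity-6 layout of the constructed sample below: one summary line per
frame, followed by hex-dump lines `0xNNNN<tab>hex words<tab>ascii`.
"""
import re
import struct
from datetime import datetime, timezone

# Constructed sample output (not a real capture): a TCP SYN and its SYN/ACK on
# port3, as the CLI prints them with verbosity 6 and local timestamps ("l").
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[port3]
filters=[host 10.205.1.206 and port 443]
2019-08-29 10:15:32.123456 port3 in 10.205.1.206.51234 -> 93.184.216.34.443: syn 1001
0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t..............E.
0x0010\t 0028 0001 0000 4006 0000 0acd 01ce 5db8\t.(....@.......].
0x0020\t d822 c822 01bb 0000 03e9 0000 0000 5002\t."."..........P.
0x0030\t 2000 0000 0000\t......
2019-08-29 10:15:32.223456 port3 out 93.184.216.34.443 -> 10.205.1.206.51234: syn 2002 ack 1002
0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4500\t..............E.
0x0010\t 0028 0001 0000 4006 0000 5db8 d822 0acd\t.(....@...]."...
0x0020\t 01ce 01bb c822 0000 07d2 0000 03ea 5012\t....."........P.
0x0030\t 2000 0000 0000\t......
"""

SUMMARY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) (\S+) (in|out) (.+)$")
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})\t\s*([0-9a-fA-F ]+)\t")


def parse_sniffer_output(text, tz=timezone.utc):
    """Return a list of frames: dicts with ts, iface, direction, summary, data.

    `tz` is the zone the FortiGate printed with the "l" option; UTC is only
    the default so that this example is deterministic.
    """
    frames, current = [], None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            current = {"ts": ts.replace(tzinfo=tz), "iface": m.group(2),
                       "direction": m.group(3), "summary": m.group(4),
                       "data": bytearray()}
            frames.append(current)
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            offset = int(m.group(1), 16)
            if offset != len(current["data"]):  # truncated or reordered dump
                raise ValueError(f"unexpected offset {offset:#06x} in {current['summary']!r}")
            current["data"] += bytes.fromhex(m.group(2).replace(" ", ""))
        # the interfaces=[...] / filters=[...] banner and blank lines are skipped
    return frames


def frames_to_pcap(frames):
    """Serialise frames as a classic libpcap file (magic 0xa1b2c3d4, LINKTYPE_ETHERNET)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for f in frames:
        ts = f["ts"]
        # verbosity 6 dumps the whole frame, so captured length == original length
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond,
                           len(f["data"]), len(f["data"]))
        out += f["data"]
    return bytes(out)


def describe_frame(data):
    """Decode Ethernet/IPv4 and TCP/UDP ports to cross-check the CLI summary line."""
    if len(data) < 34 or data[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    ihl = (data[14] & 0x0F) * 4
    proto = data[23]
    src = ".".join(map(str, data[26:30]))
    dst = ".".join(map(str, data[30:34]))
    l4 = 14 + ihl
    if proto in (6, 17) and len(data) >= l4 + 4:
        sport, dport = struct.unpack("!HH", data[l4:l4 + 4])
        return f"{src}.{sport} -> {dst}.{dport}"
    return f"{src} -> {dst}"


if __name__ == "__main__":
    frames = parse_sniffer_output(SAMPLE_SNIFFER_OUTPUT)
    for f in frames:
        print(f["iface"], f["direction"], len(f["data"]), "bytes:", describe_frame(f["data"]))
    with open("fortigate_capture.pcap", "wb") as fh:  # open this file in Wireshark
        fh.write(frames_to_pcap(frames))
```

Running the script writes fortigate_capture.pcap from the embedded sample. The offset check in parse_sniffer_output raises on a dump that lost lines in the SSH session instead of silently writing a corrupt frame, and describe_frame decodes the bytes independently so the hex can be cross-checked against the CLI summary line.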

 

FortiOS v7.4.3 reintroduces the ability to run several packet captures simultaneously (up to 15), with a limit of 20,000 packets per capture.

  PCAP_7.4.PNG

 

From FortiOS v7.4.4, packet capture criteria can be stored. Once the settings have been configured, the options are Start capture, Save settings for later, or Close.

 

Capture.PNG

 

On v7.4.4, to determine the maximum number of packet captures supported for a given device model, consult the Maximum Values Table and look for the item firewall.on-demand-sniffer.

 

on-demand-sniffer.png

 

Related documents:
Packet capture Document

Embed real-time packet capture and analysis tool on Diagnostics page

Run simultaneous packet captures and use the command palette

Packet capture Help