Domoninic
Visitor III
May 23, 2025
Solved

Failed to save packet capture. Error: The string contains XSS vulnerability characters.

  • May 23, 2025
  • 1 reply
  • 946 views

Hi All,

I am trying to create a pcap file to send to an application vendor support team. I need the capture to be one host to either of two hosts. From the CLI, this command captures the required traffic:

diagnose sniffer packet any 'host SOURCE_IP and ( DEST_IP_1 or DEST_IP_2)'

However, I can't see how to export the output as pcap, so I must use the GUI. Creating a capture using advanced filtering does not allow me to save this filter, with the error "Failed to save packet capture. Error: The string contains XSS vulnerability characters." It seems the issue is the ().

So how does one do a packet capture on a FortiGate with an OR and save it to PCAP?

Dominic






abarushka
Staff
May 23, 2025

Hello,

The GUI syntax is different. It is necessary to put only the filter. Please find an example by following the link below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-sniff-traffic-using-FortiOS-GUI-and/ta-p/388225

Domoninic
Author, Answer
Visitor III
May 23, 2025

To clarify: In the GUI I am entering "host SOURCE_IP and ( DEST_IP_1 or DEST_IP_2)" as the advanced filter. Per the linked article I removed the () and the capture works as desired.
But... both the GUI and that article say Advanced filtering parameters should follow the same syntax as when running the 'diagnose sniffer packet'. The CLI accepts the () while the GUI does not, which just creates confusion.
Anyway, thanks for the tip :)