One-armed sniffer, only broadcast traffic
Hello!
I am testing the one-armed sniffer functionality on a Fortigate 60E, and I have a problem: I see only some broadcast traffic, no unicast traffic.
Cisco 3750 configuration:
monitor session 1 source vlan 24
monitor session 1 destination interface Fa2/0/11 - 12
Fortigate configuration:
config system interface
    edit "internal7"
        set vdom "root"
        set ips-sniffer-mode enable
        set type physical
        set alias "Sniffer"
        set device-identification enable
        set snmp-index 7
    next
end
On Fa2/0/11 I connect the Fortigate, and on Fa2/0/12 I connect a PC running Wireshark. On Wireshark I can see all the traffic (ICMP, HTTP, etc.); on the Fortigate, only broadcast traffic:
example command diagnose sniffer packet internal7:
.348708 arp who-has 192.168.24.64 tell 192.168.24.1
329.348709 arp who-has 192.168.24.64 tell 192.168.24.1
329.842556 0.0.0.0.5678 -> 255.255.255.255.5678: udp 117
329.842605 0.0.0.0.5678 -> 255.255.255.255.5678: udp 117
329.842763 llc unnumbered, ui, flags [command], length 81
329.843403 192.168.24.34.57378 -> 255.255.255.255.5678: udp 115
329.843438 192.168.24.34.57378 -> 255.255.255.255.5678: udp 115
329.843602 llc unnumbered, ui, flags [command], length 96
330.107867 arp who-has 192.168.24.30 tell 192.168.24.31
330.107867 arp who-has 192.168.24.30 tell 192.168.24.31
330.348694 arp who-has 192.168.24.64 tell 192.168.24.1
330.348697 arp who-has 192.168.24.64 tell 192.168.24.1
331.107879 arp who-has 192.168.24.30 tell 192.168.24.31
331.107927 arp who-has 192.168.24.30 tell 192.168.24.31
331.348814 arp who-has 192.168.24.64 tell 192.168.24.1
331.348833 arp who-has 192.168.24.64 tell 192.168.24.1
331.652233 arp who-has 192.168.24.41 tell 192.168.24.1
331.652249 arp who-has 192.168.24.41 tell 192.168.24.1
On Wireshark I can see all the traffic. Does anybody have any idea what I'm missing? It reminds me of a similar situation, when I was once sniffing traffic with a VMware virtual machine and the network card was not in promiscuous mode.
Any help would be much appreciated.