mbrowndcm
New Member
September 28, 2011
Question

problem with diag sniffer syntax? can't see traffic over certain interfaces

  • September 28, 2011
  • 6 replies
  • 8022 views
Hello, I have a firewall where five interfaces live on five different VLANs. The network that lives on internal1 is 192.168.100.0/24. When I run the following sniffer line, no packets are captured:

diag sniffer packet dmz 'not dst net 192.168.100.0'

The dst net statement is valid pcap filter syntax. Is anyone familiar with why I see no packets being captured? In reality, I'd like to see when traffic traverses an interface destined to an outside address, with a NATed source. But when I run diag sniffer on one of these interfaces (wan2 for instance), I cannot see any packets. None. Thanks, Matt

    6 replies

    ede_pfau
    SuperUser
    September 28, 2011
    Hi, this works:
    diag sniffer packet dmz 'not dst net 192.168.100'
    With the 'net' keyword, cut off the host part - it doesn't have a netmask to do it itself.
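    As an added example (not from this thread), the following Python models the rule libpcap applies to the argument of net: a short dotted number is widened from the left, so net 192.168.100 means 192.168.100.0/24, while the four-octet net 192.168.100.0 with no mask is matched as a single /32 address. The flows and the interface name are constructed for the demonstration.

```python
# Added example: a minimal model of libpcap's "net" primitive, showing why
# 'net 192.168.100' and 'net 192.168.100.0' do not mean the same thing.


def _to_int(octets):
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def parse_net(spec):
    """Return (network, mask) as 32-bit ints for the argument of 'net'."""
    if "/" in spec:
        addr, length = spec.split("/", 1)
        octets = addr.split(".")
        value = _to_int(octets + ["0"] * (4 - len(octets)))
        mask = (0xFFFFFFFF << (32 - int(length))) & 0xFFFFFFFF
        return value & mask, mask
    value = _to_int(spec.split("."))
    mask = 0xFFFFFFFF
    # Short net number: libpcap shifts value and mask left until the high
    # octet is non-zero, so every omitted octet widens the mask by 8 bits.
    # A full four-octet number is never shifted and keeps the /32 mask.
    while value and (value & 0xFF000000) == 0:
        value <<= 8
        mask = (mask << 8) & 0xFFFFFFFF
    return value & mask, mask


def net_matches(ip, spec):
    net, mask = parse_net(spec)
    return _to_int(ip.split(".")) & mask == net


# Constructed sample flows (src, dst) as they might be seen on dmz.
FLOWS = [
    ("10.0.0.5", "192.168.100.10"),  # to a host on the internal1 subnet
    ("10.0.0.5", "192.168.100.0"),   # to the network address itself
    ("10.0.0.5", "8.8.8.8"),         # outbound to an outside address
]


def not_dst_net(spec):
    """Apply the thread's filter 'not dst net <spec>' to FLOWS."""
    return [(s, d) for s, d in FLOWS if not net_matches(d, spec)]
```

    With the three-octet form only the outbound flow survives the filter; with the four-octet form the flow to 192.168.100.10 is still shown, because only the single address 192.168.100.0 was excluded.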
    Carl_Wallmark
    New Member
    September 28, 2011
    What model are you using? If you are using a 200B or above and using the ASIC ports, you need to disable the ASIC while sniffing the traffic. The sniffer works at the CPU level, and when the ASIC handles traffic the packets never reach the CPU.
    emnoc
    New Member
    September 28, 2011
    I agree with Ede, your filter could be the issue. Since you said multiple VLAN interfaces, why not specify the interface and the "host" that you're trying to capture and not use "not", i.e. diag sniff packet dmz 'host 1.1.1.1' or diag sniffer packet inside1 'src net 192.168.101'
    mbrowndcm (Author)
    New Member
    September 29, 2011
    Whoops... the packets' source happened to be NATed inside the firewall, aka any packets had their source changed to that of the NAT when exiting internal3. Assuming that internal1 is the interface facing the VLAN where all of the traffic is being requested from (the session initiators): when I run the following I see nothing but broadcasts:

    diag sniffer packet internal1 'not port 22'

    Is it possible that for some reason some packets aren't being captured? I cannot understand how it's possible that my routes are provided through the firewall, yet I cannot see the traffic, even entering the internal port. Are there any sniffer settings that I'm missing?
    emnoc
    New Member
    September 29, 2011
    fwiw You should always capture on the internal interface, if the packet makes it to the FW and then is NATed or encapsulated, that way you will always see it. It ain't going to sneak by without being noticed if you know exactly what host src & dst and even the port or protocol. I would make my pcap filter expression as tight as possible, e.g. src host 1.1.1.1, vs. src host 1.1.1.1 and dst host 2.2.2.2, vs. src host 1.1.1.1 and dst host 2.2.2.2 and port 80, or even src host 1.1.1.1 and dst host 2.2.2.2 and dst port 80. Hope that helps
    mbrowndcm (Author)
    New Member
    September 30, 2011
    Thanks for your input emnoc. In general, I started by being very specific, and scaled back to be not at all specific. I've performed a port mirror on the port interconnecting to the internal1 interface of the fortigate. Using tcpdump to sniff packets, I see all the packets I wish to see. The problem appears to be that the sniffer on the fortigate itself isn't reporting the packets, even with a filter of 'none'! This is very very strange. Any more points that I should worry about? Thanks! Matt

    [edit]
    fortigate~ (root) # diag sniffer packet any 'host 192.168.100.10'
    interfaces=[any]
    filters=[host 192.168.100.10]
    ... nothing

    tcpdump -i eth0 'host 192.168.100.10'
    ... all the packets!