billp
New Member
December 8, 2009
Question

Simple way to capture packets from specific address/port?

  • December 8, 2009
  • 5 replies
  • 4663 views
I have a few workstations that are routinely sending about 300 bytes of data to a single IP address that I cannot identify. No rDNS available. It's sending out on TCP port 80 and UDP port 370. Is there a way to use the Fortigate or FortiAnalyzer to capture just those packets for a brief time so I can see what data is being transferred, and if this is a trojan of some sort? Our previous firewall could dump a Wireshark-compatible file in situations like this. Application Control is reporting the traffic as http.proxy. I see the FortiAnalyzer has a Network Analyzer tool, but was hoping I could just set up a firewall rule to capture the packets for a few minutes and dump them to a file for analysis. Any suggestions? Thanks. Bill

    5 replies

    Carl_Wallmark
    New Member
    December 8, 2009
    Yes, it's possible. First of all, you need to create a custom IPS that can be triggered by the IP and port (port 80 and 370). Then you can create an IPS override and enable packet log (requires FortiOS 4.00). As a result, you will be able to look inside that package, download the packet in a .pcap file, and open it in Wireshark =) Good luck!
    p768
    New Member
    December 11, 2009
    FortiGates can also tcpdump: use the command 'diagnose sniffer packet', use debug level 3, then you need to convert the output using a script file. See http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30877&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=1384921&stateId=0%200%201386816
    Contributor
    April 29, 2010
    How do you change the debug level? I am unable to get this command to work:
    diag debug en
    diag sniffer packet port1 'tcp and 21' 3
    I put the 3 for debug level 3... is that right?
    laf
    New Member
    May 3, 2010
    Yes, you're right. Just the needed debug level at the end of the command.
    red_adair
    New Member
    May 7, 2010
    # diag debug ena
    # diag sniff pack <interface> "tcp port 80 or UDP port 370 and host <host-ip>" 3 -R.
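The two CLI replies above (p768's note that the level-3 sniffer output has to be converted with a script before Wireshark can open it, and red_adair's `diag sniff pack ... 3` command) leave the conversion step to a KB-linked script. The following is an added example, not code from this thread or from Fortinet: a small Python converter that turns the verbose (level 3) `diagnose sniffer packet` text into a pcap file, plus a minimal IPv4/TCP/UDP header decode so you can confirm the capture really contains the suspect host and ports before opening it in Wireshark. It assumes the sniffer prints one summary line per packet (relative timestamp, interface, direction) followed by `0x0000`-style hex-dump lines whose ASCII column is separated from the hex words by a tab or several spaces; the sample output embedded below is constructed by hand (checksums left as 0000) to match that layout, not a real capture.

```python
import re
import struct

# Constructed sample of `diagnose sniffer packet port1 '<filter>' 3` output:
# one hand-built TCP SYN to port 80 and one UDP datagram to port 370,
# both from 192.168.1.10 to 203.0.113.5 (IP/TCP/UDP checksums are 0000;
# this is illustrative data, not a real FortiGate capture).
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[port1]
filters=[host 203.0.113.5]
2.675286 port1 out 192.168.1.10.49152 -> 203.0.113.5.80: syn 1
0x0000\t 0009 0f09 0001 0009 0f89 1000 0800 4500\t..............E.
0x0010\t 0028 0001 4000 4006 0000 c0a8 010a cb00\t.(..@.@.........
0x0020\t 7105 c000 0050 0000 0001 0000 0000 5002\tq....P......P.
0x0030\t 2000 0000 0000\t ......
2.675310 port1 out 192.168.1.10.49153 -> 203.0.113.5.370: udp 4
0x0000\t 0009 0f09 0001 0009 0f89 1000 0800 4500\t..............E.
0x0010\t 0020 0002 4000 4011 0000 c0a8 010a cb00\t. ..@.@.........
0x0020\t 7105 c001 0172 000c 0000 dead beef\tq....r......
"""

# Per-packet summary line: "<seconds> <iface> <in|out|--> <rest>" (assumed layout).
PKT_HEADER = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+(in|out|--)\s+(.*)$")
# Hex-dump line: offset, then 16-bit words separated by single spaces; the
# ASCII column that follows is separated by a tab or multiple spaces, so the
# single-space requirement keeps it out of the match.
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})")

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap, native byte order
LINKTYPE_ETHERNET = 1     # sniffer dumps start at the Ethernet header


def parse_sniffer_output(text):
    """Return a list of (timestamp_seconds, frame_bytes) from sniffer text."""
    packets = []
    current = None  # [timestamp, bytearray] of the packet being assembled
    for line in text.splitlines():
        hm = HEX_LINE.match(line)
        if hm and current is not None:
            current[1] += bytes.fromhex(hm.group(1).replace(" ", ""))
            continue
        ph = PKT_HEADER.match(line)
        if ph:
            if current is not None and current[1]:
                packets.append((current[0], bytes(current[1])))
            current = [float(ph.group(1)), bytearray()]
        # Anything else (interfaces=, filters=, blank lines) is metadata.
    if current is not None and current[1]:
        packets.append((current[0], bytes(current[1])))
    return packets


def to_pcap(packets, snaplen=65535):
    """Serialise (timestamp, frame) pairs as a classic libpcap file."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def summarize(frame):
    """Decode just enough Ethernet/IPv4/L4 to check what the filter caught."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {"proto": "non-ipv4"}
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    info = {"src": src, "dst": dst,
            "proto": {6: "tcp", 17: "udp"}.get(proto, str(proto))}
    if proto in (6, 17) and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


if __name__ == "__main__":
    import sys
    # Usage: python fgt2pcap.py sniffer.txt  (writes capture.pcap)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SNIFFER_OUTPUT
    pkts = parse_sniffer_output(src)
    for ts, frame in pkts:
        print(f"{ts:.6f} {summarize(frame)}")
    with open("capture.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
```

Save the CLI session to a text file (most terminal clients can log it), run the script on that file, and open `capture.pcap` in Wireshark. Only the hex-dump bytes are trusted for the pcap; the summary lines are used solely for timestamps, so an extra leading space or a different summary wording will not corrupt the frames.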