gpinero
New Member
November 19, 2020
Solved

Sniffer using CLI and then convert to wireshark

  • November 19, 2020
  • 1 reply
  • 11280 views

Hi, I'm using this command

diag sniffer packet any "host x.x.x.x" 6 0 a

to capture some traffic, then convert the text file to pcap using the tool fgt2eth.exe.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD30877

 

Then... when I'm going to view it in wireshark, it shows TCP-out-of-order in all the capture.

I tried a lot of captures with different destinations and on different firewalls (models 100D, 300D, 500D), same result: a lot of TCP Out-of-Order.

 

Am I doing something wrong? It is not possible that in all my tests there were errors in communication.

 

 

Same result in all my captures from CLI.

    Best answer by Toshi_Esumi

    If you use "any" for the interface, the same packet likely shows up multiple times in the log, like at the ingress interface and the egress interface, which Wireshark would see as duplicates or retransmissions. If you want to see the output in Wireshark, specify one interface.

    1 reply

    emnoc
    New Member
    November 19, 2020

    What are you trying to capture, mail, http, https traffic? I would filter in on the specific traffic and then use the convert tool. If you have a FGT model with a disk you can skip all of this and run the webGUI

     

    https://<x.x.x address of fgt>/ng/page/p/firewall/sniffer/

     

    I would have thought a 500D would support this and maybe a 300D

     

    Ken Felix

    emnoc
    New Member
    November 19, 2020

    Yeah, and I noticed all of these were FIN and SYN; I would not worry too much about the start and closing.

    Filter in on the port and service 

     

    diag sniffer packet port1 "host x.x.x.x and port 24" is much better than "diag sniffer packet any"

     

    Ken Felix
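The two pieces of advice in this thread (Toshi_Esumi: capture on one interface instead of "any"; emnoc: narrow the filter before converting) can be checked against an existing text capture before it is fed to fgt2eth. The following Python script is an added example and is not code from the thread or from Fortinet. It assumes the verbosity-6 text layout the sniffer prints when run with "any": a header line of timestamp, interface name, in/out direction, "src -> dst: summary", followed by the frame's hex-dump lines. The sample capture embedded below is constructed for the example, as are the interface names port1 and wan1. It reports which packets were logged on more than one interface (the ones Wireshark flags as out-of-order or retransmitted) and can re-emit only one interface's packets in the original layout.

```python
import re
from collections import defaultdict

# Header line of an interface-aware (verbosity 6, absolute timestamp) sniffer record.
# Relative timestamps ("2.100001") are accepted as well. This layout is an
# assumption for the example, not a parser of every FortiOS output variant.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+) "
    r"(?P<iface>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): (?P<summary>.*)$"
)

# Constructed sample: one TCP handshake start captured with "any". Each packet is
# logged twice, once arriving on one interface and once leaving on the other.
SAMPLE = "\n".join([
    "interfaces=[any]",
    'filters=[host 203.0.113.5]',
    "2020-11-19 10:00:00.100001 port1 in 192.168.1.10.51234 -> 203.0.113.5.443: syn 1000",
    "0x0000\t 0011 2233 4455 6677 8899 aabb 0800 4500\t..\"3DUfw......E.",
    "2020-11-19 10:00:00.100050 wan1 out 192.168.1.10.51234 -> 203.0.113.5.443: syn 1000",
    "0x0000\t 0011 2233 4455 6677 8899 aabb 0800 4500\t..\"3DUfw......E.",
    "2020-11-19 10:00:00.120000 wan1 in 203.0.113.5.443 -> 192.168.1.10.51234: syn 5000 ack 1001",
    "0x0000\t 6677 8899 aabb 0011 2233 4455 0800 4500\tfw......\"3DU..E.",
    "2020-11-19 10:00:00.120040 port1 out 203.0.113.5.443 -> 192.168.1.10.51234: syn 5000 ack 1001",
    "0x0000\t 6677 8899 aabb 0011 2233 4455 0800 4500\tfw......\"3DU..E.",
]) + "\n"


def parse_records(text):
    """Split sniffer text into packet records: header fields plus the hex-dump lines."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = dict(m.groupdict(), header=line, hexdump=[])
            records.append(current)
        elif line.startswith("0x") and current is not None:
            current["hexdump"].append(line)
        # preamble lines such as "interfaces=[any]" carry no packet and are skipped
    return records


def duplicates_across_interfaces(records):
    """Map each (src, dst, summary) seen on more than one interface to the interfaces it appeared on.

    The same frame forwarded through the box shows up on the ingress and the egress
    interface with an identical summary (same flags, seq and ack); a genuine
    retransmission from the peer would repeat on the same interface instead.
    """
    seen = defaultdict(list)
    for r in records:
        seen[(r["src"], r["dst"], r["summary"])].append(r["iface"])
    return {key: ifaces for key, ifaces in seen.items() if len(set(ifaces)) > 1}


def keep_interface(records, iface):
    """Keep only the packets logged on one interface, as a single-interface capture would."""
    return [r for r in records if r["iface"] == iface]


def render(records):
    """Re-emit records in the original text layout so the converter still accepts them."""
    lines = []
    for r in records:
        lines.append(r["header"])
        lines.extend(r["hexdump"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} packet records in the 'any' capture")
    for (src, dst, summary), ifaces in duplicates_across_interfaces(recs).items():
        print(f"  {src} -> {dst} [{summary}] logged on: {', '.join(ifaces)}")
    print("--- port1 only, ready for conversion ---")
    print(render(keep_interface(recs, "port1")), end="")
```

Run it on a real capture by replacing SAMPLE with the file contents; if every TCP segment shows up on two interfaces, the out-of-order flags in Wireshark are an artifact of "any", and re-running the sniffer with one interface name (or filtering the text as render() does) removes them.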