Fortinet units include a built-in sniffer to use for debugging purposes. 

Details on its usage are explained in the Fortinet Knowledge Base article 'Using the FortiOS built-in packet sniffer'.

The following are suggestions to improve the usability of this tool.

• Try to always include ICMP in the sniffer filter along with the regular traffic filter
  It is possible to capture an ICMP error message that can help identify the cause of the problem. 
  
  

For example, instead of:

diagnose sniffer packet wan1 'tcp port 3389' 3   -> That will show no output.

Use:

diagnose sniffer packet wan1 'tcp port 3389 or icmp' 3  -> That may show ICMP error: Destination host unreachable on interface wan1.

• It is possible to use the 'any' interface if desired to confirm that a specific packet is received or sent by the Fortinet device, without specifically knowing on which interface this may be. 

This will essentially enable the sniffer for all interfaces. For example, diagnose sniffer packet interface any 'tcp port 3389' 6.

• The Fortinet device may not display all packets if too much information is requested to be displayed, or if the traffic being sniffed is significant. When this occurs, the unit will log the following message once the trace is terminated:

12151 packets received by filter.

3264 packets dropped by the kernel.

When this occurs, it is possible that what was attempting to capture was not actually captured. In order to avoid this, try to tighten the display filters, reduce the verbose level, or perform the trace during a lower traffic period.

• Enabling the sniffer will consume additional CPU resources. This can be as high as an additional 25% of CPU usage on low-end models. Therefore, enabling this on a unit that is experiencing excessively high CPU usage can only render the situation worse. If it is necessary to perform a capture, keep the sniffing sessions short.
  
  

• Short Ethernet frames sent by the FortiGate may appear to be under the minimum length of 64 bytes (also known as 'runts'). This is because the sniffer does not display any Ethernet Trailer/Padding information, although it is sent on the wire.
  
  
• The Ethernet source and/or destination MAC addresses may be incorrect when using the 'any' interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.
  
  
• Running a packet capture while connecting to the Console port may not capture all the traffic. The speed of the console port is significantly lower than that of other ports, so its output will be truncated.
  
  
• On FortiGate 6000 or 7000 series, running a packet capture on 'any' interface from the mgmt-VDOM context will show traffic (not offloaded) running through multiple VDOMs.
  
  
• On FortiGate 6000 and 7000 series, packet captures can be run at the physical level using the prefix 'sw:', i.e., sw:port4.
  
  

• If the browser CLI or SSH CLI session is accidentally closed while running diagnose sniffer, the capture process (snifferd) should terminate automatically. Confirm whether any sniffer is still active with the following command:

diagnose sys process pidof snifferd

If no output is returned, no sniffer is running. If a PID is shown, stop it by terminating the process.

Related articles:

Troubleshooting Tip: Using the FortiOS built-in packet sniffer

Technical Tip : Using GUI debug flow tool in FortiOS 7.2.0 to capture traffic. 
Technical Tip: How to import diagnose sniffer packet data to Wireshark 
Technical Tip: How to capture packet traffic at the physical level