Description: This article describes some packet capture (sniffer) tips.
Scope: FortiGate, FortiManager, FortiAnalyzer, FortiLog, and FortiMail.
Solution:
Fortinet units include a built-in sniffer to use for debugging purposes. Details on its usage are explained in the Fortinet Knowledge Base article 'Using the FortiOS built-in packet sniffer'.
The following are suggestions to improve the usability of this tool.
Include ICMP in the capture filter so that error messages related to the filtered traffic are also displayed. For example, instead of:

diagnose sniffer packet wan1 'tcp port 3389' 3

which shows no output, use:

diagnose sniffer packet wan1 'tcp port 3389 or icmp' 3

which may show an ICMP error such as 'Destination host unreachable' on interface wan1.
Use 'any' as the interface name. This essentially enables the sniffer on all interfaces at once. For example:

diagnose sniffer packet any 'tcp port 3389' 6
When the sniffer is stopped, it prints a summary such as:

12151 packets received by filter. 3264 packets dropped by the kernel.

When packets are dropped by the kernel, the traffic being looked for may not actually have been captured. To avoid this, tighten the display filter, reduce the verbose level, or perform the trace during a period of lower traffic.
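The following added example (not from the article or from Fortinet) parses the sniffer's closing counters shown above and reports the article's remedies when the capture was lossy; the interfaces=/filters= banner lines in the constructed sample are an assumption about the sniffer's output, not something the article shows.

```python
import re

# Constructed sample of a sniffer session's final lines. The counter line
# reproduces the format quoted in the article; the interfaces=/filters=
# header lines are an assumption about the sniffer's banner, not taken
# from the article.
SAMPLE_SESSION = """\
interfaces=[wan1]
filters=[tcp port 3389]
12151 packets received by filter. 3264 packets dropped by the kernel.
"""

SUMMARY_RE = re.compile(
    r"(?P<received>\d+) packets received by filter\.\s*"
    r"(?P<dropped>\d+) packets dropped by the kernel\."
)
FILTER_RE = re.compile(r"^filters=\[(?P<expr>.*)\]$", re.MULTILINE)


def parse_summary(session_text):
    """Return (received, dropped) from the closing counters, or None if absent."""
    m = SUMMARY_RE.search(session_text)
    return (int(m["received"]), int(m["dropped"])) if m else None


def drop_ratio(received, dropped):
    """Share of filter-matched packets the kernel discarded before they were printed."""
    return dropped / received if received else 0.0


def assess_capture(session_text, max_drop_ratio=0.01):
    """Flag a lossy capture and list the article's remedies; also note a
    TCP-only filter that would hide ICMP error replies."""
    findings = []
    counters = parse_summary(session_text)
    if counters is None:
        findings.append("no summary counters found: capture ended abnormally")
    else:
        received, dropped = counters
        if drop_ratio(received, dropped) > max_drop_ratio:
            findings.append(
                f"{dropped} of {received} matched packets dropped by the kernel: "
                "tighten the filter, lower the verbose level, or capture at a quieter time"
            )
    f = FILTER_RE.search(session_text)
    if f and "tcp" in f["expr"] and "icmp" not in f["expr"]:
        findings.append("filter matches TCP only: add 'or icmp' to see unreachable errors")
    return findings
```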
Check whether a sniffer is already running before starting a new one:

diagnose sys process pidof snifferd

If no output is returned, no sniffer is running. If a PID is shown, stop it by terminating that process.
Related articles:
Troubleshooting Tip: Using the FortiOS built-in packet sniffer
Technical Tip: Using GUI debug flow tool in FortiOS 7.2.0 to capture traffic
Copyright 2025 Fortinet, Inc. All Rights Reserved.