Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
gmanea
Staff
Staff

Created on ‎02-15-2006 12:00 AM Edited on ‎01-31-2024 05:15 AM By Moderator

Article Id 196143

Troubleshooting Tip: Packet capture (CLI sniffer) tips and best practices

 

Description This article describes some packet capture (sniffer) tips. 
Scope

All FortiGate, FortiManager, FortiAnalyzer, FortiLog, FortiMail models.
Solution

Fortinet units include a built-in sniffer to use for debugging purposes. 

Details on its usage are explained in the Fortinet Knowledge Base article 'Using the FortiOS built-in packet sniffer'.

 

The following are suggestions to improve the usability of this tool.

  • Try to always include ICMP in the sniffer filter along with your regular traffic filter
    It is possible to capture an ICMP error message that can help identify the cause of the problem. 

For example, instead of:

diag sniff packet interface wan1 'tcp port 3389' 3   -> that will show no output.

Use:

diag sniff packet interface wan1 'tcp port 3389 or icmp' 3  -> that may show ICMP error: Destination host unreachable.

  • It is possible to use the 'any' interface if desired to confirm that a specific packet is received or sent by the Fortinet device, without specifically knowing on which interface this may be. 

This will essentially enable the sniffer for all interfaces. For example, diag sniff packet interface any 'tcp port 3389' 6.

 

  • The Fortinet device may not display all packets if too much information is requested to be displayed, or the traffic being sniffed is significant. When this occurs, the unit will log the following message once the trace is terminated:

12151 packets received by filter.

3264 packets dropped by kernel.

 

When this occurs, it is possible that what was attempting to capture was not actually captured. In order to avoid this, try to tighten the display filters, reduce the verbose level, or perform the trace during a lower traffic period.

 

  • Enabling the sniffer will consume additional CPU resources. This can be as high as an additional 25% of CPU usage on low-end models. Therefore, enabling this on a unit that is experiencing excessively high CPU usage can only render the situation worse. If it is necessary to perform a capture, keep the sniffing sessions short.

  • Short Ethernet frames sent by the FortiGate may appear to be under the minimum length of 64 bytes (also known as 'runts'). This is because the sniffer does not display any Ethernet Trailer/Padding information, although it is sent on the wire.

  • The Ethernet source and/or destination MAC addresses may be incorrect when using the 'any' interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.

  • Running a packet capture while connecting to the Console port may not capture all the traffic. The speed of the console port is significantly lower than other ports, so its output will be truncated.

  • On FortiGate 6000 or 7000 series, running a packet capture on 'any' interface from the mgmt-VDOM context will show traffic (not offloaded) running through multiple VDOMs.

  • On FortiGate 6000 and 7000 series, packet captures can be run at the physical level using the prefix 'sw:', i.e.: sw:port4.

 

Related Articles:

Troubleshooting Tool: Using the FortiOS built-in packet sniffer

Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions
Technical Tip: How to import diagnose sniffer packet data to Wireshark 
Technical Tip: How to capture packet traffic at the physical level 

 

55625
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.