Description: This article offers some packet capture (sniffer) tips.
Steps or Commands:
Fortinet units include a built-in sniffer to use for debugging purposes.
Details on its usage are explained in the Fortinet Knowledge Base article 'Using the FortiOS built-in packet sniffer'.
The following are suggestions to improve the usability of this tool.
- Always try to include ICMP in the sniffer filter along with your regular traffic filter.
This makes it possible to capture an ICMP error message that can help identify the cause of the problem.
For example, instead of:
# diag sniff packet interface wan1 'tcp port 3389' 3      >> that will show no output
use:
# diag sniff packet interface wan1 'tcp port 3389 or icmp' 3      >> that may show ICMP error: Destination host unreachable
- Use the 'any' interface to confirm that a specific packet is received or sent by the Fortinet device when you do not know which interface it uses.
This essentially enables the sniffer on all interfaces. For example:
# diag sniff packet interface any 'tcp port 3389' 6
- The Fortinet device may not display all packets if too much information is requested for display, or if the volume of traffic being sniffed is significant. When this occurs, the unit logs the following message once the trace is terminated:
12151 packets received by filter
3264 packets dropped by kernel
In that case, the traffic you were attempting to capture may not actually have been captured. To avoid this, try to tighten the display filters, reduce the verbose level, or perform the trace during a lower-traffic period.
- Enabling the sniffer consumes additional CPU resources. This can be as high as an additional 25% of CPU usage on low-end models. Enabling it on a unit that is already experiencing excessively high CPU usage will therefore only make the situation worse. If you must perform a capture, keep the sniffing sessions short.
- Short Ethernet frames sent by the FortiGate may appear to be under the minimum length of 64 bytes (also known as "runts").
This is because the sniffer does not display any Ethernet Trailer/Padding information, although it is sent on the wire.
- The Ethernet source and/or destination MAC addresses may be incorrect when using the "any" interface. They may be displayed as all zeros (00:00:00:00:00:00) or as 00:00:00:00:00:01.
- Running a packet capture while connected through the console port may not capture all the traffic. The speed of the console port is significantly lower than that of other ports, so its output will be truncated.
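As an added example (not part of the original Fortinet article), the following Python script checks a saved CLI session log for the "packets dropped by kernel" summary described above, so that an incomplete trace is not mistaken for proof that a packet never arrived. The `FGT #` prompt, the sample log, the verdict names and the choice to express drops as a percentage of the received count are assumptions made for this example.

```python
import re

# Matches the sniffer command as typed in the article ("diag sniff packet ...").
COMMAND = re.compile(r"diag\w*\s+sniff\w*\s+packet\s+(.*)$")
# Trailer lines printed once a trace is terminated, as quoted in the article.
RECEIVED = re.compile(r"^\s*(\d+) packets received by filter\s*$")
DROPPED = re.compile(r"^\s*(\d+) packets dropped by kernel\s*$")


def classify(received, dropped):
    """Return (verdict, drop_pct) for one trace."""
    if received is None or dropped is None:
        # No summary: the saved session was cut off before the trace ended.
        return "no-summary", None
    if dropped == 0:
        return "complete", 0.0
    # Assumption: express drops as a share of the packets the filter matched.
    pct = round(100.0 * dropped / received, 2) if received else None
    return "incomplete", pct


def audit_traces(log_text):
    """Pair every sniffer command in a saved CLI log with its trailer."""
    traces, current = [], None
    for line in log_text.splitlines():
        if m := COMMAND.search(line):
            current = {"command": m.group(1).strip(), "received": None, "dropped": None}
            traces.append(current)
        elif current is not None:
            if m := RECEIVED.match(line):
                current["received"] = int(m.group(1))
            elif m := DROPPED.match(line):
                current["dropped"] = int(m.group(1))
    for t in traces:
        t["verdict"], t["drop_pct"] = classify(t["received"], t["dropped"])
    return traces


# Constructed session log (the prompt and the third, cut-off trace are made up).
SAMPLE_LOG = """\
FGT # diag sniff packet interface wan1 'tcp port 3389 or icmp' 3
12151 packets received by filter
3264 packets dropped by kernel
FGT # diag sniff packet interface any 'tcp port 3389' 6
40 packets received by filter
0 packets dropped by kernel
FGT # diag sniff packet interface wan1 'icmp' 3
"""

if __name__ == "__main__":
    for t in audit_traces(SAMPLE_LOG):
        print(t["verdict"], t["drop_pct"], t["command"])
```

A trace reported as "incomplete" or "no-summary" should be repeated with a tighter filter, a lower verbose level, or over a faster session than the console port before drawing conclusions from it.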
Troubleshooting Tool: Using the FortiOS built-in packet sniffer
Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions
Copyright 2023 Fortinet, Inc. All Rights Reserved.