FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
gmanea
Staff
Staff
Article Id 196143

Article

Description This article offers some packet capture (sniffer) tips. 
Components
  • All FortiGate, FortiManager, FortiAnalyzer, FortiLog, FortiMail models
Steps or Commands

Fortinet units include a built-in sniffer to use for debugging purposes. 

Details on its usage are explained in the Fortinet Knowledge Base article 'Using the FortiOS built-in packet sniffer'.

The following are suggestions to improve the usability of this tool.

- Try to always include ICMP in the sniffer filter along with your regular traffic filter

It is possible to capture an ICMP error message that can help identify the cause of the problem. 

For example, instead of

# diag sniff packet interface wan1 'tcp port 3389' 3   >> that will show no output

Use

# diag sniff packet interface wan1 'tcp port 3389 or icmp' 3  >> that may show ICMP error: Destination host unreachable

- It is possible to use the 'any' interface if you want to confirm that a specific packet is received or sent by the Fortinet device, without specifically knowing on which interface this may be. 

This will essentially enable the sniffer for all interfaces. For example, diag sniff packet interface any 'tcp port 3389' 6

- The Fortinet device may not display all packets if too much information is requested to be displayed, or the traffic being sniffed is significant. When this occurs, the unit will log the following message once the trace is terminated:

12151 packets received by filter

3264 packets dropped by kernel

When this occurs, it is possible that what you were attempting to capture was not actually captured. In order to avoid this, you may try to tighten the display filters, reduce the verbose level, or perform the trace during a lower traffic period.

- Enabling the sniffer will consume additional CPU resources. This can be as high as an additional 25% of CPU usage on low-end models. Therefore, enabling this on a unit that is experiencing excessively high CPU usage can only render the situation worse. If you must perform a capture, keep the sniffing sessions short.

 

- Short Ethernet frames sent by the FortiGate may appear to be under the minimum length of 64 bytes (also known as "runts"). 

This is because the sniffer does not display any Ethernet Trailer/Padding information, although it is sent on the wire.

- The Ethernet source and/or destination MAC addresses may be incorrect when using the "any" interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01

- Running a packet capture while connecting on the Console port may not capture all the traffic. The speed of the console port is significantly lower than other ports, so its output will be truncated

 

Related Articles

Troubleshooting Tool: Using the FortiOS built-in packet sniffer

Technical Tip: Verifying and troubleshooting FortiGuard updates status and versions

Contributors