dbabic
Staff
Description
This article describes the options available for packet capture in FortiAuthenticator.

Solution
1) GUI packet capture

Go to System -> Network -> Packet Capture

Start a capture on a specific interface, stop it, and download the results.

Pros: Easily available in GUI. Useful if only HTTPS access to the unit is available.

Cons: It is not possible to configure any host/protocol/port filters; everything on the interface is captured. The only filtering options are: maximum number of packets, IPv6 on/off, and non-IP packets on/off.

2) SSH: tcpdump
#execute tcpdump <arguments> <filter>
This is standard tcpdump. Options can be listed with execute tcpdump --help.
See the tcpdump man page for more details: https://www.tcpdump.org/manpages/tcpdump.1.html

Below is a selection of useful options:

-i <interface name> : specify the interface on which to run packet capture
-c <number> : specify maximum number of packets to display before stopping
-v : increase verbosity when attempting to parse the packet (Default output logs a single line per packet received)
-x : include hex dump of payload (minus ethernet header)
-xx : same as -x + the ethernet header
-n : do not resolve IP addresses and ports to names (faster, and avoids DNS lookups from the unit while troubleshooting)

To stop the packet capture manually, press CTRL + C.

Example usage and output:
#> execute tcpdump -c2 -v -i port1 host 10.109.51.16 and port 1812
tcpdump: listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:25:59.312131 IP (tos 0x0, ttl 125, id 1513, offset 0, flags [none], proto UDP (17), length 63)
    10.109.63.254.62860 > 10.109.51.16.radius: RADIUS, length: 35
        Access-Request (1), id: 0x00, Authenticator: 20202020202031353635383739313539
          User-Name Attribute (1), length: 10, Value: facuser1
          State Attribute (24), length: 3, Value: 1
          User-Password Attribute (2), length: 2, Value:
16:26:00.316067 IP (tos 0x0, ttl 64, id 33022, offset 0, flags [none], proto UDP (17), length 48)
    10.109.51.16.radius > 10.109.63.254.62860: RADIUS, length: 20
        Access-Reject (3), id: 0x00, Authenticator: baa4a0bc365107b0d9c41013856b210d
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Options used in the example:
-c2 : capture two packets, then stop
-v : verbose output (notice how the packets were interpreted as RADIUS communication and the individual attributes printed out)
-i port1 : capture only on interface named "port1"
host 10.109.51.16 and port 1812 : capture filter (capture only packets with host IP 10.109.51.16 and TCP/UDP port 1812)

Pros: Allows detailed filtering to show only the packets relevant for troubleshooting.

Cons: Does not easily allow conversion to a capture file.
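When the console output from "execute tcpdump -v" is pasted into a ticket or saved with a terminal logger, it is often useful to reduce it to "which user, from which client, got which RADIUS answer". The script below is an added example (not code from the page or from Fortinet): it parses the verbose RADIUS lines in the exact shape shown above, pairs each Access-Request with its reply by RADIUS id and client endpoint, and reports requests that never got an answer. The sample input is the page's own two-packet capture, embedded as a constructed string.

```python
import re

# Constructed sample input: the "execute tcpdump -c2 -v -i port1 ..." output shown on this page.
SAMPLE_OUTPUT = """\
tcpdump: listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:25:59.312131 IP (tos 0x0, ttl 125, id 1513, offset 0, flags [none], proto UDP (17), length 63)
    10.109.63.254.62860 > 10.109.51.16.radius: RADIUS, length: 35
        Access-Request (1), id: 0x00, Authenticator: 20202020202031353635383739313539
          User-Name Attribute (1), length: 10, Value: facuser1
          State Attribute (24), length: 3, Value: 1
          User-Password Attribute (2), length: 2, Value:
16:26:00.316067 IP (tos 0x0, ttl 64, id 33022, offset 0, flags [none], proto UDP (17), length 48)
    10.109.51.16.radius > 10.109.63.254.62860: RADIUS, length: 20
        Access-Reject (3), id: 0x00, Authenticator: baa4a0bc365107b0d9c41013856b210d
2 packets captured
2 packets received by filter
0 packets dropped by kernel
"""

# One regex per line type in tcpdump's verbose RADIUS decoder output.
TIMESTAMP_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP ")
FLOW_RE = re.compile(r"^\s+(\S+) > (\S+): RADIUS, length: (\d+)")
CODE_RE = re.compile(
    r"^\s+(Access-Request|Access-Accept|Access-Reject|Access-Challenge) \((\d+)\), id: (0x[0-9a-fA-F]+)"
)
ATTR_RE = re.compile(r"^\s+(\S+) Attribute \((\d+)\), length: (\d+), Value: ?(.*)$")


def parse_tcpdump_radius(text):
    """Return one dict per RADIUS packet found in tcpdump -v output."""
    packets = []
    current = None
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:                                   # a new packet starts at an unindented timestamp line
            current = {"time": m.group(1), "attrs": {}}
            packets.append(current)
            continue
        if current is None:                     # header/trailer lines before the first packet
            continue
        m = FLOW_RE.match(line)
        if m:
            current["src"], current["dst"] = m.group(1), m.group(2)
            current["length"] = int(m.group(3))
            continue
        m = CODE_RE.match(line)
        if m:
            current["code"] = m.group(1)
            current["id"] = int(m.group(3), 16)  # RADIUS identifier, printed as hex by tcpdump
            continue
        m = ATTR_RE.match(line)
        if m:
            current["attrs"][m.group(1)] = m.group(4)   # e.g. attrs["User-Name"] == "facuser1"
    return packets


def summarize_transactions(packets):
    """Pair each Access-Request with its reply (matched on client endpoint + id)."""
    pending = {}
    results = []
    for p in packets:
        if "code" not in p:                     # non-RADIUS packet if a broader filter was used
            continue
        if p["code"] == "Access-Request":
            pending[(p["src"], p["id"])] = p
        else:
            req = pending.pop((p["dst"], p["id"]), None)
            results.append({
                "user": req["attrs"].get("User-Name") if req else None,
                "client": p["dst"],
                "id": p["id"],
                "result": p["code"],
            })
    # A request with no reply is itself diagnostic: RADIUS servers silently discard
    # requests whose authenticator does not verify (typically a shared-secret mismatch).
    for (client, rid), req in pending.items():
        results.append({"user": req["attrs"].get("User-Name"), "client": client,
                        "id": rid, "result": "no reply"})
    return results


if __name__ == "__main__":
    for tx in summarize_transactions(parse_tcpdump_radius(SAMPLE_OUTPUT)):
        print(tx)
```

For a real troubleshooting session, replace SAMPLE_OUTPUT with the saved console text; the regexes only depend on the line shapes tcpdump prints with -v, so captures with several clients and interleaved ids are handled the same way.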

3) SSH: tcpdumpfile
#execute tcpdumpfile <arguments> <filter>
This command is similar to tcpdump above, with the difference that the captured packets are not displayed in the SSH console (it is normal to see no packets displayed while the capture is running).
Instead, once the packet capture ends (either after manually stopping it or after reaching the set packet count), a converted pcap file will become available for download in GUI.

Note: Since the captured packets are not displayed, it is not necessary to use any options that affect verbosity or other visuals of the output (-v -x -n etc.).

The most recent packet capture file is available in GUI on the following path: https://<fortiauthenticator-fqdn-or-ip>/debug/

In the top-left corner, in the Service drop-down menu, select the option "CLI packet capture (tcpdumpfile)" to download the most recent capture.
It is also possible to get to the download directly by opening: https://<fortiauthenticator-fqdn-or-ip>/debug/pcap-dump/
The file is in pcap format, ready to be opened for further analysis in Wireshark, for example.

Pros: Allows detailed filtering and provides automatic conversion to a pcap file.
Cons: Both SSH and GUI access needed.
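The file downloaded from /debug/pcap-dump/ is a classic pcap, so its contents can be checked without Wireshark, for instance on a jump host that has no GUI. The following added example (not code from the page or from Fortinet) is a minimal pure-Python reader for that format: it walks the records, picks out UDP frames on the RADIUS ports, and decodes the RADIUS code, identifier and attributes. Because no real capture file can be embedded here, the block also constructs a one-frame pcap in memory with assumed addresses matching the page's example; the assumptions are that the download is classic pcap (not pcapng) with Ethernet link type, which is what the page's tcpdump output ("link-type EN10MB") indicates.

```python
import struct

LINKTYPE_ETHERNET = 1
RADIUS_PORTS = {1812, 1813}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def build_sample_pcap():
    """Constructed test data: one Ethernet/IPv4/UDP/RADIUS Access-Request frame in a classic pcap.

    Addresses and ports mirror the page's example (10.109.63.254:62860 -> 10.109.51.16:1812).
    IP/UDP checksums are left at zero because nothing here verifies them."""
    attrs = bytes([1, 10]) + b"facuser1"                      # User-Name (type 1), length 2+8
    radius = struct.pack("!BBH", 1, 0, 20 + len(attrs)) + bytes(16) + attrs  # code 1, id 0, authenticator
    udp = struct.pack("!HHHH", 62860, 1812, 8 + len(radius), 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1513, 0, 125, 17, 0,
                     bytes([10, 109, 63, 254]), bytes([10, 109, 51, 16])) + udp
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800) + ip   # zero MACs, EtherType IPv4
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    record = struct.pack("<IIII", 1700000000, 312131, len(eth), len(eth)) + eth
    return global_header + record


def read_pcap(data):
    """Yield (timestamp, frame_bytes) for each record in a classic pcap, either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled by this reader)")
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def radius_from_frame(frame):
    """Return (src_ip, dst_ip, code_name, id, {attr_type: raw_value}) for a RADIUS frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                           # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                           # protocol field: 17 = UDP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if sport not in RADIUS_PORTS and dport not in RADIUS_PORTS:
        return None
    payload = udp[8:ulen]
    code, rid, rlen = struct.unpack("!BBH", payload[:4])
    attrs = {}
    pos = 20                                                  # attributes start after the 16-byte authenticator
    while pos + 2 <= min(rlen, len(payload)):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2:                                          # malformed TLV: stop instead of looping forever
            break
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return src, dst, RADIUS_CODES.get(code, str(code)), rid, attrs


def summarize_pcap(data):
    """List the RADIUS packets in a pcap byte string, in capture order."""
    found = []
    for _ts, frame in read_pcap(data):
        parsed = radius_from_frame(frame)
        if parsed:
            found.append(parsed)
    return found


if __name__ == "__main__":
    # With a real download: data = open("pcap-dump.pcap", "rb").read()
    for src, dst, code, rid, attrs in summarize_pcap(build_sample_pcap()):
        print(f"{src} -> {dst}: {code} id={rid} User-Name={attrs.get(1, b'').decode(errors='replace')}")
```

The attribute loop bounds itself by both the RADIUS length field and the real payload size, so a truncated or malformed packet in the capture produces a partial result rather than an exception; that matters because a capture taken precisely to debug a broken client tends to contain exactly such packets.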
