FortiExtender
FortiExtender offers wireless connectivity for nearly any operational network.
vpatil
Staff
Article Id 253558
Description

This article demonstrates how to perform packet captures directly on FortiExtender using the tcpdump Linux utility.

Scope

FortiExtender.
Solution

The tcpdump utility can be used to perform packet captures on a FortiExtender unit, which is useful for troubleshooting packet flow to and through the FortiExtender and its various interfaces (including the cellular modem). Use the following steps to perform a tcpdump capture:


  1. Access the FortiExtender CLI, either via the web-based console in the GUI, via SSH, or through a direct serial-console connection (see also: Connect to the CLI).
     It is recommended to enable logging of the console session, especially when using SSH or a serial console, as this ensures that the capture results are saved and remain available after the connection is closed.
  2. Check the list of interfaces available on the FortiExtender using the command get system interface. Alternatively, the command execute ifconfig may also be used to list the available interfaces.


[Image: output of get system interface on the FortiExtender CLI]


  3. Start a tcpdump packet capture on the FortiExtender using the execute tcpdump <...> series of commands. The following are some examples of the command (the -nn option is auto-enabled as of FortiExtenderOS v4.1.3, v4.2.0, and later to disable name resolution of hostnames and well-known port names):


# Perform tcpdump on the lte1 interface:
execute tcpdump -i lte1

# Perform tcpdump on the lte1 interface with more verbose output:
execute tcpdump -n -i lte1 -vv

# Perform tcpdump on port4, filtering for packets to or from a specific host address:
execute tcpdump -nn -i port4 'host X.X.X.X'

# Perform tcpdump on all interfaces, capturing only ICMP traffic:
execute tcpdump -n icmp


Available tcpdump flags:


FortiExtender # execute tcpdump -h

tcpdump: enabling -nn option
tcpdump version 4.9.2
libpcap version 1.8.1
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]


Example tcpdump output (two separate instances capturing the lte1 interface and the LAN switch interface):


FortiExtender # execute tcpdump -n -i lte1 -vv

tcpdump: enabling -nn option
tcpdump: listening on lte1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:40:08.112966 IP (tos 0x0, ttl 64, id 33083, offset 0, flags [DF], proto ICMP (1), length 84)
10.1.X.X > 8.8.8.8: ICMP echo request, id 17966, seq 110, length 64
09:40:08.151672 IP (tos 0x0, ttl 64, id 53139, offset 0, flags [none], proto ICMP (1), length 40)
10.1.X.X > 8.8.8.8: ICMP echo request, id 2104, seq 10249, length 20


FortiExtender # execute tcpdump -vv -i lan -nn host 8.8.8.8 and icmp
tcpdump: listening on lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:31:42.651474 IP (tos 0x0, ttl 128, id 9087, offset 0, flags [none], proto ICMP (1), length 60)
192.168.200.111 > 8.8.8.8: ICMP echo request, id 1, seq 2991, length 40
09:31:47.662687 IP (tos 0x0, ttl 128, id 9093, offset 0, flags [none], proto ICMP (1), length 60)
192.168.200.111 > 8.8.8.8: ICMP echo request, id 1, seq 2992, length 40


  4. To stop the tcpdump capture, use the 'Ctrl+C' keyboard shortcut in the console window.
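Because step 1 recommends logging the console session, the saved log can be post-processed offline. The following Python parser is an added example, not part of this article or of FortiExtender itself: it reads the two-line tcpdump -vv format shown in the output above, skips the "tcpdump:" status lines, and tallies packets per source, destination and protocol. The sample capture text and its addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the two-line `tcpdump -vv` format shown above
# (addresses are made up; the real capture masks them as 10.1.X.X).
SAMPLE = """\
tcpdump: enabling -nn option
tcpdump: listening on lte1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:40:08.112966 IP (tos 0x0, ttl 64, id 33083, offset 0, flags [DF], proto ICMP (1), length 84)
    10.1.0.10 > 8.8.8.8: ICMP echo request, id 17966, seq 110, length 64
09:40:08.151672 IP (tos 0x0, ttl 64, id 53139, offset 0, flags [none], proto ICMP (1), length 40)
    10.1.0.10 > 8.8.8.8: ICMP echo request, id 2104, seq 10249, length 20
09:40:09.002110 IP (tos 0x0, ttl 128, id 9087, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.200.111 > 8.8.8.8: ICMP echo request, id 1, seq 2991, length 40
"""

# First line of each packet: timestamp plus the IPv4 header fields -vv prints.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), "
    r"id (?P<ipid>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \((?P<protonum>\d+)\), length (?P<length>\d+)\)$"
)
# Second line: "src > dst: <protocol detail>" (indented in real output).
ENDPOINTS_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+): (?P<detail>.*)$")
INT_FIELDS = ("ttl", "ipid", "offset", "protonum", "length")


def parse_tcpdump_vv(text):
    """Return one dict per packet; 'tcpdump:' status lines are skipped."""
    packets, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("tcpdump:"):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {k: int(v) if k in INT_FIELDS else v for k, v in m.groupdict().items()}
            packets.append(current)
            continue
        m = ENDPOINTS_RE.match(line)
        if m and current is not None:
            current.update(m.groupdict())
            current = None  # endpoints consumed; the next line must be a header
    return packets


def summarize(packets):
    """Count packets per (src, dst, proto) so the busiest flows stand out."""
    return Counter((p.get("src"), p.get("dst"), p["proto"]) for p in packets)
```

Feed it the text of a logged console session (for example, open(path).read()) instead of SAMPLE to get the same per-flow summary for a real capture.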