FortiExtender
vpatil
Staff
Article Id 253558
Description This article describes how to collect 'tcpdump' packet captures.
Scope FortiExtender 511F v7.2.3.
Solution

1) Connect to the FortiExtender over SSH using PuTTY, and enable session logging in PuTTY so that the SSH output is saved to a file.

 

2) Enable 'tcpdump' captures on any of the following interfaces listed in the 'get system interface' output on the FortiExtender:

 

# get system interface

== [ port4 ]
name: port4 status: online/up/link up type: physical mac: ac:71:2e:xx:xx:xx mode: dhcp ip: 192.168.254.2/24 mtu: 1500
gateway: 192.168.254.1 dns: 192.168.254.1
== [ wan ]
name: wan status: online/up/link down type: physical mac: ac:71:2e:xx:xx:xx mode: dhcp ip: 0.0.0.0/0 mtu: 1500
gateway: 0.0.0.0
== [ sfp ]
name: sfp status: online/up/link down type: physical mac: ac:71:2e:xx:xx:xx mode: dhcp ip: 0.0.0.0/0 mtu: 1500
gateway: 0.0.0.0
== [ lan ]
name: lan status: online/up/link down type: lan-switch mac: ac:71:2e:xx:xx:xx mode: static ip: 192.168.200.99/24 mtu: 1500
gateway: 0.0.0.0
== [ lo ]
name: lo status: online/up/link up type: loopback mac: 00:00:00:00:00:00 mode: static ip: 127.0.0.1/8 mtu: 65536
gateway: 0.0.0.0
== [ lte1 ]
name: lte1 status: online/up/link up type: lte mac: 7e:11:98:xx:xx:xx mode: dhcp ip: 192.x.x.x/24 mtu: 1472
gateway: 192.0.0.X dns: 192.0.0.X
== [ vlan1 ]
name: vlan1 status: online/up/link up type: vlan mac: 76:ac:f0:xx:xx:xx mode: static ip: 0.0.0.0/0 mtu: 1500
gateway: 0.0.0.0
vid: 5

 

3) Run the following tcpdump commands on the FortiExtender:

 

# execute tcpdump -n -i lte1
# execute tcpdump -n -i lte1 -vv

# execute tcpdump -nn -i port4 'host X.X.X.X'
# execute tcpdump -n icmp

 

Example tcpdump outputs when there's traffic on the lte1 and lan interfaces on the FortiExtender:

 

# execute tcpdump -n -i lte1 -vv

tcpdump: enabling -nn option
tcpdump: listening on lte1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:40:08.112966 IP (tos 0x0, ttl 64, id 33083, offset 0, flags [DF], proto ICMP (1), length 84)
10.1.X.X > 8.8.8.8: ICMP echo request, id 17966, seq 110, length 64
09:40:08.151672 IP (tos 0x0, ttl 64, id 53139, offset 0, flags [none], proto ICMP (1), length 40)
10.1.X.X > 8.8.8.8: ICMP echo request, id 2104, seq 10249, length 20

 

# execute tcpdump -vv -i lan -nn host 8.8.8.8 and icmp
tcpdump: listening on lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:31:42.651474 IP (tos 0x0, ttl 128, id 9087, offset 0, flags [none], proto ICMP (1), length 60)
192.168.200.111 > 8.8.8.8: ICMP echo request, id 1, seq 2991, length 40
09:31:47.662687 IP (tos 0x0, ttl 128, id 9093, offset 0, flags [none], proto ICMP (1), length 60)
192.168.200.111 > 8.8.8.8: ICMP echo request, id 1, seq 2992, length 40

 

4) To stop the tcpdump capture output, press 'Ctrl+C' on Windows.

 

5) Alternatively, to list interfaces on the FortiExtender CLI, run 'execute ifconfig'.
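
Once the PuTTY session log is saved, the two-line '-vv' records shown above can be joined into structured entries and counted per flow to confirm which traffic crossed the interface. The following Python code is an added example, not part of the original article or any Fortinet tool; it assumes IPv4 output in the '-vv' format shown above, and the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: text as it would appear in a saved PuTTY session log,
# following the -vv output format shown in the article.
SAMPLE_LOG = """\
# execute tcpdump -vv -i lan -nn host 8.8.8.8 and icmp
tcpdump: listening on lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:31:42.651474 IP (tos 0x0, ttl 128, id 9087, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.200.111 > 8.8.8.8: ICMP echo request, id 1, seq 2991, length 40
09:31:47.662687 IP (tos 0x0, ttl 128, id 9093, offset 0, flags [none], proto ICMP (1), length 60)
192.168.200.111 > 8.8.8.8: ICMP echo request, id 1, seq 2992, length 40
"""

# First line of a -vv record: timestamp and IPv4 header fields.
HEADER = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?"
    r"proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\)\s*$")
# Second line: source > destination, then the protocol detail.
FLOW = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>[^:\s]+): (?P<info>.*)$")

def parse_vv_log(text):
    """Join each -vv header line with the 'src > dst' line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            pending = h.groupdict()  # a header with no flow line is dropped
            continue
        f = FLOW.match(line)
        if f and pending:
            rec = {**pending, **f.groupdict()}
            rec["ttl"], rec["length"] = int(rec["ttl"]), int(rec["length"])
            records.append(rec)
        pending = None  # prompts, banners and stray lines reset the state
    return records

def flow_counts(records):
    """Count packets per (src, dst, proto) to confirm traffic direction."""
    return Counter((r["src"], r["dst"], r["proto"]) for r in records)

if __name__ == "__main__":
    for key, n in flow_counts(parse_vv_log(SAMPLE_LOG)).items():
        print(key, n)
```

Lines that are not part of a complete header/flow pair, such as the CLI prompt and the 'tcpdump: listening on' banner, are ignored.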

 
