FortiGate
pdhillon
Staff
Article Id 326800

 

Description

This article describes one way to apply a filter to NP7 sniffer captures.

Scope

FortiGate.

Solution

In the example below, bidirectional traffic is captured on the interface lag1.55 between the source 172.20.6.1 and the destination 10.0.165.5:

 

NP7 Sniffer:


diagnose npu sniffer filter intf lag1.55
diagnose npu sniffer filter dir 2   <-- dir has 3 options (0 – ingress, 1 – egress, 2 – both); 2 captures both ingress and egress.
diagnose npu sniffer filter protocol 6
diagnose npu sniffer filter srcip 172.20.6.1
diagnose npu sniffer filter dstip 10.0.165.5

diagnose npu sniffer start
diagnose sniffer packet npudbg

 

If a capture on multiple interfaces is required, for example on lag1.55 and lag2.55:

diagnose npu sniffer filter selector 0   <-- This is the filter ID; only 4 can be created and used simultaneously (from 0 to 4).

diagnose npu sniffer filter intf lag1.55
diagnose npu sniffer filter dir 2   <-- dir has 3 options (0 – ingress, 1 – egress, 2 – both); 2 captures both ingress and egress.
diagnose npu sniffer filter protocol 6
diagnose npu sniffer filter srcip 172.20.6.1
diagnose npu sniffer filter dstip 10.0.165.5

diagnose npu sniffer start

 

diagnose npu sniffer filter selector 1   <-- This is the filter ID; only 4 can be created and used simultaneously (from 0 to 4).

diagnose npu sniffer filter intf lag2.55
diagnose npu sniffer filter dir 2   <-- dir has 3 options (0 – ingress, 1 – egress, 2 – both); 2 captures both ingress and egress.
diagnose npu sniffer filter protocol 6
diagnose npu sniffer filter srcip 172.20.6.1
diagnose npu sniffer filter dstip 10.0.165.5

diagnose npu sniffer start
diagnose sniffer packet npudbg
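
The multi-interface procedure above repeats the same filter block once per selector. As an added example (not part of the original article and not Fortinet code), the Python helper below generates that command sequence for a list of interfaces and rejects input that exceeds the four-filter limit or is not a valid IPv4 address. The function name, the interface-name pattern and the numbering of selectors from 0 in list order are assumptions.

```python
import ipaddress
import re

MAX_FILTERS = 4                                       # limit stated in the article
DIRECTIONS = {"ingress": 0, "egress": 1, "both": 2}   # dir values from the article
INTF_NAME = re.compile(r"[A-Za-z0-9._-]+")            # assumed safe name pattern


def build_np7_sniffer_commands(interfaces, srcip, dstip, protocol=6, direction="both"):
    """Return the CLI lines for one NP7 sniffer filter per interface.

    Hypothetical helper: selectors are numbered 0, 1, 2, ... in list order.
    """
    if not 1 <= len(interfaces) <= MAX_FILTERS:
        raise ValueError(f"need 1 to {MAX_FILTERS} interfaces, got {len(interfaces)}")
    if len(set(interfaces)) != len(interfaces):
        raise ValueError("duplicate interface name")
    for intf in interfaces:
        # Keep whitespace and newlines out of the generated CLI lines.
        if not INTF_NAME.fullmatch(intf):
            raise ValueError(f"unexpected interface name: {intf!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}")
    if not 0 <= protocol <= 255:
        raise ValueError("protocol must be an IP protocol number (0-255)")
    # IPv4Address raises a ValueError subclass on anything that is not an address.
    src, dst = ipaddress.IPv4Address(srcip), ipaddress.IPv4Address(dstip)

    lines = []
    for selector, intf in enumerate(interfaces):
        if len(interfaces) > 1:
            # The article only selects a filter ID when several filters are used.
            lines.append(f"diagnose npu sniffer filter selector {selector}")
        lines += [
            f"diagnose npu sniffer filter intf {intf}",
            f"diagnose npu sniffer filter dir {DIRECTIONS[direction]}",
            f"diagnose npu sniffer filter protocol {protocol}",
            f"diagnose npu sniffer filter srcip {src}",
            f"diagnose npu sniffer filter dstip {dst}",
            "diagnose npu sniffer start",
        ]
    lines.append("diagnose sniffer packet npudbg")  # final command in the article
    return lines


if __name__ == "__main__":
    # Values taken from the article's two-interface example.
    print("\n".join(build_np7_sniffer_commands(
        ["lag1.55", "lag2.55"], "172.20.6.1", "10.0.165.5")))
```
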

 

Related document:

NP7 hyperscale firewall packet sniffer