FortiGate
pdhillon
Staff
Article Id 326800

 

Description

This article describes one way to apply a filter to NP7 sniffer captures.

Scope

FortiGate.
Solution

In the example below, bidirectional traffic is captured on interface lag1.55 between source 172.20.6.1 and destination 10.0.165.5:

 

NP7 Sniffer:


diagnose npu sniffer filter intf lag1.55
diagnose npu sniffer filter dir 2   <-- dir has 3 options (0 - ingress, 1 - egress, 2 - both); 2 captures both ingress and egress.
diagnose npu sniffer filter protocol 6
diagnose npu sniffer filter srcip 172.20.6.1
diagnose npu sniffer filter dstip 10.0.165.5

diagnose npu sniffer start
diagnose sniffer packet npudbg

 

If a capture on multiple interfaces is required, for example lag1.55 and lag2.55, assign each interface its own filter selector:

 
diagnose npu sniffer filter selector 0   <-- This is the filter ID; only 4 filters can be created and used simultaneously (from 0 to 4).

diagnose npu sniffer filter intf lag1.55
diagnose npu sniffer filter dir 2   <-- dir has 3 options (0 - ingress, 1 - egress, 2 - both); 2 captures both ingress and egress.
diagnose npu sniffer filter protocol 6
diagnose npu sniffer filter srcip 172.20.6.1
diagnose npu sniffer filter dstip 10.0.165.5

diagnose npu sniffer start

 

diagnose npu sniffer filter selector 1   <-- This is the filter ID; only 4 filters can be created and used simultaneously (from 0 to 4).

diagnose npu sniffer filter intf lag2.55
diagnose npu sniffer filter dir 2   <-- dir has 3 options (0 - ingress, 1 - egress, 2 - both); 2 captures both ingress and egress.
diagnose npu sniffer filter protocol 6
diagnose npu sniffer filter srcip 172.20.6.1
diagnose npu sniffer filter dstip 10.0.165.5

diagnose npu sniffer start

 

To obtain output with a specific verbosity level, packet count and timestamp format, run the command below to start sniffing the NP packets:


diagnose sniffer packet npudbg '' <level> <count> <tsformat> 

 

Example:

 

diagnose sniffer packet npudbg '' 6 0 l 

 

<level> # Verbosity level of the packet output; the available levels are shown in an image (LEVEL.png) in the original article.

 

<count> # The number of packets to capture. If 0 or no value is given, packets are captured until Ctrl+C is used to stop the sniffer.
<tsformat> # 'a' for absolute UTC timestamps; otherwise timestamps are relative to the start of sniffing ('l' for local time).

 

Once the NP sniffer capture is complete, it is recommended to stop it with the following command:

 

diagnose npu sniffer stop
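The multi-interface procedure above repeats the same six filter lines once per selector, which is easy to get wrong by hand (a mistyped IP or a fifth selector simply yields an empty or rejected capture). The helper below is an added example, not Fortinet code and not part of the original article: it assembles the full NP7 sniffer command sequence (one selector per interface, the npudbg capture command, and the closing stop) so it can be reviewed before being pasted into the FortiGate CLI. It does not connect to a device. Assumed values: the article's limit of four simultaneous filters (taken here as IDs 0-3; confirm on the device, since the article's "0 to 4" wording reads as five IDs), the IANA protocol numbers tcp=6, udp=17 and icmp=1, and the function name build_np7_sniffer_commands.

```python
"""Assemble the 'diagnose npu sniffer' CLI sequence for one or more interfaces.

Added helper (not Fortinet code). It only builds the command lines shown in the
article so they can be checked before use; it never talks to a FortiGate.
"""
import ipaddress

# Assumption from the article: only 4 filters can be active at once.  The
# article's "from 0 to 4" wording suggests five IDs, so verify on the device.
MAX_FILTERS = 4
DIRECTIONS = {"ingress": 0, "egress": 1, "both": 2}   # values of 'filter dir'
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}          # IANA protocol numbers


def build_np7_sniffer_commands(interfaces, src_ip, dst_ip, protocol="tcp",
                               direction="both", level=6, count=0, tsformat="l"):
    """Return the CLI lines for a capture between src_ip and dst_ip.

    One filter selector is used per interface (selector 0, 1, ...), mirroring
    the article's lag1.55 / lag2.55 example.  The sequence ends with the
    'diagnose sniffer packet npudbg' command and the recommended 'stop'.
    """
    if not interfaces:
        raise ValueError("at least one interface is required")
    if len(interfaces) > MAX_FILTERS:
        raise ValueError(
            f"NP7 sniffer supports at most {MAX_FILTERS} filters, got {len(interfaces)}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}")
    if tsformat not in ("a", "l"):
        raise ValueError("tsformat must be 'a' (absolute UTC) or 'l' (local/relative)")
    # Accept either a protocol name from the table or a raw IANA number.
    proto_num = PROTOCOLS[protocol] if isinstance(protocol, str) else int(protocol)
    # Validate both addresses up front: ip_address() raises ValueError on a typo,
    # which is better than a silently empty capture on the device.
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)

    lines = []
    for selector, intf in enumerate(interfaces):
        lines.append(f"diagnose npu sniffer filter selector {selector}")
        lines.append(f"diagnose npu sniffer filter intf {intf}")
        lines.append(f"diagnose npu sniffer filter dir {DIRECTIONS[direction]}")
        lines.append(f"diagnose npu sniffer filter protocol {proto_num}")
        lines.append(f"diagnose npu sniffer filter srcip {src}")
        lines.append(f"diagnose npu sniffer filter dstip {dst}")
        # The article starts the sniffer after each selector is configured.
        lines.append("diagnose npu sniffer start")
    lines.append(f"diagnose sniffer packet npudbg '' {level} {count} {tsformat}")
    lines.append("diagnose npu sniffer stop")
    return lines


if __name__ == "__main__":
    # Reproduces the article's two-interface example (constructed input).
    for line in build_np7_sniffer_commands(["lag1.55", "lag2.55"],
                                           "172.20.6.1", "10.0.165.5"):
        print(line)
```

Run it to print the sequence for lag1.55 and lag2.55; pass a single-element list for the one-interface case (it then emits selector 0 explicitly, which is equivalent to the article's first example).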

 

Related document:

NP7 hyperscale firewall packet sniffer