FortiGate
ldsouza
Staff
Article Id 193867

Description


This article describes how to capture ESP and the interesting (cleartext) traffic of an IPsec tunnel with a single sniffer command, in one CLI window or SSH session, so the two can be correlated in one output.

 

Scope

 

FortiGate.

Solution


To capture ESP together with the interesting traffic (for example, ICMP) in one sniffer, use the following filter format.

 

diagnose sniffer packet any "(host <VPN peer IP> and esp) or (host <IP address of the remote machine> and <protocol>)" 6 0 a <----- <protocol> is the interesting traffic, for example icmp. The parentheses are optional (and binds tighter than or in the filter syntax) but make the intent explicit. Verbosity 6 prints Ethernet headers, payload and interface names; use 4 for headers and interface names only, as in the example below.

 

Or:

 

diagnose sniffer packet any "host x.x.x.x and esp" 6 0 a <----- Where x.x.x.x is the IP address of the remote gateway. This captures ESP only, without the interesting traffic.

 

Example:

 

In the example below, a ping from 10.189.4.141 to 10.10.10.100 is sent through the tunnel while the sniffer matches ESP to the peer 10.5.20.146 and ICMP to the remote host 10.10.10.100. Each cleartext ICMP packet on the tunnel interface test1 is followed (outbound) or preceded (inbound) by the ESP packet that carries it on wan1; the outbound and inbound SAs use different SPIs. The outbound ESP packet is listed twice (wan1 and eth0) because the any pseudo-interface reports a packet on each interface it traverses; it is one packet, with the same SPI and sequence number.

 

FGT91E-1 (root) # diagnose sniffer packet any "(host 10.5.20.146 and esp) or (host 10.10.10.100 and icmp)" 4 0 a


filters=[(host 10.5.20.146 and esp) or (host 10.10.10.100 and icmp)]
2021-03-31 10:38:08.536928 test1 out 10.189.4.141 -> 10.10.10.100: icmp: echo request
2021-03-31 10:38:08.536965 wan1 out 10.5.20.141 -> 10.5.20.146: ESP(spi=0x1c35548f,seq=0x11)
2021-03-31 10:38:08.536972 eth0 out 10.5.20.141 -> 10.5.20.146: ESP(spi=0x1c35548f,seq=0x11)
2021-03-31 10:38:08.537181 wan1 in 10.5.20.146 -> 10.5.20.141: ESP(spi=0x1b6c18f7,seq=0xc)
2021-03-31 10:38:08.537208 test1 in 10.10.10.100 -> 10.189.4.141: icmp: echo reply
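When the capture is longer than a single ping, pairing cleartext packets with their ESP counterparts by eye stops being practical. The following script is an added example (not Fortinet's code and not part of this article) that parses verbosity-4 sniffer lines, summarizes the SPIs seen per direction, and pairs each cleartext packet with the nearest same-direction ESP packet; a cleartext packet with no ESP match is the "interesting traffic never entered the tunnel" symptom. The sample input is the capture above, embedded as a constructed string; the 5 ms pairing window is an assumption.

```python
"""Parse FortiGate 'diagnose sniffer packet ... 4' output and correlate
cleartext (interesting) traffic with the ESP packets that carry it."""
import re
from datetime import datetime, timedelta

# Constructed sample: the verbosity-4 lines from the capture on this page.
SAMPLE = """\
filters=[(host 10.5.20.146 and esp) or (host 10.10.10.100 and icmp)]
2021-03-31 10:38:08.536928 test1 out 10.189.4.141 -> 10.10.10.100: icmp: echo request
2021-03-31 10:38:08.536965 wan1 out 10.5.20.141 -> 10.5.20.146: ESP(spi=0x1c35548f,seq=0x11)
2021-03-31 10:38:08.536972 eth0 out 10.5.20.141 -> 10.5.20.146: ESP(spi=0x1c35548f,seq=0x11)
2021-03-31 10:38:08.537181 wan1 in 10.5.20.146 -> 10.5.20.141: ESP(spi=0x1b6c18f7,seq=0xc)
2021-03-31 10:38:08.537208 test1 in 10.10.10.100 -> 10.189.4.141: icmp: echo reply
"""

# One packet per line at verbosity 4: timestamp, interface, direction, IPs, protocol text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) "
    r"(?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): (?P<info>.+)$"
)
ESP_RE = re.compile(r"^ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)")


def parse_sniffer(text):
    """Return one dict per packet line. The filters=[...] banner, the CLI prompt
    and hex-dump lines (verbosity 3/6) do not match LINE_RE and are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["ts"] = datetime.strptime(p["ts"], "%Y-%m-%d %H:%M:%S.%f")
        e = ESP_RE.match(p["info"])
        if e:
            p["kind"] = "esp"
            p["spi"] = "0x" + e["spi"].lower()
            p["seq"] = int(e["seq"], 16)
        else:
            p["kind"] = p["info"].split(":")[0].split()[0]  # first word, e.g. "icmp"
            p["spi"] = None
            p["seq"] = None
        pkts.append(p)
    return pkts


def esp_sas(pkts):
    """Summarize ESP by SPI. Each SPI is one unidirectional child SA, so a healthy
    tunnel shows one inbound and one outbound SPI per phase 2 selector. The same
    spi/seq reported on two interfaces (any pseudo-interface) collapses to one."""
    sas = {}
    for p in pkts:
        if p["kind"] != "esp":
            continue
        peer = p["dst"] if p["dir"] == "out" else p["src"]
        sa = sas.setdefault(p["spi"], {"dir": p["dir"], "peer": peer, "seqs": set()})
        sa["seqs"].add(p["seq"])
    return {spi: {"dir": sa["dir"], "peer": sa["peer"], "seqs": sorted(sa["seqs"])}
            for spi, sa in sas.items()}


def correlate(pkts, window=timedelta(milliseconds=5)):
    """Pair each cleartext packet with the ESP packet that most plausibly carries it:
    same direction, nearest in time within `window` (assumed value). An outbound
    cleartext packet is encrypted after it is seen, an inbound one is decrypted after
    its ESP arrives, so the time delta is taken in that order. Returns
    (cleartext_info, spi, seq); spi is None when no ESP packet qualifies."""
    esp = [p for p in pkts if p["kind"] == "esp"]
    pairs = []
    for c in pkts:
        if c["kind"] == "esp":
            continue
        best = None
        for e in esp:
            if e["dir"] != c["dir"]:
                continue
            delta = e["ts"] - c["ts"] if c["dir"] == "out" else c["ts"] - e["ts"]
            if timedelta(0) <= delta <= window and (best is None or delta < best[0]):
                best = (delta, e)
        if best is None:
            pairs.append((c["info"], None, None))
        else:
            pairs.append((c["info"], best[1]["spi"], best[1]["seq"]))
    return pairs


if __name__ == "__main__":
    packets = parse_sniffer(SAMPLE)
    for spi, sa in esp_sas(packets).items():
        print(f"SPI {spi}: {sa['dir']:3} peer {sa['peer']} seqs {sa['seqs']}")
    for info, spi, seq in correlate(packets):
        print(f"{info!r:24} -> {spi or 'NOT IN TUNNEL'} seq={seq}")
```

Run it with the sniffer output pasted into SAMPLE (or read from a file saved from the SSH session). The SPI reported for each pairing is the value to look up when decrypting the ESP packets in the next step, since each SPI selects the SA whose keys apply.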

 

Once the ESP packets are collected, decrypt them using the article Technical Tip: Decrypt ESP packets. The SPI printed in each ESP line identifies the security association whose keys are needed for that direction.

 

Related articles:

Technical Tip: Decrypt ESP packets 

Technical Tip: How to decrypt IPSec Phase-2 (ISAKMP) packets IKEv2 

Technical Tip: How to decrypt IPSec Phase-1(ISAKMP) packets