Technical Tip: Capture ESP and Interesting traffic on single GUI console/SSH session

ldsouza · ‎03-31-2021

Description

This article provides commands to collect the sniffer ESP and Interesting traffic on single command line window or in SSH session.

Scope

FortiGate.

Solution

To collect the packet capture of ESP and Interesting traffic for example ICMP, enable the following sniffer command format.

diag sniffer packet any "<----- Host <VPN peer IP> and esp or host <IP address of the remote machine > and protocol" 6 0 a

OR

diagnose sniffer packet any "host x.x.x and esp" 6 0 a <----- Where x.x.x.x is IP address of the remote gateway.

Example :

In the below example ICMP traffic is generated with the ESP filter.

FGT91E-1 (root) # diagnose sniffer packet any "(host 10.5.20.146 and esp) or (host 10.10.10.100 and icmp)" 4 0 a

filters=[(host 10.5.20.146 and esp) or (host 10.10.10.100 and icmp)]
2021-03-31 10:38:08.536928 test1 out 10.189.4.141 -> 10.10.10.100: icmp: echo request
2021-03-31 10:38:08.536965 wan1 out 10.5.20.141 -> 10.5.20.146: ESP(spi=0x1c35548f,seq=0x11)
2021-03-31 10:38:08.536972 eth0 out 10.5.20.141 -> 10.5.20.146: ESP(spi=0x1c35548f,seq=0x11)
2021-03-31 10:38:08.537181 wan1 in 10.5.20.146 -> 10.5.20.141: ESP(spi=0x1b6c18f7,seq=0xc)
2021-03-31 10:38:08.537208 test1 in 10.10.10.100 -> 10.189.4.141: icmp: echo reply

Technical Tip: Capture ESP and Interesting traffic on single GUI console/SSH session

You are leaving our website