iskandar_lie (Staff)
Article Id 254294
Description: This article explains why the output of 'diagnose sniffer packet any' appears to show duplicate traffic.
Scope: FortiOS.
Solution

# diagnose sniffer packet any "<parameter>" 4 is one of the most useful tools used by TAC for troubleshooting. It is very important to supply TAC with this output, especially for cases that involve routing or firewall policy.

This article explains how to avoid a common misunderstanding when reading the output of this command.

The traffic in this example is simply ICMP from 192.168.30.2 to 192.168.1.3.

FGT1 # diagnose sniffer packet any "host 192.168.1.3 and icmp" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.1.3 and icmp]
1.061971 VLAN_116 in 192.168.30.2 -> 192.168.1.3: icmp: echo request
1.061989 port9 out 192.168.30.2 -> 192.168.1.3: icmp: echo request
1.062475 port9 in 192.168.1.3 -> 192.168.30.2: icmp: echo reply
1.062485 VLAN_116 out 192.168.1.3 -> 192.168.30.2: icmp: echo reply
1.062488 Agg_Intf out 192.168.1.3 -> 192.168.30.2: icmp: echo reply
1.062490 port4 out 192.168.1.3 -> 192.168.30.2: icmp: echo reply

The echo reply in the 'out' direction appears 3 times in a row, as if the traffic were duplicated. It is not: when sniffing on 'any', FortiGate reports the same packet once at each level of the interface stack, starting from the most specific interface (VLAN_116), then the aggregate interface (Agg_Intf), and lastly the physical port (port4).

The VLAN_116 interface is a sub-interface of Agg_Intf (an aggregate interface).


FGT1 # show system interface VLAN_116
    # config system interface
        edit "VLAN_116"
            set vdom "root"
            set ip 10.116.1.1 255.255.255.252
            set allowaccess ping https ssh snmp http fgfm
            set snmp-index 18
            set interface "Agg_Intf"
            set vlanid 116
        next
    end

Agg_Intf is an aggregate interface with port4 as its physical member:


FGT1 # show system interface Agg_Intf
    # config system interface
        edit "Agg_Intf"
            set vdom "root"
            set type aggregate
            set member "port4"
            set device-identification enable
            set lldp-transmission enable
            set role lan
            set snmp-index 15
            set lacp-mode static
        next
    end


FGT1 # show system interface port4
    # config system interface
        edit "port4"
            set vdom "root"
            set type physical
            set snmp-index 4
        next
    end
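As an added illustration (not Fortinet's code and not part of the original article), the following Python script parses the verbosity-4 sniffer lines quoted above and, using the child-to-parent interface mapping taken from the 'show system interface' output, collapses the three consecutive 'out' lines into a single packet with its interface path. The line-layout regex and the 1 ms merge window are assumptions.

```python
import re

# Constructed sample input: the verbosity-4 sniffer lines quoted in the article.
SNIFFER_OUTPUT = """\
1.061971 VLAN_116 in 192.168.30.2 -> 192.168.1.3: icmp: echo request
1.061989 port9 out 192.168.30.2 -> 192.168.1.3: icmp: echo request
1.062475 port9 in 192.168.1.3 -> 192.168.30.2: icmp: echo reply
1.062485 VLAN_116 out 192.168.1.3 -> 192.168.30.2: icmp: echo reply
1.062488 Agg_Intf out 192.168.1.3 -> 192.168.30.2: icmp: echo reply
1.062490 port4 out 192.168.1.3 -> 192.168.30.2: icmp: echo reply
"""

# Interface stack taken from the 'show system interface' output in the article:
# child -> parent. VLAN_116 is a sub-interface of Agg_Intf, whose member is port4.
PARENT = {"VLAN_116": "Agg_Intf", "Agg_Intf": "port4"}

# Assumed verbosity-4 line layout: <timestamp> <interface> <in|out> <packet summary>
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+(?P<pkt>.+)$")


def parse(text):
    """Return one dict per sniffer line; non-matching lines (banners) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            pkts.append(rec)
    return pkts


def collapse(pkts, parent, window=0.001):
    """Merge consecutive lines that carry the same packet in the same direction and
    whose interfaces form a child->parent chain within `window` seconds (assumed 1 ms)."""
    merged = []
    for p in pkts:
        last = merged[-1] if merged else None
        if (last and last["dir"] == p["dir"] and last["pkt"] == p["pkt"]
                and parent.get(last["path"][-1]) == p["intf"]
                and p["ts"] - last["ts"] <= window):
            last["path"].append(p["intf"])      # same packet, one layer further down
        else:
            merged.append({"ts": p["ts"], "dir": p["dir"],
                           "pkt": p["pkt"], "path": [p["intf"]]})
    return merged


if __name__ == "__main__":
    for rec in collapse(parse(SNIFFER_OUTPUT), PARENT):
        print(f"{rec['ts']:.6f} {rec['dir']:3} {' -> '.join(rec['path']):28} {rec['pkt']}")
```

Run against the sample, the six sniffer lines reduce to four packets, and the reply's 'out' record shows the path VLAN_116 -> Agg_Intf -> port4.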

Conclusion:

The output is not duplicate traffic. It is the same ICMP reply reported once at each interface level (VLAN_116, Agg_Intf, port4) as it leaves the FortiGate.


Related Documentation:

Troubleshooting Tip: Using the FortiOS built-in pa... - Fortinet Community

Performing a sniffer trace (CLI and packet capture) | FortiGate / FortiOS 6.2.10 (fortinet.com)

Technical Tip: Packet capture (sniffer) - Fortinet Community