FortiGate
Article Id 197868

Description

 

This article explains how to add a filter to sniffer commands for the PPPoE interface on a FortiGate device, for both IPv4 and IPv6.

 

Scope

 

FortiGate.

 

Solution

 
  • To filter sniffer commands for the PPPoE interface on a FortiGate device for IPv4 and IPv6, use the diag sniffer packet command with specific filters.
  • For IPv4 traffic over PPPoE, use the following command to capture UDP packets, or specify source/destination IPs or ports as needed:

 

diagnose sniffer packet <interface_name> 'proto 17' 6 0 l

 

  • The command below captures packets in detail on a specified physical interface, focusing on the PPPoE discovery (0x8863) and session (0x8864) stages, as outlined in RFC 2516.
  • Using the filter 'ether proto 0x8863 or ether proto 0x8864' ensures only relevant PPPoE packets are captured, which is crucial for diagnosing connectivity issues or PPP session problems.
  • Running the capture for extended periods, such as several hours, increases the likelihood of capturing transient issues.
  • For precise command syntax, note that the final 'l' is the lowercase letter L, not the digit 1; it fills the <tsformat> (timestamp format) position of the command.
  • Additional troubleshooting tips and best practices are available in the FortiOS packet sniffer guide, which can help refine filtering and analysis techniques for effective problem resolution.

 

diagnose sniffer packet <physical interface> 'ether proto 0x8863 or ether proto 0x8864' 6 0 l 
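
As an added example (not part of the original article and not Fortinet code), the Python below decodes the frames that the 'ether proto 0x8863 or ether proto 0x8864' filter matches: for discovery frames it names the RFC 2516 stage and tags, and for session frames it names the PPP protocol carried inside, which is how IPv4 and IPv6 are told apart. It assumes untagged Ethernet frames already available as bytes; parse_pppoe and the three sample frames are constructed for illustration.

```python
import struct

# EtherTypes, codes and tag types are from RFC 2516; PPP protocol numbers are IANA-assigned.
DISCOVERY, SESSION = 0x8863, 0x8864
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq",
        0x0201: "Service-Name-Error", 0x0202: "AC-System-Error", 0x0203: "Generic-Error"}
PPP = {0x0021: "IPv4", 0x0057: "IPv6", 0xC021: "LCP", 0xC023: "PAP",
       0xC223: "CHAP", 0x8021: "IPCP", 0x8057: "IPV6CP"}

def parse_pppoe(frame: bytes) -> dict:
    """Decode one untagged Ethernet frame that carries PPPoE (hypothetical helper)."""
    if len(frame) < 20:
        raise ValueError("too short for Ethernet + PPPoE headers")
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype not in (DISCOVERY, SESSION):
        raise ValueError(f"EtherType 0x{ethertype:04x} is not PPPoE")
    if ver_type != 0x11:
        raise ValueError("PPPoE version and type must both be 1")
    payload = frame[20:20 + length]  # ignore Ethernet padding past the length field
    if len(payload) != length:
        raise ValueError("truncated: payload shorter than the PPPoE length field")
    info = {"session_id": session_id}
    if ethertype == DISCOVERY:
        info["stage"] = CODES.get(code, f"unknown code 0x{code:02x}")
        info["tags"], pos = [], 0
        while pos + 4 <= len(payload):  # walk the TYPE/LENGTH/VALUE tags
            tag, tlen = struct.unpack("!HH", payload[pos:pos + 4])
            if tag == 0x0000:  # End-Of-List
                break
            info["tags"].append((TAGS.get(tag, f"0x{tag:04x}"), payload[pos + 4:pos + 4 + tlen]))
            pos += 4 + tlen
    else:
        if length < 2:
            raise ValueError("session frame has no PPP protocol field")
        proto = struct.unpack("!H", payload[:2])[0]
        info["stage"] = "session"
        info["ppp_protocol"] = PPP.get(proto, f"0x{proto:04x}")
    return info

# Constructed sample frames (not taken from a real capture).
PADI = bytes.fromhex("ffffffffffff" "020000000001" "8863" "1109" "0000" "0004" "01010000")
PADS_ERROR = bytes.fromhex("020000000001" "020000000002" "8863" "1165" "0000" "0010"
                           "0203000c") + b"no resources"
SESSION_V6 = bytes.fromhex("020000000002020000000001" "8864" "1100" "0001" "0006" "005760000000")

if __name__ == "__main__":
    for name, frame in (("PADI", PADI), ("PADS_ERROR", PADS_ERROR), ("SESSION_V6", SESSION_V6)):
        print(name, parse_pppoe(frame))
```

A PADS that carries a Generic-Error tag with session ID 0, as in the second sample, means the access concentrator refused the session, which is the kind of transient failure a long-running capture is meant to catch.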

 

  • For IPv6, similarly, include the ip6 keyword. For example: 

 

diagnose sniffer packet <interface_name> 'ip6' 6 0 l

 

  • To focus on PPPoE traffic, filter by EtherType 0x8863 (PPPoE Discovery) or 0x8864 (PPPoE Session) in the filter expression, such as 'ether proto 0x8864'.
  • Replace <interface_name> with the actual interface name associated with the PPPoE connection.

 

diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>

 

  • The 'diagnose sniffer packet' command is used to capture IPv6 packets on a specified interface, allowing for filtering with flexible logical expressions, such as source or destination addresses, ports, or protocols, like ICMPv6 or UDP.
  • It is possible to specify the interface (e.g., any, wan1), set a filter string to narrow down the capture (e.g., host 2001:4860:4860::8888), and define the capture depth (level), number of packets (count), and timestamp format (tsformat). 
  • This tool is useful for diagnosing network issues, monitoring IPv6 traffic, and analyzing specific communication patterns, especially when troubleshooting complex IPv6 deployments.