Description
This article describes how to capture packets on a virtual wire pair interface for troubleshooting.
Scope
FortiGate v6.4, v7.0 and v7.2.
Solution
To capture packets on a virtual wire pair interface, particularly for troubleshooting purposes, use the sniffer command:
diagnose sniffer packet port1 " " 6 0 <----- Port1 is a virtual wire pair member.
The sniffer filter and the other arguments can be adjusted as needed.
If the traffic expected through the VWP port combination is multicast traffic (as demonstrated in this article), make sure to add the appropriate multicast firewall policy or policies to the FortiGate.
It is not possible to capture packets going through VWP ports in the GUI: once an interface becomes a VWP member, it is no longer available for selection in the GUI packet capture utility. If the packet capture is taken at verbosity 6, for example, it is possible to convert it to a PCAP file for analysis in Wireshark.
Verbosity 1 and 4 will NOT include data, but the rest will.
Verbosity:
When VLAN-tagged traffic passes through the virtual wire pair, if a filter is applied to the sniffer, not all of the VLAN traffic can be captured. In the example below, only the out direction can be seen when the sniffer filter 'host' is applied.
FortiGate # diagnose sniffer packet any "host 10.10.10.1" 4 0 l
interfaces=[any]
filters=[host 10.10.10.1]
2025-07-11 17:06:31.376646 port2 out 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:06:31.376980 port1 out 10.10.10.1 -> 10.10.10.2: icmp: echo reply
2025-07-11 17:06:32.393468 port2 out 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:06:32.393638 port1 out 10.10.10.1 -> 10.10.10.2: icmp: echo reply
To capture VLAN-tagged traffic in both the in and out directions, the sniffer needs to be run on each interface in the virtual wire pair instead of on 'any'. The filter will also need to include 'vlan'.
FortiGate # diagnose sniffer packet port1 "vlan and host 10.10.10.1" 4 0 l
interfaces=[port1]
filters=[vlan]
pcap_lookupnet: port1: no IPv4 address assigned
2025-07-11 17:07:56.686392 port1 -- 802.1Q vlan#10 P0 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:07:56.686753 port1 -- 802.1Q vlan#10 P0 10.10.10.1 -> 10.10.10.2: icmp: echo reply
2025-07-11 17:07:57.703134 port1 -- 802.1Q vlan#10 P0 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:07:57.703353 port1 -- 802.1Q vlan#10 P0 10.10.10.1 -> 10.10.10.2: icmp: echo reply

FortiGate # diagnose sniffer packet port2 "vlan and host 10.10.10.1" 4 0 l
interfaces=[port2]
filters=[vlan]
pcap_lookupnet: port2: no IPv4 address assigned
2025-07-11 17:07:56.686425 port2 -- 802.1Q vlan#10 P0 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:07:56.686747 port2 -- 802.1Q vlan#10 P0 10.10.10.1 -> 10.10.10.2: icmp: echo reply
2025-07-11 17:07:57.703150 port2 -- 802.1Q vlan#10 P0 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:07:57.703348 port2 -- 802.1Q vlan#10 P0 10.10.10.1 -> 10.10.10.2: icmp: echo reply
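The per-interface captures print '--' instead of a direction, so the ingress and egress side of each packet has to be recovered by comparing timestamps across the two outputs. The following Python script is an added example, not part of the original article or of any Fortinet tooling; the names `parse`, `infer_paths` and `window_us` are hypothetical, and it assumes both sniffers ran at the same time on the same unit so the timestamps share one clock.

```python
import re
from datetime import datetime, timedelta

# Verbosity-4 line: timestamp, interface, direction (in/out/--), optional 802.1Q tag, summary.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) (?P<intf>\S+) (?P<dir>in|out|--) "
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+ )?(?P<summary>.+)$")

def parse(text):
    """Return one dict per packet line; prompt and banner lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            p = m.groupdict()
            p["ts"] = datetime.strptime(p["ts"], "%Y-%m-%d %H:%M:%S.%f")
            p["vlan"] = int(p["vlan"]) if p["vlan"] else None
            packets.append(p)
    return packets

def infer_paths(cap_a, cap_b, window_us=5000):
    """Pair packets seen on both members; returns (ingress, egress, vlan, summary, transit_us)."""
    paths, unused = [], list(cap_b)
    for a in cap_a:
        for b in unused:
            delta = (b["ts"] - a["ts"]) // timedelta(microseconds=1)  # exact integer microseconds
            if (a["summary"], a["vlan"]) == (b["summary"], b["vlan"]) and abs(delta) <= window_us:
                first, second = (a, b) if delta >= 0 else (b, a)  # earlier timestamp = ingress
                paths.append((first["intf"], second["intf"], a["vlan"], a["summary"], abs(delta)))
                unused.remove(b)
                break
    return paths

# Sample input: packet lines copied from the two per-interface outputs in this article.
PORT1 = """\
2025-07-11 17:07:56.686392 port1 -- 802.1Q vlan#10 P0 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:07:56.686753 port1 -- 802.1Q vlan#10 P0 10.10.10.1 -> 10.10.10.2: icmp: echo reply
2025-07-11 17:07:57.703134 port1 -- 802.1Q vlan#10 P0 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:07:57.703353 port1 -- 802.1Q vlan#10 P0 10.10.10.1 -> 10.10.10.2: icmp: echo reply
"""
PORT2 = """\
2025-07-11 17:07:56.686425 port2 -- 802.1Q vlan#10 P0 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:07:56.686747 port2 -- 802.1Q vlan#10 P0 10.10.10.1 -> 10.10.10.2: icmp: echo reply
2025-07-11 17:07:57.703150 port2 -- 802.1Q vlan#10 P0 10.10.10.2 -> 10.10.10.1: icmp: echo request
2025-07-11 17:07:57.703348 port2 -- 802.1Q vlan#10 P0 10.10.10.1 -> 10.10.10.2: icmp: echo reply
"""
if __name__ == "__main__":
    for path in infer_paths(parse(PORT1), parse(PORT2)):
        print("%s -> %s vlan %s  %s  (%d us)" % path)
```

A packet that appears in only one of the two captures is left unpaired, which points at traffic that entered one member but never left the other.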
Copyright 2025 Fortinet, Inc. All Rights Reserved.