FortiGate
sfrati (Staff)
Article Id 399644
Description

This article presents SnifTran, a free program that converts the plain-text traffic captured on a FortiGate with 'diag sniffer packet' at verbosity level 6 (full packets with interface name and data) into a capture file, and describes how to customize Wireshark to get the most out of the result.

 

The conversion produces a new file in PCAPng format that opens directly in Wireshark for graphical display.
Although SnifTran is a very stable and valuable tool, available at https://github.com/ondrejholecek/sniftran/, it is neither graphical nor automated by default.

Here is a detailed guide to getting even more benefit from this tool by customizing:

  • Wireshark: to display more columns, including the incoming or outgoing interface.
  • Notepad++: to trigger SnifTran on the current open file and launch Wireshark on the resulting .pcapng file.
Scope
FortiGate.
Solution

Customization of Wireshark to display SnifTran's additional information:
For each frame, SnifTran records the interface name and the traffic direction (in or out) in the packet comment, which Wireshark exposes as the hidden field 'frame.comment' (older Wireshark releases named this field 'pkt_comment'). The comment looks like:

 

"(out) port33" or "(in) port34"

 

Note:

If, for instance, the outgoing interface is a LAG made of several aggregated ports, the comment shows the physical member port from which the frame actually leaves the device, not the name of the aggregate interface.
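As an added, runnable illustration of the conversion described in this article (example code written for this page, not SnifTran's own source), the Python script below parses constructed verbosity-6 sniffer output, reassembles each frame from its hex-dump lines and writes a PCAPng file whose per-packet comment uses the same "(in) port3" / "(out) port33" layout, so the frame.comment filter and custom column described on this page apply to its output unchanged. It assumes relative sniffer timestamps (no trailing 'a' or 'l' timestamp argument), hex-dump lines laid out as "0xOFFSET<TAB>hex groups<TAB>ascii", and Ethernet frames; the sample traffic, the function names and the Packet structure are this example's own.

```python
"""Convert FortiGate sniffer text (diag sniffer packet ... 6) to PCAPng.

Example code for this article, not SnifTran's own. Each frame becomes an
Enhanced Packet Block whose opt_comment is "(in|out) <iface>". Assumptions:
relative timestamps, "0xOFFSET<TAB>hex<TAB>ascii" dump lines, Ethernet frames.
"""
import re
import struct
import sys
from dataclasses import dataclass

# Constructed sample of verbosity-6 output: one header line per frame
# ("<seconds> <iface> <in|out> <summary>") followed by its hex dump.
SAMPLE = (
    "interfaces=[any]\n"
    "filters=[none]\n"
    "1.234567 port3 in 10.0.0.5.40000 -> 10.0.0.1.80: syn 123456789\n"
    "0x0000\t 0050 56aa bbcc 0050 56dd eeff 0800 4500\t.PV....PV.....E.\n"
    "0x0010\t 0028 0001 0000 4006 0000 0a00 0005 0a00\t.(....@.........\n"
    "0x0020\t 0001 9c40 0050 075b cd15 0000 0000 5002\t...@.P.[......P.\n"
    "0x0030\t 2000 0000 0000                         \t......\n"
    "1.234800 port33 out 10.0.0.5.40000 -> 10.0.0.1.80: syn 123456789\n"
    "0x0000\t 0050 56aa bbcc 0050 56dd eeff 0800 4500\t.PV....PV.....E.\n"
    "0x0010\t 0028 0001 0000 3f06 0000 0a00 0005 0a00\t.(....?.........\n"
    "0x0020\t 0001 9c40 0050 075b cd15 0000 0000 5002\t...@.P.[......P.\n"
    "0x0030\t 2000 0000 0000                         \t......\n"
)

HEADER_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+(in|out)\s+(.*)$")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{4}\b")


@dataclass
class Packet:
    ts: float        # seconds since sniffer start (relative timestamp)
    iface: str       # physical port the frame was seen on
    direction: str   # "in" or "out"
    info: str        # sniffer's one-line summary, kept for reference
    data: bytes      # raw Ethernet frame reassembled from the hex dump


def parse_sniffer(text):
    """Parse sniffer text into Packet objects, one per hex-dumped frame."""
    packets, header, data = [], None, bytearray()

    def flush():
        if header is not None and data:      # frames without a dump are skipped
            packets.append(Packet(*header, bytes(data)))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            header = (float(m.group(1)), m.group(2), m.group(3), m.group(4))
            data = bytearray()
        elif header is not None and line.startswith("0x"):
            fields = line.split("\t")
            offset = int(fields[0], 16)
            if offset != len(data):           # a skipped or truncated dump line
                raise ValueError(f"hex dump gap at offset {offset:#06x}")
            hexpart = fields[1] if len(fields) > 1 else line[6:]
            data += bytes.fromhex("".join(HEX_RE.findall(hexpart)[:8]))
    flush()
    return packets


def _block(btype, body):
    """Frame a PCAPng block: type, total length, body, total length again."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _option(code, value):
    return struct.pack("<HH", code, len(value)) + value + b"\0" * ((-len(value)) % 4)


def build_pcapng(packets):
    """Section Header + one Ethernet Interface Description + one EPB per frame."""
    out = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += _block(0x00000001, struct.pack("<HHI", 1, 0, 0))  # LINKTYPE_ETHERNET
    for p in packets:
        ts = int(round(p.ts * 1_000_000))     # default if_tsresol is microseconds
        body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(p.data), len(p.data))
        body += p.data + b"\0" * ((-len(p.data)) % 4)
        body += _option(1, f"({p.direction}) {p.iface}".encode())  # opt_comment
        body += struct.pack("<HH", 0, 0)                            # opt_endofopt
        out += _block(0x00000006, body)
    return out


def epb_comments(blob):
    """Walk a PCAPng byte string and return the comment of every EPB (sanity check)."""
    comments, pos = [], 0
    while pos < len(blob):
        btype, blen = struct.unpack_from("<II", blob, pos)
        if btype == 0x00000006:
            caplen = struct.unpack_from("<I", blob, pos + 20)[0]
            opos, end = pos + 28 + caplen + (-caplen) % 4, pos + blen - 4
            while opos + 4 <= end:
                code, olen = struct.unpack_from("<HH", blob, opos)
                if code == 0:
                    break
                if code == 1:
                    comments.append(blob[opos + 4:opos + 4 + olen].decode())
                opos += 4 + olen + (-olen) % 4
        pos += blen
    return comments


if __name__ == "__main__":
    # usage: python sniff2pcapng.py sniffer.txt out.pcapng  (no args: convert SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    dest = sys.argv[2] if len(sys.argv) > 2 else "sample.pcapng"
    with open(dest, "wb") as f:
        f.write(build_pcapng(parse_sniffer(text)))
```

The offset check is the part worth keeping in any converter: the sniffer prints one dump line per 16 bytes, so a missing or truncated line shows up as an offset that does not match the bytes already collected, and it is better to fail on that frame than to write a silently shortened packet. The output file can be opened in Wireshark or checked from the command line with tshark -r sample.pcapng -T fields -e frame.comment -e ip.src -e ip.dst.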


An immediate benefit in Wireshark: to display only the packets seen on interface port3, in both directions, use the following display filter. Note that 'contains' is a substring match, so on a device with more ports it also matches comments such as "(out) port33" or "(in) port34"; to match port3 alone, compare the whole comment with '==' or use the 'matches' operator with an anchored regular expression such as port3$.

 

frame.comment contains "port3"
 

[Screenshot: snif1.png]

 

Adding a new displayed column based on the 'frame.comment' field:
As shown in the previous screenshot, Wireshark can be customized with a new custom column (following this tutorial: https://www.youtube.com/watch?v=XpUNXDkfkQg) that displays this field for each frame.

In Wireshark, under Preferences -> Appearance -> Columns, create a new column, named 'IfaceSnifTran' in this case, set its type to Custom with 'frame.comment' as its field (or right-click the column header in the packet list and edit the column) so that it displays the frame comment, as shown below:

 
[Screenshot: snif2.png]

 

 

The result is the following; see the contents of the 'IfaceSnifTran' column:

 

[Screenshot: snif3.png]

 

A related article, 'Technical Tip: How to customize Notepad++ to automate SnifTran processing of sniffed traces', describes how to customize Notepad++ to trigger SnifTran on the currently open file and launch Wireshark on the resulting .pcapng file.