pginete (Staff)
Created on 02-14-2021 10:29 PM
Edited on 11-18-2024 06:40 AM by Jean-Philippe_P
Article Id 197377
Description
This article describes how to run the packet sniffer using a network as the filter.
Scope
FortiGate.
Solution
The sniffer is a useful command when debugging routing problems.
To run a sniff, use the syntax below:
diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>

Various filters that can be used in the <filter> field include:
net [Syntax: 'net X.X.X.X/Y'] - Defines a whole network, capturing all traffic sourced from or destined to that network.
host [Syntax: 'host X.X.X.X'] - Defines a specific host, capturing traffic sourced from or destined to that IP address.
proto [Syntax: 'tcp' / 'udp'] - Restricts the capture to a specific protocol.
port [Syntax: 'port X'] - Captures traffic sourced from or destined to a specific port.
Note: Multiple filters can be combined as per the requirements to capture traffic.
Example of the network as a filter:
First filter: Sniff traffic between two networks (a packet must match both net filters).
diagnose sniffer packet any 'net 1.1.1.0/24 and net 2.2.2.0/24' 4 0 l
Second filter: Sniff from one source network to the destination network.
diagnose sniffer packet any 'src net 1.1.1.0/24 and dst net 2.2.2.0/24' 4 0 l
Third filter: Sniff pings (ICMP) from one source network to the destination network.
diagnose sniffer packet any 'src net 1.1.1.0/24 and dst net 2.2.2.0/24 and icmp' 4 0 l
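To see what the three filters above actually select, here is an added Python example (not from the article or FortiOS) that applies the same filter primitives to a few constructed packets; `eval_term`, `matches`, `capture`, `sniffer_command` and the sample packet list are assumptions of this example.

```python
"""Show which constructed packets each of the article's three network
filters would capture, and build the matching sniffer command line."""
from ipaddress import ip_address, ip_network

# Constructed sample packets (not captured from a real FortiGate):
# (source IP, destination IP, protocol)
PACKETS = [
    ("1.1.1.10", "2.2.2.20", "icmp"),  # ping request, net 1 -> net 2
    ("2.2.2.20", "1.1.1.10", "icmp"),  # ping reply, net 2 -> net 1
    ("1.1.1.10", "2.2.2.20", "tcp"),   # TCP session, net 1 -> net 2
    ("1.1.1.10", "8.8.8.8", "udp"),    # net 1 -> outside both networks
]

def eval_term(term, pkt):
    """Evaluate one primitive: 'net X', 'host X' (optionally prefixed with
    'src' or 'dst') or a bare protocol keyword (tcp/udp/icmp)."""
    src, dst, proto = pkt
    words = term.split()
    if len(words) == 1:
        if words[0] in ("tcp", "udp", "icmp"):
            return words[0] == proto
        raise ValueError(f"unsupported primitive: {term}")
    qual = None
    if words[0] in ("src", "dst"):
        qual, words = words[0], words[1:]
    kind, value = words
    if kind == "net":
        net = ip_network(value, strict=False)
        match = lambda ip: ip_address(ip) in net
    elif kind == "host":
        match = lambda ip: ip == value
    else:
        raise ValueError(f"unsupported primitive: {term}")
    if qual == "src":
        return match(src)
    if qual == "dst":
        return match(dst)
    return match(src) or match(dst)  # unqualified: either direction

def matches(filter_expr, pkt):
    """Terms joined by 'and' must all hold, as in the article's examples."""
    return all(eval_term(t.strip(), pkt) for t in filter_expr.split(" and "))

def capture(filter_expr):
    """Return the constructed packets the filter would let through."""
    return [p for p in PACKETS if matches(filter_expr, p)]

def sniffer_command(interface, filter_expr, level=4, count=0, tsformat="l"):
    """Assemble the CLI line in the syntax the article gives."""
    return f"diagnose sniffer packet {interface} '{filter_expr}' {level} {count} {tsformat}"
```

Running `capture` on the three filters shows the first one matches both directions between the networks, the second only one direction, and the third only the ICMP request.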