Description
This article describes how to import the output of the 'diagnose sniffer packet' command into Wireshark.
Scope
FortiGate.
Solution
In this example, the test unit is continuously pinging 8.8.8.8.
To examine the captured packets in Wireshark, follow these steps (Windows):
- Install Wireshark. This is required even if the device performing the conversion will not be used to review the result, because the attached version of fgt2eth.exe looks for text2pcap at 'C:\Program Files\Wireshark\text2pcap.exe'.
- Download fgt2eth.exe.12.2014.zip attached.
- Unzip and save fgt2eth.exe in a specific folder.
- Access the unit using PuTTY or any other SSH application.
- Ensure PuTTY is set to log all printable output to a file. Save the session log in the folder where fgt2eth.exe is saved.
- Run the following command (make sure to use the values 6 0 at the end: verbosity level 6 prints the hex dump that fgt2eth.exe needs, and a packet count of 0 keeps capturing until stopped):
diag sniff packet any 'host 8.8.8.8 and icmp' 6 0
- The test unit starts pinging 8.8.8.8 and the FortiGate CLI packet sniffer starts printing captured packets.
- When finished, press Ctrl-C to stop the sniffer.
- Open the command prompt on the Windows machine and navigate to the directory where fgt2eth.exe and the SSH log are saved. To move between folders, use 'cd'; to list the files in the directory, use 'dir'.
- Run the tool in the command prompt:
fgt2eth.exe -in <ssh_log_name.txt> -out <pcap_name.pcap>
- Go to the folder and open the PCAP using Wireshark.
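For readers who want to see what the conversion step does, here is an added Python example (not Fortinet's fgt2eth tool or its source): it parses verbosity-6 sniffer text into frames and writes a classic pcap that Wireshark opens directly, without text2pcap. The sniffer output embedded in it is constructed, and it assumes the hex dump starts at the Ethernet header (verbosity 6), so the pcap link type is Ethernet.

```python
import re
import struct

# Constructed sample of 'diag sniff packet any ... 6 0' output (not a real capture).
SAMPLE = (
    "interfaces=[any]\nfilters=[host 8.8.8.8 and icmp]\n"
    "2.153421 port1 out 10.0.0.1 -> 8.8.8.8: icmp: echo request\n"
    "0x0000\t 0009 0f09 0002 0009 0f12 3456 0800 4500\t...........4V..E.\n"
    "0x0010\t 001c 0001 0000 4001 0000 0a00 0001 0808\t......@.........\n"
    "0x0020\t 0808 0800 f7ff 0000 0000\t..........\n"
    "2.160002 port1 in 8.8.8.8 -> 10.0.0.1: icmp: echo reply\n"
    "0x0000\t 0009 0f12 3456 0009 0f09 0002 0800 4500\t....4V........E.\n"
    "0x0010\t 001c 0001 0000 3901 0000 0808 0808 0a00\t......9.........\n"
    "0x0020\t 0001 0000 ffff 0000 0000\t..........\n"
)
# Packet header line: relative timestamp, interface, direction (in/out/--), summary.
HEADER = re.compile(r"^(\d+\.\d+)\s+\S+\s+(?:in|out|--)\s")

def _hex_bytes(line):
    """Bytes from one '0x0010  0009 0f09 ...' dump line; stops at the ASCII column."""
    out = bytearray()
    for tok in line.split()[1:]:                  # drop the 0x.... offset
        if len(tok) != 4 or any(c not in "0123456789abcdefABCDEF" for c in tok):
            break                                 # first non-hex token = ASCII column
        out += bytes.fromhex(tok)
    return bytes(out)

def parse_sniffer_output(text):
    """Verbosity-6 sniffer text -> list of (timestamp_seconds, ethernet_frame_bytes).
    Output captured at verbosity 1 or 4 has no hex lines and yields an empty list."""
    packets, ts, frame = [], None, bytearray()
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                     # new packet: flush the previous one
            if ts is not None and frame:
                packets.append((ts, bytes(frame)))
            ts, frame = float(m.group(1)), bytearray()
        elif ts is not None and line.startswith("0x"):
            frame += _hex_bytes(line)
    if ts is not None and frame:
        packets.append((ts, bytes(frame)))
    return packets

def to_pcap_bytes(packets, linktype=1):
    """Classic libpcap file. linktype 1 (Ethernet) matches verbosity 6, whose dump
    starts at the Ethernet header; this is assumed, not auto-detected."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, frame in packets:
        sec, usec = divmod(int(round(ts * 1_000_000)), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)
```

Read the PuTTY log as text, pass it to parse_sniffer_output(), and write to_pcap_bytes() to a file ending in .pcap; an empty result usually means the capture was taken without verbosity 6.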
Related articles:
Troubleshooting Tip: Packet capture (CLI sniffer) tips and best practices
Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets
Technical Tip: How to import 'diagnose sniffer packet' data to WireShark - Ethereal application