Technical Tip: How to interpret a session labeled as 'DP sess' when performing a packet capture on FortiGate chassis devices

amrit · ‎09-26-2025

Description

This article explains the meaning of the 'DP sess' packets observed on FortiGate chassis devices when running a sniffer capture.

Scope

FortiGate-6000/7000.

Solution

When running a packet capture on the SLBC platform devices, the following output can be observed:

diagnose sniffer packet any 'host 192.168.20.1 and host 172.16.1.30' 4 0 l

[FPC01] 2025-09-25 10:27:36.795595 port28 in 192.168.20.1 -> 172.16.1.30: icmp: echo request
[FPC01] 2025-09-25 10:27:36.795625 port27 out 172.16.1.30 -> 192.168.20.1: icmp: echo reply (DP Sess)
[FPC01] 2025-09-25 10:27:36.795627 port28 out 192.168.20.1 -> 172.16.1.30: icmp: echo request (DP Sess)
[FPC01] 2025-09-25 10:27:36.795717 port27 out 192.168.20.1 -> 172.16.1.30: icmp: echo request
[FPC01] 2025-09-25 10:27:36.795731 port25 in 192.168.20.1 -> 172.16.1.30: icmp: echo request
[FPC01] 2025-09-25 10:27:36.795733 Sever-emac in 192.168.20.1 -> 172.16.1.30: icmp: echo request
[FPC01] 2025-09-25 10:27:36.795758 port11 out 172.16.1.30 -> 192.168.20.1: icmp: echo reply (DP Sess)
[FPC01] 2025-09-25 10:27:36.795760 port25 out 192.168.20.1 -> 172.16.1.30: icmp: echo request (DP Sess)

The packets marked with '(DP Sess)' should not be considered duplicates. The SLBC distributed processor (DP) internally uses these packets to load balance traffic across Fabric Processor Cards (FPCs) or Fabric Processing Modules (FPMs). As a result, this is expected behavior.

Technical Tip: How to interpret a session labeled as 'DP sess' when performing a packet capture on FortiGate chassis devices

You are leaving our website