acvaldez
Staff
Article Id 225227
Description

This article describes how to sniff traffic that has been offloaded to the NP7 network processor.

Scope

FortiGate.
Solution

FGT Site A (overlay IP 10.166.242.2, WAN interface IP 10.47.0.157) -- site-to-site VPN -- FGT Site B (WAN interface IP 10.47.1.134, overlay IP 10.166.242.1)

- In this scenario, the ESP packets offloaded to the NP7 will be captured. Set the NP sniffer filters and start it:

diagnose npu sniffer filter intf port1

diagnose npu sniffer filter protocol 50

diagnose npu sniffer filter dir 2

diagnose npu sniffer start

- port1 is the interface on which the sniffer listens; in this scenario it is the interface where the VPN is configured.

- Protocol 50 is ESP, the IP protocol number to capture.

- dir has three options (0 = ingress, 1 = egress, 2 = both); 2 is used here to capture both ingress and egress traffic.

- Once the NP sniffer is started, run the following diagnose sniffer command to read the captured NP traffic:

# diagnose sniffer packet npudbg ' ' 6 0 a

Sample output:

========================================

FG181F-2 # diagnose npu sniffer filter intf port1

FG181F-2 # diagnose npu sniffer filter protocol 50

FG181F-2 # diagnose npu sniffer filter dir 2

FG181F-2 # diagnose npu sniffer start

start sniffer with 1 filter(s)

FG181F-2 # diagnose sniffer packet npudbg  ' ' 6 0 a

interfaces=[npudbg]

filters=[ ]

pcap_lookupnet: npudbg: no IPv4 address assigned

2022-09-29 05:51:33.138406 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x2)

0x0000   0049 7269 2b01 04d5 90d5 40d6 0800 4500        .Iri+.....@...E.

0x0010   0098 d802 0000 3f32 8cb1 0a2f 009d 0a2f        ......?2.../.../

0x0020   0186 f36f 5f69 0000 0002 7801 6734 cf67        ...o_i....x.g4.g

0x0030   4353 b2aa 8e40 1e91 886c abcf 9b02 05fe        CS...@...l......

0x0040   5322 78a7 a57f 13a7 8ac1 5451 0757 0a2c        S"x.......TQ.W.,

0x0050   3dc6 1a7d 92f6 ff34 eabb ce79 059b 633d        =..}...4...y..c=

0x0060   e81a da1a 77c8 b2bb ce2f 7322 c090 4059        ....w..../s"..@Y

0x0070   4715 4d18 794e 1c69 2d2f 2896 d902 50d1        G.M.yN.i-/(...P.

0x0080   115e 5aa8 4ecc cba2 3e0e f698 b913 629e        .^Z.N...>.....b.

0x0090   eb63 85d1 3c50 e164 94a8 9522 a468 9864        .c..<P.d...".h.d

0x00a0   c3dd d5f7 00d0                                 ......

2022-09-29 05:51:33.139119 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x2)

0x0000   04d5 90d5 40d6 0049 7269 2b01 0800 4500        ....@..Iri+...E.

0x0010   0098 0100 0000 3f32 63b4 0a2f 0186 0a2f        ......?2c../.../

0x0020   009d cb5a c2a8 0000 0002 0c21 ba65 ae7f        ...Z.......!.e..

0x0030   c1d4 46e1 9cc5 81bb a128 8372 dd95 ad3b        ..F......(.r...;

0x0040   6c17 ffed 27d4 7be2 74c7 eac7 d89f a981        l...'.{.t.......

0x0050   ea63 4646 5561 7e94 4b6c 6e2b e65b 873d        .cFFUa~.Kln+.[.=

0x0060   6c7d 0209 b033 1323 3723 dd17 cb14 c603        l}...3.#7#......

0x0070   8054 d9ab 7ce2 6128 d8ff b2ab d063 f681        .T..|.a(.....c..

0x0080   fc5f c150 2066 2d2d 5ab3 cd96 96cd dfc9        ._.P.f--Z.......

0x0090   fe2c 5f18 4245 283f fdd1 489c 68b6 388b        .,_.BE(?..H.h.8.

0x00a0   2357 cdad bef6                                 #W....

2022-09-29 05:51:34.138387 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x3)

0x0000   0049 7269 2b01 06d5 90d5 40d6 0800 4500        .Iri+.....@...E.

0x0010   0098 ac09 0000 ff32 f8a9 0a2f 009d 0a2f        .......2.../.../

0x0020   0186 f36f 5f69 0000 0003 7190 fdce e5ed        ...o_i....q.....

0x0030   3e6a 3f28 b2ae 2193 67b0 b367 ef5a e1df        >j?(..!.g..g.Z..

0x0040   eece 9cf7 42d3 c3c9 9f72 c564 ea9e 4f1b        ....B....r.d..O.

0x0050   8cbe 63dc 2447 4321 8ae4 cdb5 0380 b2fe        ..c.$GC!........

0x0060   d0e4 f18c 670f 21c2 ad8e 90a5 8055 01b6        ....g.!......U..

0x0070   e937 95b3 77c0 7c4d fa9c 5ded e25e 1cf8        .7..w.|M..]..^..

0x0080   044b 0bdb 7cdb 77cd 6a52 c6c0 a6c6 eb85        .K..|.w.jR......

0x0090   08ac 13b5 82ca 29cc ee5b 51c8 5b12 3dd2        ......)..[Q.[.=.

0x00a0   aa52 299c 8f4b                                 .R)..K

2022-09-29 05:51:34.138532 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x3)

0x0000   04d5 90d5 40d6 0049 7269 2b01 0800 4500        ....@..Iri+...E.

0x0010   0098 0200 0000 3f32 62b4 0a2f 0186 0a2f        ......?2b../.../

0x0020   009d cb5a c2a8 0000 0003 c3fa addb c4fa        ...Z............

0x0030   97f4 069b 20bd 1348 a85d 4b95 f4ad d43d        .......H.]K....=

0x0040   2fb1 6107 4d7b 043c 02c5 af48 4e94 dffd        /.a.M{.<...HN...

0x0050   afdd 229e 9af6 5433 c576 ade2 1c2d 5804        .."...T3.v...-X.

0x0060   77fc d3e4 b024 9fd1 5e51 0a55 ed2e 57e7        w....$..^Q.U..W.

0x0070   793a a311 1414 0459 dfb2 5268 3ecb 5e5f        y:.....Y..Rh>.^_

0x0080   3a82 218a 8bcd 89c3 ce48 68c3 f0cb e601        :.!......Hh.....

0x0090   21d4 bac8 723f 78ce ce3e 3cc0 88b7 84cf        !...r?x..><.....

0x00a0   bcce 6cc7 7017                                 ..l.p.

2022-09-29 05:51:35.138400 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x4)

0x0000   0049 7269 2b01 06d5 90d5 40d6 0800 4500        .Iri+.....@...E.

0x0010   0098 ac0a 0000 ff32 f8a8 0a2f 009d 0a2f        .......2.../.../

0x0020   0186 f36f 5f69 0000 0004 e592 c2e3 1e56        ...o_i.........V

0x0030   75a3 89d0 d5b9 5908 94d6 cfd4 583f cdf9        u.....Y.....X?..

0x0040   a869 c219 2335 2f50 8d6c b48a 044f c009        .i..#5/P.l...O..

0x0050   407f 6a2c 9569 82fd 57a7 cef4 9b9b 70b9        @.j,.i..W.....p.

0x0060   4a80 f389 2b79 4396 e13b bf8e 2f1a ba0c        J...+yC..;../...

0x0070   e6ab 511e 4176 96ea 62ea e9c8 01c0 09db        ..Q.Av..b.......

0x0080   fbea 756d eba5 8aa2 cf75 795e 2b63 8935        ..um.....uy^+c.5

0x0090   cc89 cae4 8436 c3ff 5115 6a9d 8ae7 311f        .....6..Q.j...1.

0x00a0   d571 98e9 725c                                 .q..r\

2022-09-29 05:51:35.138551 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x4)

0x0000   04d5 90d5 40d6 0049 7269 2b01 0800 4500        ....@..Iri+...E.

0x0010   0098 0300 0000 3f32 61b4 0a2f 0186 0a2f        ......?2a../.../

0x0020   009d cb5a c2a8 0000 0004 62fb 6d11 aa41        ...Z......b.m..A

0x0030   5ac6 a475 2f98 3d01 7d12 7615 fc21 87e2        Z..u/.=.}.v..!..

0x0040   ded4 7ef4 8cfd 7462 faa9 be1e 0331 b862        ..~...tb.....1.b

0x0050   2329 a25c d356 ed88 d7f0 c140 a4d9 3892        #).\.V.....@..8.

0x0060   7391 1735 cb54 3178 ae0f 5e39 2523 fa28        s..5.T1x..^9%#.(

0x0070   5d9d 5652 af87 d2ba f762 228f 6627 d6b7        ].VR.....b".f'..

0x0080   1270 3df7 b4d2 28a9 3771 8787 4d3b c8e9        .p=...(.7q..M;..

0x0090   1037 2570 005d 4e2f 86b0 645f ff87 db35        .7%p.]N/..d_...5

0x00a0   5ad6 c1fb fc10                                 Z.....

2022-09-29 05:51:36.138414 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x5)

0x0000   0049 7269 2b01 06d5 90d5 40d6 0800 4500        .Iri+.....@...E.

0x0010   0098 ac0b 0000 ff32 f8a7 0a2f 009d 0a2f        .......2.../.../

0x0020   0186 f36f 5f69 0000 0005 faa6 c0c3 f43c        ...o_i.........<

0x0030   e7cd df8b 3503 8133 5584 8dcf b1b5 89e0        ....5..3U.......

0x0040   855c 5427 8fe5 ee27 c3b8 db2c 3fef 0ad4        .\T'...'...,?...

0x0050   76d1 ce8c 3b98 5c89 6e4e d773 150c 0a41        v...;.\.nN.s...A

0x0060   3c3b 59f4 ac09 c81d d7bb b44d 7ff5 46f5        <;Y........M..F.

0x0070   622a d768 cbbc f5f0 2ea6 437e bc9c 4d65        b*.h......C~..Me

0x0080   6855 ae93 73bc 452a 73f3 cfb8 a17e b5fd        hU..s.E*s....~..

0x0090   3d8d a211 360c fa3b 3447 96d6 8a39 52a3        =...6..;4G...9R.

0x00a0   9fe6 9569 9c9e                                 ...i..

2022-09-29 05:51:36.138576 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x5)

0x0000   04d5 90d5 40d6 0049 7269 2b01 0800 4500        ....@..Iri+...E.

0x0010   0098 0400 0000 3f32 60b4 0a2f 0186 0a2f        ......?2`../.../

0x0020   009d cb5a c2a8 0000 0005 7c96 96e6 f053        ...Z......|....S

0x0030   a5d2 20e9 1f37 2427 dc1b 6d97 3930 b4aa        .....7$'..m.90..

0x0040   3113 9187 3c15 879a 9c48 2ae4 637b a7b5        1...<....H*.c{..

0x0050   4496 728b 9fc3 e921 8386 751f ed56 e4c9        D.r....!..u..V..

0x0060   ef0c f664 0172 9eaa 0ca7 7bd1 80f1 89e1        ...d.r....{.....

0x0070   fe51 d4c1 f44b 810c 420c 5ba2 d0d3 9435        .Q...K..B.[....5

0x0080   3447 63f3 abe6 6fe8 dde0 f5db 412e bf9b        4Gc...o.....A...

0x0090   72fa 8b19 539f 94be db22 cd92 6a0d fddb        r...S...."..j...

0x00a0   e615 a1fb 4763                                 ....Gc

===================================================

After the capture is complete, stop the NP sniffer with the following command:

diagnose npu sniffer stop

Then run 'diagnose vpn tunnel list' to obtain the tunnel details needed to decrypt this packet capture.

Related document:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Decrypt-ESP-packets/ta-p/198431
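To feed this capture into a decoder such as Wireshark (which can decrypt ESP once the SAs from 'diagnose vpn tunnel list' are configured), the text output must first be rebuilt into frames. The following Python script is an added example, not the page's or Fortinet's code: it parses the verbosity-6 output shown above, checks that each frame is a complete IPv4/ESP packet, and serialises the frames as a pcap; it assumes the fixed column layout of that output (hex groups in columns 9 to 48) and absolute UTC timestamps (the 'a' option).

```python
import calendar, re, struct
from datetime import datetime
# Test input taken from the page's own sample output: the first ESP frame printed by
# 'diagnose sniffer packet npudbg ' ' 6 0 a' (verbosity 6, absolute UTC timestamps).
SAMPLE = """\
2022-09-29 05:51:33.138406 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x2)
0x0000   0049 7269 2b01 04d5 90d5 40d6 0800 4500        .Iri+.....@...E.
0x0010   0098 d802 0000 3f32 8cb1 0a2f 009d 0a2f        ......?2.../.../
0x0020   0186 f36f 5f69 0000 0002 7801 6734 cf67        ...o_i....x.g4.g
0x0030   4353 b2aa 8e40 1e91 886c abcf 9b02 05fe        CS...@...l......
0x0040   5322 78a7 a57f 13a7 8ac1 5451 0757 0a2c        S"x.......TQ.W.,
0x0050   3dc6 1a7d 92f6 ff34 eabb ce79 059b 633d        =..}...4...y..c=
0x0060   e81a da1a 77c8 b2bb ce2f 7322 c090 4059        ....w..../s"..@Y
0x0070   4715 4d18 794e 1c69 2d2f 2896 d902 50d1        G.M.yN.i-/(...P.
0x0080   115e 5aa8 4ecc cba2 3e0e f698 b913 629e        .^Z.N...>.....b.
0x0090   eb63 85d1 3c50 e164 94a8 9522 a468 9864        .c..<P.d...".h.d
0x00a0   c3dd d5f7 00d0                                 ......
"""
TS_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) \S+ -- ")

def parse_sniffer(text):
    """Return [(sec, usec, frame_bytes), ...] from verbosity-6 sniffer text."""
    packets = []
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:  # summary line: starts a new frame (timestamp is absolute UTC)
            dt = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            packets.append([calendar.timegm(dt.timetuple()), dt.microsecond, bytearray()])
        elif line.startswith("0x") and packets:
            # columns 9..48 hold the eight hex groups; the ASCII column is ignored
            packets[-1][2] += bytes.fromhex(line[9:48].replace(" ", ""))
    return [(s, u, bytes(f)) for s, u, f in packets]

def esp_summary(frame):
    """Decode Ethernet/IPv4/ESP headers; raise if the frame is not a whole ESP packet."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800: raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 50 or total_len != len(ip): raise ValueError("not ESP, or frame truncated")
    spi, seq = struct.unpack("!II", ip[ihl:ihl + 8])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "spi": spi, "seq": seq}

def to_pcap(packets):
    """Serialise frames as a libpcap stream (link type 1 = Ethernet) for Wireshark."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out
```

Write the bytes returned by to_pcap(parse_sniffer(text)) to a file opened in binary mode and load it in Wireshark; esp_summary gives the SPI per direction to match against the SA entries from 'diagnose vpn tunnel list'.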