Description
This article describes how to perform a Wireshark capture to successfully diagnose a traffic problem.
Scope
FortiGate.
Solution
Install the latest version of Wireshark.
Example: a packet capture of a connection to an SMTP server is examined.
- Select the correct network interface.
  - Launch Wireshark (run as administrator/root for full access).
  - In the main window, there is a list of available interfaces (e.g., Ethernet, Wi-Fi, Loopback).
  - Choose the one where packets enter/exit the machine (often the active one, with a graph indicating activity).
  - Double-click it, or select it and proceed to options.
  - Tip: If unsure, start a quick capture on each interface to see where the test traffic appears.
- Apply a capture filter to narrow down traffic.
  - This prevents overwhelming captures on busy networks. If this is not possible, skip this step and use display filters later. See Wireshark Capture filters.
- Start the capture and reproduce the failing connection.
  - Select the blue shark icon.
  - Let it run for 30–60 seconds or until the failure occurs, then stop with the red square button.
  - Tip: Minimize other network activity (close browsers, pause downloads) to reduce noise.
- Stop the capture and analyze.
  - Filter for the SMTP server and port with the display filter: ip.addr == x.x.x.x && tcp.port == 25 (replace x.x.x.x with the actual server IP).
  - Check source and destination IPs. In the packet list, look at the Source and Destination columns:
    - Client -> Server: outgoing commands (e.g., EHLO, MAIL FROM).
    - Server -> Client: responses (e.g., 250 OK).
  - Identify negotiated protocols:
    - The session starts with the TCP 3-way handshake (SYN, SYN-ACK, ACK).
    - Then the SMTP commands follow (HELO/EHLO, responses with extensions like AUTH or PIPELINING).
  - View exchanged values:
    - Select a packet: the Packet Details pane will show commands/responses.
    - Recommended step: Right-click an SMTP packet -> Follow -> TCP Stream. This shows the full plain-text conversation (commands, email headers, body, and server replies).
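As an added illustration (not part of the original article or of Wireshark), the script below performs the same three checks on a constructed packet list: it confirms the 3-way handshake, rebuilds the conversation by direction as Follow -> TCP Stream does, and lists the extensions the server advertised in its EHLO reply. It goes one step further than the article and also picks out 4xx/5xx server replies, which is usually where the failing connection shows up. The server IP, hostnames and packet contents are all constructed sample values.

```python
from dataclasses import dataclass

SERVER_IP = "192.0.2.25"  # constructed placeholder for the x.x.x.x of the display filter

@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # as Wireshark's Info column shows them: SYN, SYN-ACK, ACK, PSH-ACK
    payload: str = ""  # decoded TCP payload; empty for pure handshake/ACK packets

# Constructed sample session: handshake, greeting, EHLO, then a rejected MAIL FROM.
SAMPLE = [
    Packet("10.0.0.5", SERVER_IP, "SYN"),
    Packet(SERVER_IP, "10.0.0.5", "SYN-ACK"),
    Packet("10.0.0.5", SERVER_IP, "ACK"),
    Packet(SERVER_IP, "10.0.0.5", "PSH-ACK", "220 mail.example.net ESMTP ready\r\n"),
    Packet("10.0.0.5", SERVER_IP, "PSH-ACK", "EHLO client.example.org\r\n"),
    Packet(SERVER_IP, "10.0.0.5", "PSH-ACK",
           "250-mail.example.net\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n250 STARTTLS\r\n"),
    Packet("10.0.0.5", SERVER_IP, "PSH-ACK", "MAIL FROM:<user@example.org>\r\n"),
    Packet(SERVER_IP, "10.0.0.5", "PSH-ACK", "550 5.7.1 Relaying denied\r\n"),
]

def handshake_complete(packets, server_ip):
    """True when SYN (client), SYN-ACK (server), ACK (client) appear in that order."""
    expected = [("SYN", False), ("SYN-ACK", True), ("ACK", False)]  # (flags, from server?)
    step = 0
    for p in packets:
        if step < 3 and (p.flags, p.src == server_ip) == expected[step]:
            step += 1
    return step == 3

def follow_stream(packets, server_ip):
    """Rebuild the plain-text conversation by direction, like Follow -> TCP Stream."""
    return [("S>C" if p.src == server_ip else "C>S", line)
            for p in packets for line in p.payload.splitlines()]

def negotiated_extensions(stream):
    """Extensions advertised in the server's multi-line EHLO reply (250-... then 250 ...)."""
    exts, in_ehlo = [], False
    for tag, line in stream:
        if tag == "C>S":
            in_ehlo = line.upper().startswith("EHLO")
        elif in_ehlo and line.startswith("250"):
            exts.append(line[4:].split(" ")[0])  # keyword only, e.g. AUTH from "AUTH PLAIN LOGIN"
            in_ehlo = line[3:4] == "-"  # a space after the code marks the last reply line
    return exts[1:]  # the first 250 line carries the server name, not an extension

def failures(stream):
    """Server replies with 4xx (temporary) or 5xx (permanent) codes: the usual root cause."""
    return [line for tag, line in stream if tag == "S>C" and line[:1] in ("4", "5")]
```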
