lcamilo (Staff)

Description

This article demonstrates how to send 'diagnose sniffer packet' output directly to Wireshark for real-time capture and troubleshooting on Windows 10.
The commands below use SSH to connect to the FortiGate CLI and run the sniffer command, redirecting its output to a local file. The fgt2eth tool converts that file into a format Wireshark can read and passes it on to Wireshark.

Scope

Although this technique is simple to use, the environment must be prepared by following the steps below:

  • Download and install Wireshark.
  • Download fgt2eth.12.2014.exe and rename it to fgt2eth.exe. Save it to a local folder such as c:\tools.
  • Download plink.exe if one does not want to use the Windows native SSH client (optional). Save it to the same local folder, for example c:\tools.
  • Configure and deploy SSH RSA keys (optional). Save the .ppk file to c:\tools to simplify the commands.
  • Run one of the commands below once to accept and store the SSH host fingerprint. This step is required only once per FortiGate:
  • plink.exe -ssh admin@192.168.1.99
  • ssh admin@192.168.1.99

(Screenshot: ssh_fingerprint_prompt.png, the SSH host fingerprint prompt shown on the first connection)

Solution

Option 1 - Connect using the Windows 10 native SSH client.

Open a Command Prompt and change to c:\tools (or the folder in which the files were saved earlier).
Paste or type the command below:

(echo diagnose sniffer packet any "not port 22" 3 ) | ssh admin@192.168.1.99 > capture.txt | fgt2eth.exe -in capture.txt -out -

The capture only starts once the admin password has been entered and the SSH connection is established.

Option 2 - Connect using the Windows 10 native SSH client and RSA keys.
Open a Command Prompt and change to c:\tools (or the folder in which the files were saved earlier).
Paste or type the command below:

(echo diagnose sniffer packet any "not port 22" 3 ) | ssh -i rsakey.ppk -tt admin@192.168.1.99 > capture.txt | fgt2eth.exe -in capture.txt -out -

The capture only starts once the RSA key passphrase has been entered and the SSH connection is established.

Option 3 - Connect using plink.exe, one of the PuTTY tools.
Open a Command Prompt and change to c:\tools (or the folder in which the files were saved earlier).
Paste or type the command below:

plink.exe -ssh -batch -pw yourpassword admin@192.168.1.99 "diagnose sniffer packet any 'not port 22' 3" > capture.txt | fgt2eth.exe -in capture.txt -out -

Option 4 - Connect using plink.exe and RSA keys.
Open a Command Prompt and change to c:\tools (or the folder in which the files were saved earlier).
Paste or type the two commands below, each in its own Command Prompt window.
Command prompt 1:

plink.exe -ssh -i rsakey.ppk admin@192.168.1.99 "diagnose sniffer packet any 'not port 22' 3" > capture.txt

Command prompt 2:

fgt2eth.exe -in capture.txt -out -
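The conversion step that fgt2eth performs in the command chains above (reading the verbosity-3 sniffer text and turning it into a pcap stream that Wireshark can open) is illustrated by the following Python script. This is an added example written for this article; it is not Fortinet's fgt2eth tool and not code from the original page. The sniffer output it parses is a constructed sample, and the names parse_sniffer_output, to_pcap and sample.pcap are this example's own. It also checks the hex-dump offsets so that a line lost or interleaved on the SSH session is detected and the affected packet is discarded rather than written into the capture with a hole in it.

```python
# Added example: convert FortiGate 'diagnose sniffer packet ... 3' text output
# into a classic pcap byte stream. Illustrative code for this article, not
# Fortinet's fgt2eth tool. The sample sniffer output below is constructed.
import re
import struct

# Verbosity-3 output: a packet header line starting with a relative timestamp,
# followed by hex-dump lines such as "0x0010<TAB> 0028 1234 ... <TAB>ascii".
HEADER_RE = re.compile(r"^(\d+\.\d+)\s")
HEXLINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{4} ?)+)")

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1         # verbosity 3 dumps whole Ethernet frames


def parse_sniffer_output(text):
    """Return a list of (timestamp_seconds, frame_bytes) tuples.

    Lines that are neither a packet header nor a hex-dump line (the
    'interfaces=[...]' banner, the packet-count summary, blank lines) are
    skipped. A hex line whose offset does not match the bytes collected so
    far means a line was dropped or interleaved, so that packet is discarded.
    """
    packets = []
    ts = None
    buf = bytearray()
    valid = True

    def flush():
        nonlocal buf, valid
        if ts is not None and buf and valid:
            packets.append((ts, bytes(buf)))
        buf = bytearray()
        valid = True

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            ts = float(m.group(1))
            continue
        m = HEXLINE_RE.match(line)
        if m and ts is not None:
            offset = int(m.group(1), 16)
            if offset != len(buf):
                valid = False          # gap in the dump: do not trust this packet
                continue
            buf += bytes.fromhex(m.group(2).replace(" ", ""))
    flush()
    return packets


def to_pcap(packets, snaplen=65535):
    """Serialise (timestamp, frame) tuples as a classic pcap byte stream."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        if usec == 1_000_000:          # rounding carried into the next second
            sec += 1
            usec = 0
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


# Constructed sample of what 'diagnose sniffer packet any "not port 22" 3'
# prints for an ARP request followed by a TCP SYN to 192.168.1.99:443
# (IPv4 and TCP checksums in the sample are valid).
SAMPLE_OUTPUT = """interfaces=[any]
filters=[not port 22]
0.000000 arp who-has 192.168.1.99 tell 192.168.1.10
0x0000\t ffff ffff ffff 0050 56c0 0008 0806 0001\t......PV........
0x0010\t 0800 0604 0001 0050 56c0 0008 c0a8 010a\t.......PV.......
0x0020\t 0000 0000 0000 c0a8 0163\t..........

0.001234 192.168.1.10.54321 -> 192.168.1.99.443: syn 1
0x0000\t 0009 0f09 0001 0050 56c0 0008 0800 4500\t.......PV.....E.
0x0010\t 0028 1234 4000 4006 a4de c0a8 010a c0a8\t.(.4@.@.........
0x0020\t 0163 d431 01bb 0000 0001 0000 0000 5002\t.c.1..........P.
0x0030\t ffff 5637 0000\t..V7..

2 packets received by filter
0 packets dropped by kernel
"""

if __name__ == "__main__":
    frames = parse_sniffer_output(SAMPLE_OUTPUT)
    with open("sample.pcap", "wb") as fh:   # hypothetical output file name
        fh.write(to_pcap(frames))
    print(f"wrote {len(frames)} packets to sample.pcap")
```

Running the script writes sample.pcap to the current folder, which can be opened in Wireshark to confirm that both frames dissect as ARP and TCP. The offset check is the part worth keeping in any converter that reads a capture file while it is still being written: when the sniffer output arrives over an SSH session, a partial last packet is the normal case, and writing it as-is would produce a truncated frame in Wireshark.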

 

 

Stopping the Capture:

To stop the chained commands, first stop Wireshark and save the capture if needed.

After stopping Wireshark, press 'Ctrl+C' in the Command Prompt.

Finally, close the Command Prompt window to stop any pending activity.

Caveats:
The commands above assume the administrator user is 'admin'; replace it to match the environment.

The commands above assume the FortiGate's admin IP is 192.168.1.99; replace it as required.
The commands above use the tcpdump-style filter 'not port 22', which excludes the SSH session itself so that the sniffer does not capture its own transport. Replace it as required.

Option 3 passes the admin password on the command line with '-pw', where it is visible in the process list and the command history; prefer the RSA-key options where possible.

If the capture is stopped, the chained process stops as well and a new capture must be started.

When troubleshooting packet loss or performance issues, plan to connect the SSH session through a healthy interface.