FortiGate
abarushka
Staff
Article Id 193813

Description
This article describes how to capture traffic on a VMware ESXi hypervisor using the pktcap-uw tool.

Scope
For VMware ESXi.

Solution
Many Fortinet products can run as virtual machines on the ESXi hypervisor.
When there is a connectivity issue between a Fortinet VM and another VM, capturing traffic on the hypervisor side helps isolate the problem: a packet seen on the vSwitch port but missing from the FortiGate sniffer (or the other way round) narrows the fault to one side.
To capture traffic on the ESXi host, perform the steps below:

- Enable SSH access on ESXi (and disable it again once the capture is finished).
- SSH to the ESXi host.
- Run net-stats -l | grep <VM name> in the CLI to find the virtual switch port of the VM; a VM with several vNICs has one port per vNIC.
- In vSphere 6.5 or earlier, the capture direction must be specified (either input or output); to see both directions, run one capture per direction.

- The switch port number of the VM is the PortNum value reported by net-stats.
- -o sets the path and file name of the pcap file to create.
- --dir sets the direction (either input or output):

pktcap-uw --switchport 123 -o /tmp/in.pcap --dir input
pktcap-uw --switchport 123 -o /tmp/out.pcap --dir output

- In vSphere 6.7 or later, both directions can be captured at once by setting --dir 2:

pktcap-uw --switchport 123 -o /tmp/both.pcap --dir 2

- Press Ctrl-C in the CLI to stop the capture.
- Download the created pcap file(s) from ESXi over SSH (for example with scp) and open them in Wireshark.
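The steps above, as an added example script that is not from the original article or from Fortinet: it finds the switch port(s) of a VM from net-stats -l, chooses the --dir values by ESXi version, and starts the captures. It is written for the ESXi BusyBox shell (POSIX sh, no bash-isms). The net-stats -l column layout, the vmware -v output format and the -c packet-count flag are assumptions to check against the host (net-stats -l, pktcap-uw -h); the sample net-stats output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example (not part of the original article): capture all vNICs of one VM
# on an ESXi host with pktcap-uw. Written for the ESXi BusyBox shell (POSIX sh).
# Assumptions, to verify against your host with `net-stats -l` and `pktcap-uw -h`:
#   - net-stats -l prints "PortNum Type SubType SwitchName MACAddress ClientName"
#     and lists each VM vNIC with ClientName "<VM name>.eth<N>";
#   - `vmware -v` prints "VMware ESXi <major>.<minor>.<patch> build-<n>";
#   - pktcap-uw accepts -c <count> to stop after that many packets.

MAX_PKTS=100000   # safety cap per capture; /tmp on ESXi is a RAM disk

# Constructed sample of net-stats -l output, used by the self-test.
SAMPLE_NET_STATS='PortNum          Type SubType SwitchName       MACAddress         ClientName
33554434            4       0 vSwitch0         00:50:56:a1:b2:c3  vmnic0
33554436            3       0 vSwitch0         00:50:56:6c:11:22  vmk0
50331658            5       9 vSwitch0         00:0c:29:aa:bb:cc  FortiGate-VM64.eth0
50331659            5       9 vSwitch1         00:0c:29:aa:bb:cd  FortiGate-VM64.eth1
50331660            5       9 vSwitch1         00:0c:29:dd:ee:ff  FortiGate-VM64-2.eth0
50331661            5       9 vSwitch1         00:0c:29:11:22:33  Ubuntu-Client.eth0'

# Print the switch port number of every vNIC of the named VM, one per line.
# Matches the VM name exactly, so "FortiGate-VM64" does not pick up
# "FortiGate-VM64-2" the way a plain grep would.
# $1 = VM name; stdin = net-stats -l output
find_switchports() {
    awk -v vm="$1" '$1 ~ /^[0-9]+$/ && $6 ~ ("^" vm "\\.eth[0-9]+$") { print $1 }'
}

# Print the --dir values needed to see both directions on this ESXi version:
# "2" (one capture) on 6.7 and later, "input output" (two concurrent captures)
# on 6.5 and earlier.
# $1 = ESXi version, e.g. 6.5.0 or 7.0.3
capture_dirs() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 7 ]; }; then
        echo 2
    else
        echo input output
    fi
}

# Start one pktcap-uw per vNIC and per required direction, all in the
# background, then wait. Ctrl-C (SIGINT) kills every capture so the pcap
# files are closed cleanly.
# $1 = VM name, $2 = output directory
capture_vm() {
    vm="$1"
    outdir="$2"
    ver=$(vmware -v | awk '{print $3}')
    ports=$(net-stats -l | find_switchports "$vm")
    if [ -z "$ports" ]; then
        echo "no switch port found for VM '$vm' (check the name with net-stats -l)" >&2
        return 1
    fi
    trap 'kill $(jobs -p) 2>/dev/null' INT TERM
    for port in $ports; do
        for dir in $(capture_dirs "$ver"); do
            file="$outdir/${vm}_port${port}_dir${dir}.pcap"
            echo "capturing switchport $port dir $dir -> $file (Ctrl-C to stop)" >&2
            pktcap-uw --switchport "$port" --dir "$dir" -o "$file" -c "$MAX_PKTS" &
        done
    done
    wait
}

# Usage on the host: sh capture_vm.sh <VM name> [<output dir>]
# Does nothing off-host, so the helper functions can be exercised elsewhere.
if [ -n "${1:-}" ] && command -v pktcap-uw >/dev/null 2>&1; then
    capture_vm "$1" "${2:-/tmp}"
fi
```

Write long captures to a datastore path under /vmfs/volumes/ rather than /tmp, which is RAM-backed on ESXi and small. The pcap contains whatever crossed the port, including any cleartext credentials, so copy it off with scp, delete it from the host afterwards, and disable SSH on the host again when the troubleshooting is done.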
