FortiGate
simonz_FTNT
Staff
Article Id 193718

Description

 

This article explains how to set a debug flow filter for IPv6 traffic.

Debug flow traces how the FortiGate handles a packet (interface lookup, policy match, routing, NAT, session creation), which makes it the first tool to reach for when IPv6 traffic is unexpectedly dropped or misrouted. This article shows the IPv6 variants of the filter and trace commands, followed by the IPv6 packet sniffer, session table and routing table commands that are normally used alongside them.
 
Scope
 
FortiGate.


Solution

 

CLI command to set a filter in debug flow:
 
diagnose debug flow filter6 <option> <value>
 
The options available are:
 
addr      IPv6 address
clear     Clear filter
daddr     Destination address
dport     Destination port
negate    Inverse IPv6 filter
port      Port number
proto     Protocol number
saddr     Source address
sport     Source port
vd        Index of virtual domain
 
Once the filters have been defined, the debug flow is started with:
 
diagnose debug flow trace start6 <number of trace lines displayed>
 
For example, to trace up to 999 lines of IPv6 traffic destined to 2001:4860:4860::8888, with the name of the kernel function that produced each line included in the output:
 
diagnose debug enable
diagnose debug flow filter6 clear
diagnose debug flow filter6 daddr 2001:4860:4860::8888
diagnose debug flow show function-name enable
diagnose debug flow trace start6 999
 
It should be noted that the number '6' in the commands (filter6, start6) denotes IPv6; the IPv4 equivalents are 'filter' and 'start'. Clearing the filter first matters because filters accumulate, and a stale filter left over from an earlier session silently hides the traffic being looked for. When finished, stop the trace with 'diagnose debug flow trace stop' and turn debug output off with 'diagnose debug disable', since debug output left running on a busy unit consumes CPU and floods the console.

 

The following command is used to capture the packets themselves (the debug flow shows how the packets are processed; the sniffer shows what was actually sent and received):

 

diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>
 
<interface>                       <----- 'any' or a particular interface such as wan1, port1, etc.
'<filter>'                        <----- Flexible logical filter for the sniffer, or 'none'. Examples: 'host 2001:4860:4860::8888', 'port 80', 'host 2001:4860:4860::8888 or port 443', 'host 2001:4860:4860::8888 and icmp6'. To print UDP 1812 traffic between xx::1 and either xx::2 or xx::3, use:
'udp and port 1812 and host xx::1 and ( xx::2 or xx::3 )'

 


 

<level> <----- Verbose level:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
 
Levels 3 and 6 print the complete Ethernet frame as a hex dump, which is the output needed when the capture is to be converted to a pcap file for analysis in Wireshark; levels 4 to 6 add the ingress/egress interface, which is what is usually wanted when sniffing on 'any'.

 

<count> <----- The number of packets to capture. If 0 or no value is defined, unlimited packets will be captured until ctrl+c is used to stop.

 

<tsformat> Format of timestamp.
a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
otherwise: relative to the start of sniffing, ss.ms

 

diagnose sniffer packet any 'host 2001::1' 6 0 l <frame size>
 
<frame size>  <----- Set the frame size that is printed before truncation. Defaults to the interface MTU. [Optional Field]

 

The frame size is the maximum number of bytes of each frame that is printed; anything beyond it is cut off (truncated). By default it matches the Maximum Transmission Unit (MTU) of the interface, the largest packet that can be transmitted on that interface without fragmentation. Raising it is useful on interfaces with jumbo frames; lowering it reduces the volume of output when only the headers are of interest. Note that a truncated frame converted to pcap will lack its trailing bytes, so checksums and payload decoding of those frames fail in Wireshark.
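As an added example (not part of this article or of Fortinet's tooling; Fortinet ships its own fgt2eth converter for this job), the Python script below turns verbose level 3 or 6 sniffer output into a pcap file and decodes the IPv6 header of each frame, verifying the ICMPv6 checksum and flagging frames that were cut short by the frame size rather than checksumming them against missing bytes. It assumes the hex-dump layout of one summary line per packet followed by '0x0010<tab> 0000 0010 3a40 ...<tab><ascii>' lines with 4-hex-digit groups separated by single spaces; the embedded capture is constructed for the example, not taken from a device, and the interface and address names in it are arbitrary.

```python
"""Convert FortiOS 'diagnose sniffer packet ... 3|6' output to pcap and decode IPv6.
Added example, not Fortinet code. SAMPLE is a constructed capture."""
import ipaddress
import re
import struct
from datetime import datetime

# Constructed sample: one ICMPv6 echo request, verbose level 6 (interface name shown).
SAMPLE = """interfaces=[any]
filters=[host 2001:db8::1 and icmp6]
0.457231 port1 in 2001:db8::1 -> 2001:db8::2: icmp6: echo request seq 1
0x0000\t 0011 2233 4455 6677 8899 aabb 86dd 6000\t.."3DUfw........
0x0010\t 0000 0010 3a40 2001 0db8 0000 0000 0000\t....:@. ........
0x0020\t 0000 0000 0001 2001 0db8 0000 0000 0000\t...... .........
0x0030\t 0000 0000 0002 8000 92a8 0001 0001 6162\t..............ab
0x0040\t 6364 6566 6768\tcdefgh
"""

HEX_LINE = re.compile(r"^0x[0-9a-fA-F]{4}[\t ]+([0-9a-fA-F]{4}(?: [0-9a-fA-F]{4})*)")
ABS_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")  # tsformat a / l
REL_TS = re.compile(r"^(\d+\.\d+)\s+(.*)$")                                   # relative ss.us
IFACE_DIR = re.compile(r"^(\S+)\s+(in|out)\s+(.*)$")                          # verbose 4-6 only


def _to_epoch(ts_text):
    """Relative stamps are kept; absolute ones are read as local time (right for
    tsformat 'l'; for 'a' the pcap times are shifted by the host's UTC offset)."""
    if "-" in ts_text:
        return datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S.%f").timestamp()
    return float(ts_text)


def parse_sniffer(text):
    """Return a list of {ts, iface, direction, summary, frame} dicts."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(("interfaces=", "filters=")):
            continue
        m = HEX_LINE.match(line)
        if m and cur is not None:                    # hex-dump line: append bytes to current frame
            cur["frame"] += bytes.fromhex(m.group(1).replace(" ", ""))
            continue
        m = ABS_TS.match(line) or REL_TS.match(line)  # otherwise expect a packet summary line
        if not m:
            continue
        ts_text, rest = m.groups()
        iface = direction = None
        d = IFACE_DIR.match(rest)
        if d:
            iface, direction, rest = d.groups()
        cur = {"ts": _to_epoch(ts_text), "iface": iface, "direction": direction,
               "summary": rest, "frame": b""}
        packets.append(cur)
    return packets


def _icmp6_checksum(src, dst, payload):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header 58)
    plus the ICMPv6 message with its own checksum field taken as zero."""
    data = (src + dst + struct.pack("!I", len(payload)) + b"\x00\x00\x00\x3a"
            + payload[:2] + b"\x00\x00" + payload[4:])
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_ipv6(frame):
    """Decode Ethernet/IPv6; frames cut short by the sniffer's frame size are
    reported as truncated. Returns None for non-IPv6 frames."""
    if len(frame) < 14 or frame[12:14] != b"\x86\xdd":
        return None
    ip = frame[14:]
    if len(ip) < 40:
        return {"truncated": True}
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip[4:8])
    src, dst = ipaddress.IPv6Address(ip[8:24]), ipaddress.IPv6Address(ip[24:40])
    payload = ip[40:40 + payload_len]
    info = {"src": str(src), "dst": str(dst), "next_header": next_hdr,
            "hop_limit": hop_limit, "payload_len": payload_len,
            "truncated": len(payload) < payload_len, "icmp6_checksum_ok": None}
    if next_hdr == 58 and not info["truncated"] and len(payload) >= 4:
        want = struct.unpack("!H", payload[2:4])[0]
        info["icmp6_checksum_ok"] = _icmp6_checksum(src.packed, dst.packed, payload) == want
    return info


def to_pcap(packets, snaplen=65535):
    """Classic pcap, link type 1 (Ethernet). The sniffer does not print the
    original length of a truncated frame, so orig_len equals the captured length."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for p in packets:
        sec = int(p["ts"])
        usec = int(round((p["ts"] - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p["frame"]), len(p["frame"])) + p["frame"]
    return out


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    for p in pkts:
        print(p["iface"], p["direction"], p["summary"], decode_ipv6(p["frame"]))
    with open("fortigate-sniffer.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
```

Paste the console output of a verbose 3 or 6 capture in place of SAMPLE (or read it from a file) and open the resulting pcap in Wireshark; frames reported as truncated were longer than the frame size in effect, so rerun the capture with a larger value if their payload matters.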


To check the session list for IPv6 traffic, use the commands below. For example, to look for ICMPv6 sessions from a given source address (ICMPv6 is protocol number 58; protocol 1 is ICMP for IPv4 and matches nothing in the IPv6 session table):

Commands:

diagnose sys session6 filter src <IPv6 address>

diagnose sys session6 filter proto 58

diagnose sys session6 list

 

Where <IPv6 address> can be, for example, 2001:4860:4860::8888. Session filters accumulate until 'diagnose sys session6 filter clear' is issued, so clear them before starting a new query.

 

To get specific outputs after entering the required filters, the following subcommands can be used:

 

diagnose sys session6
sync          List session6 sync.
list          List IPv6 session.
clear         Clear IPv6 sessions defined by filter.
stat          Stat session.
full-stat     Fully stat session.
exp-stat      Expectation session statistics.
filter        List IPv6 session with filters.
help          IPv6 session help.

Note that 'clear' deletes the matching sessions from the session table; with no filter set it removes every IPv6 session, which interrupts live traffic.



To check the routing table for a particular IPv6 address or prefix, use:

 

get router info6 routing-table <X:X::X:X/M>

 

Other routing table entries, for a specific protocol or VRF, can be listed with the following syntax:
 

get router info6 routing-table 

<X:X::X:X/M>   destination IPv6 address or prefix
vrf            show IPv6 routing table entries for a single VRF
rip            show rip routing table entries
ospf           show ospf routing table entries
bgp            show bgp routing table entries
static         show static routing table entries
connected      show connected routing table entries
isis           show isis routing table entries
database       show routing information base

 

Related documents:

Debugging the packet flow - FortiGate administration guide

Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets