FortiGate
sjoshi (Staff)
Article Id 385409
Description

This article explains why the 'diagnose sniffer packet any' command may display an incorrect destination MAC address, such as 00:00:00:00:00:00, instead of the next hop MAC address.

Scope

FortiGate.

Solution

To identify whether traffic is reaching the next hop, a packet capture can be taken to examine the destination MAC address as traffic exits the FortiGate.

Run the following capture:

diagnose sniffer packet any 'host 8.8.8.8 and icmp' 6 0 l

The output displays 00:00:00:00:00:00 in the destination MAC address field instead of the next hop MAC address.

[Screenshot 1: verbose sniffer output on interface 'any' showing destination MAC 00:00:00:00:00:00]

Here the traffic leaves FortiGate port1 towards the destination 8.8.8.8, but the destination MAC address field does not show the next hop device.

For a specific interface, such as ethx or a VLAN interface, libpcap provides both the source and the destination MAC address.

However, when capturing on the 'any' pseudo-interface, libpcap cannot display the real MAC addresses: the Ethernet header is replaced by the SLL (Linux cooked-mode capture) header, which occupies the same position in the captured frame and carries only a single link-layer address field, so no destination MAC is available for further processing.

As a result, monitoring tools that rely on libpcap, including the sniffer and tcpmon, are unable to display MAC addresses unless a specific interface is defined: https://wiki.wireshark.org/SLL
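To make the difference concrete, here is an added Python example (not Fortinet code) that parses a constructed Ethernet frame and the same ICMP packet to 8.8.8.8 wrapped in an SLL header, the way the 'any' device delivers it; the MAC addresses and the echo request are constructed sample values.

```python
import struct

ARPHRD_ETHER = 1          # SLL "ARPHRD_ type" value used for Ethernet devices
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame):
    """Ethernet II header (14 bytes): dst MAC (6) | src MAC (6) | EtherType (2)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}

def parse_sll(frame):
    """Linux cooked capture (SLL) header (16 bytes), what the 'any' device delivers:
    packet type (2) | ARPHRD_ type (2) | address length (2) | address (8) | protocol (2).
    Only ONE link-layer address (the sender's) is carried; there is no destination
    MAC field, so a tool has nothing to print for it."""
    pkt_type, arphrd, addr_len, addr, proto = struct.unpack("!HHH8sH", frame[:16])
    sender = mac_str(addr[:addr_len]) if arphrd == ARPHRD_ETHER and addr_len == 6 else None
    return {"dst_mac": None, "src_mac": sender, "packet_type": pkt_type,
            "ethertype": proto, "payload": frame[16:]}

def ipv4_summary(packet):
    """Return (src, dst, protocol number) from an IPv4 header."""
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[9]

# Constructed sample: ICMP echo request 192.0.2.10 -> 8.8.8.8 (20-byte IP header + 8-byte ICMP).
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, IPPROTO_ICMP, 0,
                     bytes([192, 0, 2, 10]), bytes([8, 8, 8, 8]))
PAYLOAD = IP_HDR + struct.pack("!BBHHH", 8, 0, 0, 1, 1)
FGT_MAC = bytes.fromhex("00090f010203")      # constructed FortiGate port1 MAC
NEXTHOP_MAC = bytes.fromhex("001122334455")  # constructed next-hop router MAC

# What 'diagnose sniffer packet port1 ...' sees: a real Ethernet frame with both MACs.
ETH_FRAME = NEXTHOP_MAC + FGT_MAC + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD
# What 'diagnose sniffer packet any ...' sees: the same packet behind an SLL header
# (packet type 4 = sent by this host; only the sender's own MAC is carried).
SLL_FRAME = struct.pack("!HHH8sH", 4, ARPHRD_ETHER, 6, FGT_MAC.ljust(8, b"\x00"),
                        ETHERTYPE_IPV4) + PAYLOAD

if __name__ == "__main__":
    for name, parsed in (("port1", parse_ethernet(ETH_FRAME)), ("any", parse_sll(SLL_FRAME))):
        print(name, "dst MAC:", parsed["dst_mac"] or "not present in SLL header",
              "src MAC:", parsed["src_mac"], ipv4_summary(parsed["payload"]))
```

The SLL parse returns no destination MAC at all; a sniffer that always prints a destination field can only fill it with zeros, which is exactly what the 'any' capture above shows.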

Run the same sniffer again, this time specifying the interface port1:

diagnose sniffer packet port1 'host 8.8.8.8 and icmp' 6 0 l

[Screenshot 2: verbose sniffer output on interface port1 showing the next hop destination MAC]

The destination MAC address of the next hop is now clearly visible.