FortiGate
simonz_FTNT
Staff
Article Id 193300

Description

 
This article explains that FortiGate's built-in packet sniffer uses the same libpcap library files as tcpdump on a Linux platform. Earlier FortiOS versions used a default buffer of 2 MB; in FortiOS 5.6.7 and later, the packet sniffer buffer is increased to 16 MB. This buffer is not a limit on the total number of packets captured; rather, it limits the capture rate.

When performing a packet capture where the volume of matched packets is high, the packet filter buffer can overflow. As a result, some packets matching the filter are not displayed in the output.
 
diagnose sniffer packet any 'port 443' 6 0 l

This uses verbosity level 6 to perform a full packet capture.
 
After pressing 'CTRL'+ 'C' to end the packet capture via CLI, the following output can be seen indicating the packet capture buffer overflow:

[Screenshot: CLI output after CTRL+C, showing the 'packets dropped by kernel' counter]

The message 'packets dropped by kernel' indicates that packets matching the filter are missing from the output; it does not mean that the firewall itself dropped those packets.
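To check a saved CLI session for this condition, the following added Python example (not part of the Fortinet article) reads the sniffer's closing summary lines and reports what share of filter-matching packets never reached the output. The sample session text and its counters are constructed for the example, and the assumption that the FortiGate sniffer prints the two tcpdump-style summary lines ('packets received by filter' / 'packets dropped by kernel') is mine.

```python
import re

# Constructed sample of the tail of a FortiGate CLI sniffer session as it looks
# after CTRL+C. The packet lines and counts are invented for this example; the
# two summary lines are assumed to follow the libpcap/tcpdump convention that
# the article says the FortiGate sniffer shares.
SAMPLE_LOSSY = """\
3.456789 port1 in 10.0.0.5.51234 -> 203.0.113.10.443: syn 123456789
3.456901 port1 out 10.0.0.5.51234 -> 203.0.113.10.443: syn 123456789
3.457120 port1 in 203.0.113.10.443 -> 10.0.0.5.51234: syn 987654321 ack 123456790

15327 packets received by filter
4102 packets dropped by kernel
"""

# Constructed sample of a capture whose matched traffic fit in the buffer.
SAMPLE_CLEAN = """\
0.001122 port1 in 10.0.0.5.51234 -> 203.0.113.10.443: syn 123456789

312 packets received by filter
0 packets dropped by kernel
"""

RECEIVED_RE = re.compile(r"^\s*(\d+) packets received by filter\s*$", re.MULTILINE)
DROPPED_RE = re.compile(r"^\s*(\d+) packets dropped by kernel\s*$", re.MULTILINE)


def parse_sniffer_summary(text):
    """Return (received, dropped) from the two closing summary lines.

    Raises ValueError when the summary is missing, e.g. the session log was
    cut before CTRL+C was pressed, so the counters were never printed.
    """
    recv = RECEIVED_RE.search(text)
    drop = DROPPED_RE.search(text)
    if recv is None or drop is None:
        raise ValueError("sniffer summary lines not found in output")
    return int(recv.group(1)), int(drop.group(1))


def capture_loss_ratio(text):
    """Fraction of filter-matching packets that never made it into the output.

    Assumes, as with libpcap on Linux, that 'received by filter' counts every
    matching packet including those later dropped for lack of buffer space,
    so dropped / received is the share missing from the capture.
    """
    received, dropped = parse_sniffer_summary(text)
    if received == 0:
        return 0.0
    return dropped / received


def assess_capture(text):
    """Summarise whether the capture can be trusted as complete.

    Returns a dict with the raw counters, the loss ratio and a 'complete'
    flag. A non-zero drop count means the filter matched more traffic than the
    sniffer buffer could hold; the remedy is a narrower filter or a lower
    verbosity level, not a change on the firewall's data path.
    """
    received, dropped = parse_sniffer_summary(text)
    return {
        "received": received,
        "dropped": dropped,
        "loss_ratio": capture_loss_ratio(text),
        "complete": dropped == 0,
    }


if __name__ == "__main__":
    for name, sample in (("lossy", SAMPLE_LOSSY), ("clean", SAMPLE_CLEAN)):
        result = assess_capture(sample)
        print(f"{name}: {result['dropped']}/{result['received']} dropped "
              f"({result['loss_ratio']:.1%}), complete={result['complete']}")
```

Paste the end of a CLI session into `SAMPLE_LOSSY` (or read it from a file) and run the script; a non-zero 'dropped' count is the cue to tighten the filter or lower the verbosity and capture again, since the missing packets cannot be recovered from the existing output.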
 
Scope
 
FortiGate.


Solution

 
Mitigate the issue by filtering for the specific traffic of interest or by reducing the sniffer verbosity level. The buffer limit is not the only cause of packets missing from the sniffer output.

When performing a packet capture, ensure hardware offload is disabled on a test firewall policy configured to match the traffic of interest. See 'Disabling NP offloading for firewall policies' in the Hardware Acceleration Guide.

For examples of filters using CLI, see 'Performing a sniffer trace or packet capture'.

For firmware versions v7.2 and later, GUI packet capture is located under Network -> Diagnostics -> Select 'New Packet Capture'.
 
[Screenshot: GUI packet capture tool in FortiOS 7.4.6]

For firmware versions v6 and v7.0, GUI packet capture is located under Network -> Packet Capture.

For firmware versions 5.0 to 5.2, GUI packet capture is located under System -> Network -> Packet Capture.

[Screenshot: Packet Capture page under System -> Network]

For firmware version 4.3, use the option located under System -> Config -> Advanced.

[Screenshot: packet capture option under System -> Config -> Advanced]

Reducing the verbosity level of the packet capture can limit the number of missing packets, but it captures less information per packet.
 
diagnose sniffer packet <interface> '<filter>' <verbosity>
 
Verbosity levels in detail:
 
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

 

Related articles:

Troubleshooting Tool: Using the FortiOS built-in packet sniffer

How to create a packet capture using the built-in GUI tool