ppatel
Staff & Editor
Article Id 198425

Description
This article describes how to run a packet capture or sniffer on a PPPoE interface.

 
# config system interface
    edit "dynamic"
        set vdom "root"
        set mode pppoe
        set distance 10
        set allowaccess ping
        set role wan
        set snmp-index 26
        set username "fortinet"
        set password ENC
        set dns-server-override disable
        set interface "wan1"
        set vlanid 178
    next
end

Solution
Once the PPPoE session is established, a dynamic 'ppp' interface (ppp0, ppp1, ppp2, etc.) is created, which is visible only from the CLI.
The parent interface ('dynamic' in this example) can be used in firewall policies, firewall addresses, VIPs, policy routes, etc.
The parent interface 'dynamic' has no IP address assigned.
 
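In the GUI, no packets are counted on the parent interface 'dynamic'.
The only way to capture packets for the PPPoE connection is from the CLI with the built-in sniffer, run against the ppp interface (ppp1 in this example, as listed in the routing table):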
 
FortiGate-201E # get ro info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info
 
Routing table for VRF=0
S    *> 0.0.0.0/0 [10/0] via 10.109.31.254, wan1
     *>           [10/0] via 10.109.253.254, ppp1
 
FortiGate-201E # diag sniffer packet ppp1 "icmp" 4 0 a
interfaces=[ppp1]
filters=[icmp]
2021-10-04 15:36:32.921214 ppp1 in 172.26.61.30 -> 10.109.253.37: icmp: echo request
2021-10-04 15:36:32.921243 ppp1 out 10.109.253.37 -> 172.26.61.30: icmp: echo reply
2021-10-04 15:36:33.932057 ppp1 in 172.26.61.30 -> 10.109.253.37: icmp: echo request
2021-10-04 15:36:33.932071 ppp1 out 10.109.253.37 -> 172.26.61.30: icmp: echo reply
 
To view the packets in Wireshark, run the sniffer with verbose level 6 and use a conversion tool to turn the output into a pcap file.
 
FortiGate-201E # diag sniffer packet ppp1 "icmp" 6 0 a
interfaces=[ppp1]
filters=[icmp]
2021-10-04 15:37:46.141505 ppp1 in 172.26.61.30 -> 10.109.253.37: icmp: echo request
0x0000   0000 0000 0001 0000 0000 0000 0800 4500        ..............E.
0x0010   003c c3d4 0000 7c01 8a21 ac1a 3d1e 0a6d        .<....|..!..=..m
0x0020   fd25 0800 4d1b 0001 0040 6162 6364 6566        .%..M....@abcdef
0x0030   6768 696a 6b6c 6d6e 6f70 7172 7374 7576        ghijklmnopqrstuv
0x0040   7761 6263 6465 6667 6869                       wabcdefghi
 
2021-10-04 15:37:46.141530 ppp1 out 10.109.253.37 -> 172.26.61.30: icmp: echo reply
0x0000   0000 0000 0000 0000 0000 0000 0800 4500        ..............E.
0x0010   003c 625b 0000 ff01 689a 0a6d fd25 ac1a        .<b[....h..m.%..
0x0020   3d1e 0000 551b 0001 0040 6162 6364 6566        =...U....@abcdef
0x0030   6768 696a 6b6c 6d6e 6f70 7172 7374 7576        ghijklmnopqrstuv
0x0040   7761 6263 6465 6667 6869                       wabcdefghi
 
Consult the related articles for how to convert the sniffer output into a pcap file that can be opened in Wireshark.
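The conversion step, as an added example (not Fortinet's own conversion tool and not part of the original article): a short Python parser that turns verbose 6 output into pcap bytes. The function names are hypothetical and timestamps are assumed to be UTC; because each frame in the ppp1 dump above starts with a 14-byte placeholder Ethernet header (ethertype 0800), the file is written with the Ethernet link type.

```python
import re
import struct
from datetime import datetime, timezone

# Sample input: the first packet of the verbose 6 capture shown in this article.
SAMPLE = """\
2021-10-04 15:37:46.141505 ppp1 in 172.26.61.30 -> 10.109.253.37: icmp: echo request
0x0000   0000 0000 0001 0000 0000 0000 0800 4500        ..............E.
0x0010   003c c3d4 0000 7c01 8a21 ac1a 3d1e 0a6d        .<....|..!..=..m
0x0020   fd25 0800 4d1b 0001 0040 6162 6364 6566        .%..M....@abcdef
0x0030   6768 696a 6b6c 6d6e 6f70 7172 7374 7576        ghijklmnopqrstuv
0x0040   7761 6263 6465 6667 6869                       wabcdefghi
"""

# Packet summary line: absolute timestamp with microseconds ('a' option).
HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.(\d{6}) ")
# Hex line: offset, then hex groups separated by single spaces. The ASCII
# column follows after a wider gap, so it is never mistaken for hex.
HEXLINE = re.compile(r"^0x[0-9a-f]{4}\s+((?:(?:[0-9a-f]{4}|[0-9a-f]{2}) ?)+)")

def parse_sniffer(text):
    """Return a list of (epoch_seconds, microseconds, frame_bytes)."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            ts = ts.replace(tzinfo=timezone.utc)  # assumption: sniffer time is UTC
            current = [int(ts.timestamp()), int(m.group(2)), bytearray()]
            packets.append(current)
            continue
        m = HEXLINE.match(line)
        if m and current is not None:
            current[2] += bytes.fromhex(m.group(1).replace(" ", ""))
    # Drop summary lines that had no hex dump (e.g. verbose 4 output).
    return [(s, us, bytes(b)) for s, us, b in packets if b]

def to_pcap(packets, linktype=1):
    """Build a classic little-endian pcap; linktype 1 is Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    with open("ppp1.pcap", "wb") as fh:  # hypothetical output file name
        fh.write(to_pcap(parse_sniffer(SAMPLE)))
```

Save the CLI session log to a text file and pass its contents to `parse_sniffer` in place of `SAMPLE`.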
 

 

Related Articles

Technical Tip: Troubleshooting IPsec VPN tunnel errors with large size packets

Technical Tip: How to import 'diagnose sniffer packet' data to WireShark