Article Id 198313



This article describes the built-in sniffer tool, which can be used to see the traffic traversing the different interfaces of a FortiGate.



The following command is used to trace packets.


diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>
<interface>     <----- Can be 'any' or a particular interface such as wan1, port1, etc.
'<filter>'      <----- Can be 'host', 'port 80', 'host or port 80', 'host and port 80', etc.
<level>         <----- Verbosity level; level 4, used in the examples below, prints the packet headers together with the interface name.
<count>         <----- The number of packets to capture. If 0 or no value is given, packets are captured until Ctrl+C is pressed.
<tsformat>      <----- 'a' for absolute UTC time; otherwise timestamps are relative to the start of sniffing.

Consider two hosts connected to two different FortiGates.

Host 1 --- [port2] FortiGate 1 [port1]
Host 2 --- [port2] FortiGate 2 [port1]

This example shows a ping test from host 1 to host 2. Consider two scenarios:

(i) Host reachable
(ii) Host unreachable

Case 1: Host Reachable.

First, a ping from host 1 to host 2 is performed. The ICMP echo request is received on port1 of FortiGate 2 and forwarded out of port2. The ICMP echo reply from host 2 is received on port2 and forwarded out of port1.
Because port1 received the ICMP echo request, the reply is sent out through the same port1.

The following sniffer output was taken on FortiGate 2.
diagnose sniffer packet any "host and host" 4
filters=[host and host]
2.429703 port1 in -> icmp: echo request           <----- Port 1 receives the request from FortiGate 1.
2.429798 port2 out -> icmp: echo request          <----- Port 2 sends out the request to host 2.
2.430238 port2 in -> icmp: echo reply             <----- Port 2 receives the reply from host 2.
2.430277 port1 out -> icmp: echo reply            <----- Port 1 replies back to FortiGate 1.

Case 2: Host Unreachable.

Now host 1 pings a host that is unreachable. Port 1 on FortiGate 2 receives the ICMP echo request and forwards it out of port 2 but receives no response. Port 1 then replies to host 1 that the host is unreachable.

diagnose sniffer packet any "host and icmp" 4
2.835286 port1 in -> icmp: echo request                  <----- Port 1 receives the request from FortiGate 1.
2.835400 port2 out arp who-has tell                        <----- FortiGate 2 sends an ARP request on port2 because it wants to forward the packet but does not know the MAC address of the destination host.
No 'port2 in' packet is received, since the host is unreachable.
8.142688 port1 out -> icmp: host unreachable               <----- Port1 replies back to FortiGate 1 that the host is unreachable.
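To compare the two traces above mechanically, here is an added Python example (not from the article or from Fortinet) that parses level-4 sniffer output and reads it the way the article does, returning the per-interface path and a reachability verdict. The 'src -> dst:' layout of the packet summary and the RFC 5737 sample addresses in the embedded captures are assumptions, not taken from the article.

```python
import re
# One packet line of 'diagnose sniffer packet <iface> "<filter>" 4': relative timestamp, interface,
# in/out, then the decoded summary. The "src -> dst:" summary layout is assumed, not quoted from the article.
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<summary>.+)$")

# Markers looked for in the summary, in this order, and the event name each maps to.
EVENTS = [("echo request", "echo request"), ("echo reply", "echo reply"),
          ("unreachable", "host unreachable"), ("arp who-has", "arp request")]

def parse_sniffer(text):
    """Parse sniffer lines into dicts; header lines such as 'filters=[...]' are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["ts"] = float(pkt["ts"])
            pkt["event"] = next((name for marker, name in EVENTS if marker in pkt["summary"]), "other")
            packets.append(pkt)
    return packets

def trace(packets):
    """(interface, direction, event) in capture order: the packet's path through the firewall."""
    return [(p["iface"], p["dir"], p["event"]) for p in packets]

def ping_verdict(packets):
    """Read the trace the way the article does for a single ping."""
    events = {p["event"] for p in packets}
    if "echo reply" in events:
        return "reachable"
    if "host unreachable" in events:
        return "unreachable"
    if "arp request" in events:
        return "waiting for ARP"  # next hop not resolved and no reply seen yet
    return "no response"

# Constructed captures using RFC 5737 documentation addresses, not the article's hosts.
REACHABLE = """filters=[host 192.0.2.10 and host 198.51.100.20]
2.429703 port1 in 192.0.2.10 -> 198.51.100.20: icmp: echo request
2.429798 port2 out 192.0.2.10 -> 198.51.100.20: icmp: echo request
2.430238 port2 in 198.51.100.20 -> 192.0.2.10: icmp: echo reply
2.430277 port1 out 198.51.100.20 -> 192.0.2.10: icmp: echo reply
"""
UNREACHABLE = """2.835286 port1 in 192.0.2.10 -> 198.51.100.99: icmp: echo request
2.835400 port2 out arp who-has 198.51.100.99 tell 198.51.100.1
8.142688 port1 out 198.51.100.1 -> 192.0.2.10: icmp: host 198.51.100.99 unreachable
"""

if __name__ == "__main__":
    print(ping_verdict(parse_sniffer(UNREACHABLE)), trace(parse_sniffer(UNREACHABLE)))
```

Feed it a saved sniffer session and a missing 'port2 in' entry followed by 'host unreachable' on port1 shows up directly in the trace, exactly as in Case 2.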