| Description | This article provides some useful filters for the built-in packet sniffer. |
| Scope | FortiGate. |
| Solution | |
The built-in FortiOS packet sniffer captures network packets as they enter (ingress) and leave (egress) the FortiGate. Because the capture happens on both sides of the unit, a forwarded packet captured on the 'any' interface appears twice, once inbound on the receiving interface and once outbound on the sending interface; when NAT applies, the outbound copy shows the translated addresses, so a 'host' filter on an internal address only matches the inbound copy.
The following command is used to trace packets from the CLI:
diagnose sniffer packet <interface> <'filter'> <verbose> <count> <time>
<interface> <----- The interface to capture on: 'any' for all interfaces, or a specific port name such as 'port1'.
<'filter'> <----- What to look for in the traffic the sniffer reads, in single quotes, e.g. 'host 8.8.8.8'. The syntax is tcpdump-like (host, net, port, tcp, udp, icmp, and, or, not).
<verbose> <----- Level from 1 to 6: 1 prints packet headers only, 2 headers and IP data, 3 headers and Ethernet data; 4, 5 and 6 print the same as 1, 2 and 3 but add the interface name and direction (in/out), which is why the examples below use 4.
<count> <----- The number of packets to capture before stopping. If omitted, the sniffer runs until it is stopped with Ctrl+C.
<time> <----- Timestamp format: (a) absolute UTC time, (l) local time of the FortiGate. If omitted, timestamps are seconds relative to the start of the capture.
For example:
diagnose sniffer packet any 'host 8.8.8.8' 4
Below are two filter keywords that are useful while sniffing packets:
1. not (!) <----- Exclude a protocol, or any other filter term, from the capture.
2. net <----- Capture traffic to or from an entire subnet.
To exclude a specific protocol, negate it with not (or its shorthand !): 'host 8.8.8.8 and !icmp' and 'host 8.8.8.8 and not icmp' select the same packets.
Here are some examples:
diagnose sniffer packet any 'host 8.8.8.8 and !icmp' 4 <----- Omits all ICMP traffic.
diagnose sniffer packet any 'host 8.8.8.8 and !tcp' 4 <----- Omits all TCP traffic.
diagnose sniffer packet any 'host 8.8.8.8 and !udp' 4 <----- Omits all UDP traffic.
Secondly, the net keyword captures traffic for a whole subnet: give the network address with its prefix length, and every packet whose source or destination address falls inside that prefix is shown.
Here is the command:
diagnose sniffer packet any 'net 172.31.133.0/24' 4
To stop the sniffer, press Ctrl+C; if no packet count was given, it otherwise runs until stopped. On a busy unit, keep the filter narrow: a broad capture on 'any' costs CPU and scrolls too fast to read, so combine host or net with a protocol or port term whenever possible.
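To make the filter semantics concrete, the following Python script is an added example that is not part of the original article and not FortiOS code. It re-implements the subset of the sniffer's filter grammar used above (host, net, port, tcp/udp/icmp, not or !, and, or, parentheses) and applies it to a constructed set of lines written in the style of verbose-4 output (relative timestamp, interface, direction, source -> destination, protocol information). The line format, the sample packets and the addresses in them are assumptions made for illustration; the script shows which packets each filter keeps, including the NAT case where the same flow appears with different addresses inbound and outbound.

```python
import ipaddress
import re

# Constructed sample in the style of `diagnose sniffer packet any '...' 4`
# output (relative timestamp, interface, direction, src -> dst, protocol info).
# These lines are made up for this example; they are not a real capture.
SAMPLE_CAPTURE = """\
1.001234 port1 in 192.168.1.10.52102 -> 8.8.8.8.53: udp 40
1.001301 wan1 out 203.0.113.5.52102 -> 8.8.8.8.53: udp 40
1.002500 port1 in 192.168.1.10 -> 8.8.8.8: icmp: echo request
1.002600 wan1 in 8.8.8.8 -> 203.0.113.5: icmp: echo reply
1.004000 port1 in 192.168.1.10.49152 -> 8.8.8.8.443: syn 123456
1.005000 port1 in 172.31.133.7.40000 -> 10.0.0.1.22: syn 7
1.006000 port1 out 10.0.0.1.22 -> 172.31.133.7.40000: syn 8 ack 8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
                     r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.*)$")
TCP_FLAGS = ("syn", "ack", "psh", "fin", "rst", "seq")

def _split_endpoint(ep):
    """'10.0.0.1.22' -> ('10.0.0.1', 22); '10.0.0.1' -> ('10.0.0.1', None). IPv4 only."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None

def parse_line(line):
    """Parse one verbose-4 style line into a dict, or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    first = m["rest"].split()[0].rstrip(":")  # 'udp', 'icmp' or a TCP flag such as 'syn'
    proto = "tcp" if first in TCP_FLAGS else first if first in ("udp", "icmp") else "other"
    return {"iface": m["iface"], "dir": m["dir"], "src": src, "dst": dst,
            "sport": sport, "dport": dport, "proto": proto}

def matches(pkt, filt):
    """Evaluate a filter (host/net/port/tcp/udp/icmp, not or !, and, or,
    parentheses) against a parsed packet; 'and' binds tighter than 'or'."""
    toks = re.findall(r"\(|\)|!|[^\s()!]+", filt)  # '!icmp' -> ['!', 'icmp']
    pos = 0
    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of filter")
        pos += 1
        return toks[pos - 1]
    def primary():
        tok = take()
        if tok == "(":
            val = expr_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in filter")
            return val
        if tok == "host":  # matches either source or destination address
            return take() in (pkt["src"], pkt["dst"])
        if tok == "net":   # matches if either address is inside the prefix
            net = ipaddress.ip_network(take(), strict=False)
            return any(ipaddress.ip_address(a) in net for a in (pkt["src"], pkt["dst"]))
        if tok == "port":
            return int(take()) in (pkt["sport"], pkt["dport"])
        if tok in ("tcp", "udp", "icmp"):
            return pkt["proto"] == tok
        raise ValueError(f"unsupported filter token: {tok}")
    def unary():
        if pos < len(toks) and toks[pos] in ("not", "!"):
            take()
            return not unary()
        return primary()
    def expr_and():
        val = unary()
        while pos < len(toks) and toks[pos] == "and":
            take()
            rhs = unary()  # always consume the right operand, no short-circuit
            val = val and rhs
        return val
    def expr_or():
        val = expr_and()
        while pos < len(toks) and toks[pos] == "or":
            take()
            rhs = expr_and()
            val = val or rhs
        return val
    result = expr_or()
    if pos != len(toks):
        raise ValueError("trailing tokens in filter")
    return result

def apply_filter(capture_text, filt):
    """Return the capture lines that the given filter keeps."""
    return [line for line in capture_text.splitlines()
            if (pkt := parse_line(line)) and matches(pkt, filt)]

if __name__ == "__main__":
    for f in ("host 8.8.8.8 and !icmp", "net 172.31.133.0/24"):
        print(f"--- filter: {f}")
        print("\n".join(apply_filter(SAMPLE_CAPTURE, f)))
```

Running the script prints the three non-ICMP lines for 'host 8.8.8.8 and !icmp' and the two SSH lines for 'net 172.31.133.0/24'. Note that 'host 192.168.1.10' would keep only the inbound copies of the first flows, because the outbound copies on wan1 carry the translated address 203.0.113.5, which is the same thing that happens on a real FortiGate behind source NAT.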
Copyright 2025 Fortinet, Inc. All Rights Reserved.