Babitha_M
Staff
Article Id 258212
Description: This article provides some useful filters that can be used with the built-in packet sniffer.
Scope: FortiGate.
Solution:

The purpose of the built-in FortiOS packet sniffer is to capture network packets as they are entering (ingressing) and leaving (egressing) FortiGate:

  • To confirm actual flow of packets.
  • Detect packet loss.
  • Verify if the reported issue is caused by FortiGate (check whether FortiGate received the request from the client and the response from the server).
  • Inspect protocol headers and payload.
  • Great for studying purposes too.

Packet captures on FortiOS can be obtained in multiple ways, each with its advantages and limitations:

  • CLI via SSH/console.
  • GUI packet capture.
  • Policy-based packet capture.
  • IPS packet logging.

 

The following command is used to trace packets via the CLI:

diagnose sniffer packet <interface> <'filter'> <verbose> <count> <time>

<interface> <----- The interface to sniff: 'any' or a specific port.
<'filter'>  <----- What to look for in the traffic the sniffer reads, e.g. 'host 8.8.8.8'.
<verbose>   <----- Verbosity level, from 1 to 6.
<count>     <----- The total number of packets the sniffer captures before halting.
<time>      <----- Timestamp format: (a) absolute UTC time, (l) local time of the FortiGate.

 

For example:

diagnose sniffer packet any 'host 8.8.8.8' 4

 

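As an added example (not part of the original article), the script below parses verbose-level-4 sniffer output to carry out the checks listed above: count packets per interface and direction to confirm the flow, then check whether the requests that entered the FortiGate also left it and whether the replies came back. The sample lines are constructed, and the line layout `<time> <interface> <in|out> <src> -> <dst>: <summary>` and the interface names port1/port2 are assumptions.

```python
import re
from collections import Counter

# Constructed sample of `diagnose sniffer packet any 'host 8.8.8.8' 4` output (assumed
# verbose-4 layout: <time> <iface> <in|out> <src> -> <dst>: <summary>); port1 is LAN, port2 is WAN.
SAMPLE = """\
interfaces=[any]
filters=[host 8.8.8.8]
2.398987 port1 in 192.168.1.100 -> 8.8.8.8: icmp: echo request
2.399118 port2 out 10.0.0.2 -> 8.8.8.8: icmp: echo request
2.410333 port2 in 8.8.8.8 -> 10.0.0.2: icmp: echo reply
2.410400 port1 out 8.8.8.8 -> 192.168.1.100: icmp: echo reply
3.400101 port1 in 192.168.1.100 -> 8.8.8.8: icmp: echo request
4.401202 port1 in 192.168.1.100 -> 8.8.8.8: icmp: echo request
4.401300 port2 out 10.0.0.2 -> 8.8.8.8: icmp: echo request
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
                     r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<summary>.*)$")


def parse_sniffer(text):
    """One dict per packet line; header lines such as interfaces=[any] are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def direction_counts(pkts):
    """Packets per (interface, direction), e.g. ('port1', 'in'): confirms the flow."""
    return Counter((p["iface"], p["dir"]) for p in pkts)


def flow_check(pkts, lan_if, wan_if, req="echo request", rep="echo reply"):
    """Did requests entering lan_if leave on wan_if, and did replies come back?
    A request seen 'in' but never 'out' was dropped by the FortiGate or offloaded
    to an NP (offloaded packets are invisible to the sniffer, see the Note)."""
    def count(iface, direction, text):
        return sum(p["iface"] == iface and p["dir"] == direction and text in p["summary"]
                   for p in pkts)
    req_in, req_out = count(lan_if, "in", req), count(wan_if, "out", req)
    rep_in, rep_out = count(wan_if, "in", rep), count(lan_if, "out", rep)
    return {"requests_received": req_in, "requests_forwarded": req_out,
            "requests_not_forwarded": req_in - req_out,
            "replies_received": rep_in, "replies_forwarded": rep_out,
            "requests_unanswered_upstream": req_out - rep_in}


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    print(direction_counts(pkts))
    print(flow_check(pkts, lan_if="port1", wan_if="port2"))
```

On the constructed sample, one request arrives on port1 but never leaves on port2, and one forwarded request gets no reply from upstream; with real output, replace SAMPLE with the pasted sniffer text and the LAN/WAN interface names with your own.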

 

Below are two filters that are useful while sniffing packets:

1. not (!) <----- To exclude a protocol.
2. net     <----- To capture a whole subnet.

To exclude a specific protocol, use the not (!) operator in the filter.

 

Here are some examples:

diagnose sniffer packet any 'host 8.8.8.8 and !icmp' 4 <----- This will omit all ICMP traffic.
diagnose sniffer packet any 'host 8.8.8.8 and !tcp' 4 <----- This will omit all TCP traffic.
diagnose sniffer packet any 'host 8.8.8.8 and !udp' 4 <----- This will omit all UDP traffic.

 


 

Secondly, it is possible to capture traffic for a whole subnet with the net filter.

Here is the command:

diagnose sniffer packet any 'net 172.31.133.0/24' 4

 


To stop the sniffer, press Ctrl+C; otherwise, the sniffer will continue running indefinitely.

 

Note:

Temporarily disable offloading on the firewall policy (and/or the IPsec phase 1) that allows the traffic, so that the packet sniffer captures all of the data. This is important because offloaded traffic cannot be picked up by the packet sniffer command, so offloading must be disabled temporarily while troubleshooting with the sniffer. Reference link to disable offloading: Checking that traffic is offloaded by NP processors

 

Related article:

Technical Tip: Packet capture (sniffer)