FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
salemneaz
Staff
Article Id 396405
Description This article describes the Wireshark Display filters that can be applied to a PCAP file for analysis.
Scope FortiOS.
Solution

The packet capture can be taken from the FortiGate CLI or the GUI. For the CLI, an SSH session (for example with PuTTY) is preferred, because the session output can be logged to a file and then converted into a PCAP file for Wireshark.

To collect the capture from the FortiGate CLI, use the command given below:

diagnose sniffer packet any 'host 192.168.x.x' 6 0 l

Here 'any' captures on all interfaces, the quoted string is the capture filter (tcpdump syntax), 6 is the verbosity level that prints the full packet payload together with the interface name (the level needed to convert the output into a PCAP), 0 means no packet count limit (stop the capture with Ctrl-C), and l adds absolute local timestamps.

More details about using the built-in packet sniffer tool are given in this article: Troubleshooting Tip: Using the FortiOS built-in packet sniffer for capturing packets.

To apply a filter for a specific IP address (ip.addr matches the address as either source or destination):

ip.addr == 192.168.x.x

1.png

To filter traffic between a specific source and destination network (ip.src and ip.dst accept CIDR notation; drop the /24 to match a single host, and 'and' can also be written as '&&'):

ip.src == 192.168.x.x/24 and ip.dst == 209.87.x.x/24

2.png

To filter on a specific TCP port, for example 443 (tcp.port matches the port as either source or destination; use tcp.srcport or tcp.dstport for one direction only, and udp.port for UDP traffic):

tcp.port == 443

4.png

TCP SYN and SYN/ACK packets, to find TCP connection failures and latency issues:

tcp.flags.syn==1 or (tcp.flags.syn==1 and tcp.flags.ack==1)

This filter shows the start of every TCP connection: the SYN packet going out and the corresponding SYN/ACK packet coming back. Because a SYN/ACK also has the SYN bit set, the shorter filter tcp.flags.syn==1 gives the same result; to show only the outgoing SYNs use tcp.flags.syn==1 and tcp.flags.ack==0, and to show only the replies use tcp.flags.syn==1 and tcp.flags.ack==1. A SYN with no SYN/ACK in return (or one answered by a reset, tcp.flags.reset==1) indicates a connection failure, the time between a SYN and its SYN/ACK is the connection setup latency, and tcp.analysis.retransmission highlights SYNs that had to be resent.

3.png
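The capture command above produces text, not a PCAP. The following Python script is an added example (not part of this article or of FortiOS) that converts verbosity-6 sniffer output into a libpcap file and then evaluates the same kind of predicates as the display filters above (ip.addr, ip.src with a /24, tcp.port, SYN and SYN/ACK) over the decoded frames, including a check for SYNs that never received a SYN/ACK. The sample sniffer output is constructed for this example: the frame header lines and the hex dump layout (offset, hex words separated by single spaces, then an ASCII column separated by a tab or two or more spaces) are assumptions about the format, and the 'l' timestamps are read as UTC.

```python
import calendar
import ipaddress
import re
import struct
from datetime import datetime

# Constructed sample of "diagnose sniffer packet any '...' 6 0 l" output:
# a TCP SYN, the SYN/ACK answering it, and a UDP packet to port 53.
# Header lines and hex dump layout are assumptions about the real format.
SAMPLE = """\
2024-05-01 10:22:33.100000 port1 in 192.168.1.10.54321 -> 10.0.0.1.443: syn 1
0x0000   0009 0f09 0002 0009 0f09 0001 0800 4500   ..............E.
0x0010   0028 0001 4000 4006 0000 c0a8 010a 0a00   .(..@.@.........
0x0020   0001 d431 01bb 0000 0001 0000 0000 5002   ...1..........P.
0x0030   ffff 0000 0000                            ......
2024-05-01 10:22:33.150000 port2 in 10.0.0.1.443 -> 192.168.1.10.54321: syn 4096 ack 2
0x0000   0009 0f09 0001 0009 0f09 0002 0800 4500   ..............E.
0x0010   0028 0002 4000 3f06 0000 0a00 0001 c0a8   .(..@.?.........
0x0020   010a 01bb d431 0000 1000 0000 0002 5012   .....1........P.
0x0030   ffff 0000 0000                            ......
2024-05-01 10:22:34.000000 port1 in 192.168.1.10.49153 -> 8.8.8.8.53: udp 0
0x0000   0009 0f09 0002 0009 0f09 0001 0800 4500   ..............E.
0x0010   001c 0003 4000 4011 0000 c0a8 010a 0808   ....@.@.........
0x0020   0808 c001 0035 0008 0000                  .....5....
"""

TS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) ")
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+(.*)$")


def parse_sniffer(text):
    """Return [(sec, usec, frame_bytes)] from verbosity-6 sniffer text.
    'l' timestamps are treated as UTC (assumption: adjust for the FortiGate's
    local timezone if exact absolute times matter)."""
    frames, ts, buf = [], None, bytearray()
    for line in text.splitlines():
        m = TS_LINE.match(line)
        if m:                                   # new packet starts
            if buf:
                frames.append((*ts, bytes(buf)))
            buf = bytearray()
            dt = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            ts = (calendar.timegm(dt.timetuple()), dt.microsecond)
            continue
        h = HEX_LINE.match(line)
        if h and ts is not None:                # hex dump line of the packet
            hexpart = re.split(r"\t| {2,}", h.group(1), maxsplit=1)[0]
            buf += bytes.fromhex(hexpart.replace(" ", ""))
    if buf:
        frames.append((*ts, bytes(buf)))
    return frames


def to_pcap(frames, linktype=1):
    """Serialise frames as a classic libpcap file (link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)


def summarize(frame):
    """Decode an Ethernet/IPv4 frame into the Wireshark field names used by the
    display filters in this article; returns None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    d = {"ip.src": str(ipaddress.IPv4Address(frame[26:30])),
         "ip.dst": str(ipaddress.IPv4Address(frame[30:34])),
         "ip.proto": frame[23]}
    l4 = frame[14 + ihl:]
    if d["ip.proto"] == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13]                          # FIN=1 SYN=2 RST=4 PSH=8 ACK=16
        d.update({"tcp.srcport": sport, "tcp.dstport": dport,
                  "tcp.flags.syn": (flags >> 1) & 1, "tcp.flags.ack": (flags >> 4) & 1,
                  "tcp.flags.reset": (flags >> 2) & 1})
    elif d["ip.proto"] == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        d.update({"udp.srcport": sport, "udp.dstport": dport})
    return d


def ip_addr(addr):          # ip.addr == addr  (either direction)
    return lambda d: d is not None and addr in (d["ip.src"], d["ip.dst"])

def in_net(field, cidr):    # ip.src == a.b.c.0/24  style match on one field
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda d: d is not None and ipaddress.ip_address(d[field]) in net

def tcp_port(port):         # tcp.port == port  (source or destination)
    return lambda d: d is not None and port in (d.get("tcp.srcport"), d.get("tcp.dstport"))

def syn_only(d):            # tcp.flags.syn==1 and tcp.flags.ack==0
    return d is not None and d.get("tcp.flags.syn") == 1 and d.get("tcp.flags.ack") == 0

def syn_ack(d):             # tcp.flags.syn==1 and tcp.flags.ack==1
    return d is not None and d.get("tcp.flags.syn") == 1 and d.get("tcp.flags.ack") == 1

def select(frames, pred):
    """Indexes of frames whose decoded fields satisfy pred (a display filter)."""
    return [i for i, (_, _, data) in enumerate(frames) if pred(summarize(data))]

def unanswered_syns(frames):
    """Indexes of SYNs with no SYN/ACK from the peer: connection failures."""
    pending = {}
    for i, (_, _, data) in enumerate(frames):
        s = summarize(data)
        if syn_only(s):
            pending[(s["ip.src"], s["tcp.srcport"], s["ip.dst"], s["tcp.dstport"])] = i
        elif syn_ack(s):
            pending.pop((s["ip.dst"], s["tcp.dstport"], s["ip.src"], s["tcp.srcport"]), None)
    return sorted(pending.values())


if __name__ == "__main__":
    frames = parse_sniffer(SAMPLE)
    with open("fortigate.pcap", "wb") as f:
        f.write(to_pcap(frames))
    print("ip.addr == 10.0.0.1 ->", select(frames, ip_addr("10.0.0.1")))
    print("tcp.port == 443     ->", select(frames, tcp_port(443)))
    print("SYN / SYN+ACK       ->", select(frames, syn_only), select(frames, syn_ack))
    print("unanswered SYNs     ->", unanswered_syns(frames))
```

Running the script writes fortigate.pcap, which Wireshark opens directly, so the same filters can be typed into Wireshark to confirm what the predicates return. The decoder covers only IPv4 over Ethernet with TCP or UDP, which is enough to mirror these filters; the unanswered-SYN check is the programmatic form of scrolling through the tcp.flags.syn==1 view looking for a SYN with no reply.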

To follow a TCP stream, select any packet of the connection (the first SYN is a convenient choice), right-click on that line, go to 'Follow', and then select 'TCP Stream' (or 'UDP Stream' for UDP traffic, which has no SYN) as shown in the screenshot below. Wireshark then sets the display filter to the matching tcp.stream eq N (or udp.stream eq N) expression, which can also be typed directly to isolate a single conversation.

5.png

To filter DNS packets by the queried domain name:

dns.qry.name == "fortinet.com"

This is an exact match; use dns.qry.name contains "fortinet.com" to include subdomains as well. Because a DNS response repeats the question section, the filter shows both the query and its response; add dns.flags.response == 0 to keep only queries, or dns.flags.response == 1 to keep only responses.

dns_queries.jpg

Once the PCAP file has been collected from the FortiGate firewall, applying the filters above makes the analysis quicker and more accurate.