Description | This article describes how to capture netflow packets and decode with Wireshark to perform further analysis of traffic statistics sent to a netflow collector. |
Scope | FortiGate, FortiOS. |
Solution |
When NetFlow statistics received by a NetFlow collector need to be investigated further from the FortiGate side, for example to verify the number of bytes and packets reported for each monitored session, the exported traffic can be captured in raw format on the FortiGate and the NetFlow packets decoded in Wireshark using the UDP port configured for the collector.
On the FortiGate side, the NetFlow collector settings are configured under:
config system netflow
If the FortiGate has a hard disk, the traffic capture can be run from the GUI; otherwise, the UDP NetFlow packets are captured with the following CLI command:
diagnose sniffer packet port40 'udp port <netflow_collector_port>' 6 0 a
Note: Replace <netflow_collector_port> with the collector port configured on the FortiGate, and port40 with the interface through which the collector is reached.
Refer to the following articles to convert the plaintext capture into the Wireshark .pcap format: Technical Tip: How to import 'diagnose sniffer packet' data to WireShark, and Technical Tip: How to import 'diagnose sniffer packet' data to WireShark - Ethereal application.
Open the .pcap file from the NetFlow packet capture in Wireshark and go to Analyze -> Decode As:
In the Decode As dialog, map the collector's UDP port to the NetFlow dissector (listed as CFLOW) and apply it. Wireshark will then decode the NetFlow packets for further troubleshooting.
Note: Review the NetFlow template details to interpret the fields of these NetFlow packets correctly. See FortiGate 7.6.3 Admin Guide - Netflow Templates |
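As an added example (not from the Fortinet article or a FortiGate capture), a minimal NetFlow v9 decoder in Python run over a constructed export packet. It shows what the template note above means in practice: a data flowset whose template has not yet been received cannot be interpreted, so a capture should include at least one template export from the FortiGate before the data records of interest. All addresses, ports and counters are constructed values.

```python
import struct

# NetFlow v9 (RFC 3954) field types used by the constructed template: 8=IPV4_SRC_ADDR,
# 12=IPV4_DST_ADDR, 7=L4_SRC_PORT, 11=L4_DST_PORT, 1=IN_BYTES, 2=IN_PKTS
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port", 1: "bytes", 2: "packets"}
TEMPLATE_ID = 256  # flowset IDs >= 256 are data flowsets referring to a template
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (2, 4)]  # (type, length)

def build_sample_export(with_template: bool = True) -> bytes:
    # Constructed v9 export (not a real capture): header, optional template flowset, one data flowset
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl if with_template else b""
    rec = bytes([10, 0, 0, 5]) + bytes([192, 168, 1, 10]) + struct.pack("!HHII", 51234, 443, 12000, 30)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(rec)) + rec
    # header: version, record count, sysUptime, unix secs, sequence number, source ID
    header = struct.pack("!HHIIII", 9, 2 if with_template else 1, 123456, 1700000000, 1, 0)
    return header + tmpl_set + data_set

def decode_netflow_v9(pkt: bytes, templates: dict = None) -> dict:
    """Decode one v9 packet; pass the same `templates` dict across packets, as a collector caches them."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates = {} if templates is None else templates
    records, off = [], 20
    while off + 4 <= len(pkt):
        set_id, length = struct.unpack("!HH", pkt[off:off + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        body, off = pkt[off + 4:off + length], off + length
        if set_id == 0:  # template flowset: one or more (template ID, field count, fields...) entries
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(nfields)]
                p += 4 + 4 * nfields
        elif set_id >= 256:  # data flowset (ID 1, the options template, is not handled here)
            fields = templates.get(set_id, [])
            rec_len, p = sum(flen for _, flen in fields), 0
            if rec_len == 0:  # template not received yet: these bytes cannot be interpreted
                records.append({"template": set_id, "error": "template not yet received"})
                continue
            while p + rec_len <= len(body):  # any trailing bytes are padding
                rec = {}
                for ftype, flen in fields:
                    raw, p = body[p:p + flen], p + flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
    return {"header": {"version": version, "count": count, "sysuptime": uptime, "unix_secs": secs,
                       "sequence": seq, "source_id": source_id}, "records": records}
```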
Copyright 2025 Fortinet, Inc. All Rights Reserved.