Created on 07-04-2024 01:32 AM Edited on 07-04-2024 01:34 AM By Anthony_E
Description | This article describes how to use advanced filtering in packet sniffer to collect fragmented packets only. |
Scope | FortiGate. |
Solution |
High fragmentation rates are a well-known point of concern when investigating performance issues on FortiGate, and in some cases it is useful to collect this traffic to understand the source of the fragmentation and resolve it.
The command 'diagnose sniffer packet' supports advanced tcpdump filtering syntax, so to filter fragmented traffic, use the command below to collect all the fragments of a packet (including the last one):
diagnose sniffer packet any '((ip[6:2] > 0) and (not ip[6] = 64))' <level> <packet count limit> <ts format>
Example:
diagnose sniffer packet any '((ip[6:2] > 0) and (not ip[6] = 64))' 4 0 a
To explain this syntax, focus on the IPv4 header bytes:
Each row of the header is 4 bytes long and byte offsets count from 0, so to filter on DF, MF, and Fragment Offset it is necessary to look at the 7th and 8th bytes (offsets 6 and 7). The syntax ip[6] therefore selects the 7th byte, which holds the Flags field (3 bits) plus the first 5 bits of the 13-bit Fragment Offset field.
It can be helpful to visualize the bytes like this:
byte 7th (ip[6]): Reserved | DF | MF | 5 high bits of Fragment Offset
byte 8th (ip[7]): 8 low bits of Fragment Offset
As said earlier, the first 3 bits of the 7th byte are the Flags field: the first bit is reserved and always 0, the second bit is DF, and the third bit is MF. With DF or MF set, the 7th byte in binary is:
01000000 = 64 <----- DF bit set.
00100000 = 32 <----- MF bit set.
Finally, to explain the filter that captures all the fragments:
not ip[6] = 64 <----- Excludes all packets with the DF bit set (7th byte equal to 64).
ip[6:2] > 0 <----- :2 means a 2-byte value is read starting at offset 6, so the 7th and 8th bytes taken together must be greater than 0.
In this way, it is possible to collect all packets with the MF bit set or with any non-zero fragment offset, and to exclude all packets with DF set. |
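To see exactly which headers the filter above selects, here is an added Python example (not from the article or from Fortinet) that builds constructed IPv4 headers and applies the same byte tests the filter expresses; it also checks them against the equivalent bitmask spelling ip[6:2] & 0x3fff != 0, which drops the reserved and DF bits directly.

```python
import struct

def ipv4_header(ident, df, mf, frag_offset):
    """Build a minimal 20-byte IPv4 header (constructed sample data).
    frag_offset is in 8-byte units, as carried on the wire; checksum left 0."""
    flags_and_offset = (df << 14) | (mf << 13) | (frag_offset & 0x1FFF)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + 8, ident, flags_and_offset, 64, 17, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def kb_filter(pkt):
    """The article's filter: (ip[6:2] > 0) and (not ip[6] = 64)."""
    word = struct.unpack("!H", pkt[6:8])[0]   # ip[6:2]: 7th and 8th bytes as one 16-bit value
    return word > 0 and pkt[6] != 64          # ip[6]: the 7th byte on its own

def mask_filter(pkt):
    """Same selection written with a bitmask: ip[6:2] & 0x3fff != 0
    (0x3fff clears the reserved and DF bits, keeping MF plus the 13-bit offset)."""
    word = struct.unpack("!H", pkt[6:8])[0]
    return (word & 0x3FFF) != 0

# Constructed sample headers: (label, DF, MF, fragment offset in 8-byte units)
SAMPLES = [
    ("plain datagram",       0, 0, 0),
    ("plain datagram, DF",   1, 0, 0),
    ("first fragment (MF)",  0, 1, 0),
    ("middle fragment",      0, 1, 185),
    ("last fragment",        0, 0, 370),
]

def classify():
    """Return {label: (value of ip[6], captured by the filter)} for every sample."""
    out = {}
    for label, df, mf, off in SAMPLES:
        pkt = ipv4_header(0x1234, df, mf, off)
        assert kb_filter(pkt) == mask_filter(pkt)  # both spellings agree on these headers
        out[label] = (pkt[6], kb_filter(pkt))
    return out

if __name__ == "__main__":
    for label, (byte7, hit) in classify().items():
        print(f"{label:22s} ip[6]={byte7:3d} ({byte7:08b})  captured={hit}")
```

Only the three fragments are captured; the unfragmented datagram and the DF-only datagram are excluded, which is the behaviour the article describes.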
Copyright 2024 Fortinet, Inc. All Rights Reserved.