FortiGate
yderek
Staff
Article Id 378908
Description This article describes how to troubleshoot GUI packet capture that does not work.
Scope FortiGate.
Solution

Symptoms when starting packet capture in the GUI of FortiGate:

  1. Packet capture will not start.
  2. Packet capture started showing 9 packets done.
  3. Packet capture started downloading showing 0 bytes.

 

Before starting the troubleshooting process, check whether NPU offload is disabled on the firewall policy. Otherwise, only the first packets are shown, and once the traffic is offloaded it appears as if the sniffer is no longer working:

 

config firewall policy

    edit <number of the firewall policy>

        set auto-asic-offload disable
end

 

For more information about this, see Technical Tip: FortiGate - Disable Hardware Acceleration.
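
The offload check above applied to a saved configuration, as an added example that is not from the original article or from Fortinet: the Python function lists the policies that do not carry `set auto-asic-offload disable`, so their traffic may still be offloaded and missing from a capture. The sample configuration is constructed, and the function assumes that a policy without that line uses the default (offload enabled) and that policy entries contain no nested config blocks.

```python
import re

# Constructed sample in the layout of "show firewall policy" output.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set action accept
    next
    edit 2
        set name "capture-test"
        set action accept
        set auto-asic-offload disable
    next
    edit 3
        set name "dmz-to-wan"
        set auto-asic-offload enable
    next
end
"""

def policies_still_offloaded(config_text):
    """Return IDs of policies lacking 'set auto-asic-offload disable'."""
    offloaded, policy_id, disabled, in_table = [], None, False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_table = True
        elif not in_table:
            continue                      # ignore other config sections
        elif policy_id is None:
            m = re.fullmatch(r"edit (\d+)", line)
            if m:
                policy_id, disabled = int(m.group(1)), False
            elif line == "end":
                in_table = False          # end of the policy table
        elif line == "set auto-asic-offload disable":
            disabled = True
        elif line in ("next", "end"):     # entry closed by next, or by end directly
            if not disabled:
                offloaded.append(policy_id)
            policy_id = None
            in_table = line == "next"
    return offloaded

if __name__ == "__main__":
    print("Policies that may hide packets from a capture:",
          policies_still_offloaded(SAMPLE_CONFIG))
```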

 

Troubleshooting process: start with the first solution and, if the issue persists, move to the next one:

 

Solution 1: Change to a different browser, clear the cache of the browser, and use a private window.

 
How to clear the browser cache:
  • Open browser settings: Navigate to the browser settings menu (usually with three dots or lines in the top right corner). 
  • Find 'Clear browsing data': Select the option related to clearing browsing history or data.
  • Choose time range: Select 'All time' to clear the entire cache. 
  • Select 'Cache': Ensure the 'Cache' option is checked. 
  • Select 'Clear data': Confirm and clear the browser cache.

 

Solution 2: Kill the httpsd processes using the commands below (have local access available in case the httpsd daemon has an issue):

 

diagnose sys process pidof httpsd
167
8607

diagnose sys kill 11 167

diagnose sys kill 11 8607

diagnose sys process pidof httpsd 

 

Alternatively, the following command can be used:

 

fnsysctl killall httpsd

 

Solution 3: Delete all the sniffers currently in the GUI.

Solution 4: Delete all the sniffers on the FortiGate using the command line, because sniffers that were previously created from the CLI may not be shown in the GUI. Use the commands below:

 

config firewall sniffer 

show

delete 1,2,3,4....

end 

 

Solution 5: Format the log disk. This action wipes the logs on the local disk, so ensure that FortiAnalyzer or another log storage system is available. Use this KB article: Technical Tip: Standard procedure to format a FortiGate Log Disk, log backup from disk.

 

If none of the above solutions fixes the issue, raise a case with TAC for further investigation.