Description
This article describes how to split traffic by interface when the packet sniffer is run on the 'any' interface and there is no SNAT/DNAT in effect. When testing for packet loss on FortiGate, 'any' is specified as the interface for packet sniffing so that the same packet is seen on both the ingress and the egress interface.
Scope
FortiGate.
Solution
Topology:
55.55.55.107 <----> (port29) FGT (port25) <----> 33.33.33.106
Traffic: ICMP from 55.55.55.107 to 33.33.33.106
Packet sniffer:
diagnose sniffer packet any 'host 33.33.33.106 and host 55.55.55.107' 6 0 l
2023-11-09 15:13:42.140243 port29 in 55.55.55.107 -> 33.33.33.106: icmp: echo request
2023-11-09 15:13:42.140265 port25 out 55.55.55.107 -> 33.33.33.106: icmp: echo request
2023-11-09 15:13:42.140705 port25 in 33.33.33.106 -> 55.55.55.107: icmp: echo reply
2023-11-09 15:13:42.140717 port29 out 33.33.33.106 -> 55.55.55.107: icmp: echo reply
It is often important to check that FortiGate forwards all of the intended packets. However, because a capture on 'any' records each forwarded packet once on the ingress interface and once on the egress interface, Wireshark shows every packet as a duplicate and TCP sequence analysis is not possible.
The following method uses a Wireshark display filter to split the capture so that only the traffic on port25 or only the traffic on port29 is shown. The MAC addresses needed for the analysis are:
55.55.55.107 : 000c 29ef e428
port25       : 906c acc4 1cfe
33.33.33.106 : 000c 29f6 cd06
port29       : 906c acc4 1d02
Note:
DST MAC address == 0000 0000 0001 indicates inbound traffic on the interface.
These are the Wireshark filters to filter the traffic by interface.
To filter traffic only for port29 (MAC addresses of 55.55.55.107 and port29):
eth.src == 00:0c:29:ef:e4:28 || eth.src == 90:6c:ac:c4:1d:02
To filter traffic only for port25 (MAC addresses of 33.33.33.106 and port25):
eth.src == 90:6c:ac:c4:1c:fe || eth.src == 00:0c:29:f6:cd:06
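The same split can be done outside Wireshark when a large capture has to be separated into per-interface sets. The following Python script is an added example and is not part of the Fortinet article or any Fortinet tool: it takes the article's MAC addresses, builds the eth.src display filter for each interface, and classifies raw Ethernet frames by their source MAC in the same way the filter does (inbound frames carry the peer host's MAC, outbound frames carry the FortiGate port's MAC). The four sample frames are constructed inline to mirror the ICMP exchange in the sniffer output above; the port-to-peer mapping is taken from the topology and is an assumption of the example.

```python
# Added example (not from the Fortinet KB article): split frames captured on
# the 'any' interface into per-interface groups by Ethernet source MAC.
from collections import defaultdict

# MAC addresses from the article's topology, normalized to colon notation.
HOST_MAC = {
    "55.55.55.107": "00:0c:29:ef:e4:28",
    "33.33.33.106": "00:0c:29:f6:cd:06",
}
PORT_MAC = {
    "port29": "90:6c:ac:c4:1d:02",
    "port25": "90:6c:ac:c4:1c:fe",
}
# Which directly connected host sits behind which FortiGate port
# (assumption taken from the topology diagram, no NAT in the path).
PORT_PEER = {"port29": "55.55.55.107", "port25": "33.33.33.106"}


def interface_src_macs(port):
    """Source MACs that appear on `port`: the peer host (inbound frames)
    and the port's own MAC (outbound frames)."""
    return {HOST_MAC[PORT_PEER[port]], PORT_MAC[port]}


def wireshark_filter(port):
    """Build the eth.src display filter for one interface, as the article does."""
    macs = sorted(interface_src_macs(port))
    return " || ".join(f"eth.src == {m}" for m in macs)


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame):
    """Return the interface a raw Ethernet frame belongs to, or None when the
    source MAC is not one of the known ones (e.g. traffic on a third port)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    src = mac_to_str(frame[6:12])
    for port in PORT_MAC:
        if src in interface_src_macs(port):
            return port
    return None


def split_by_interface(frames):
    """Group frames by interface; unknown sources land under the None key."""
    groups = defaultdict(list)
    for frame in frames:
        groups[classify_frame(frame)].append(frame)
    return dict(groups)


def build_frame(dst, src, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample frame: dst MAC, src MAC, EtherType IPv4, dummy payload."""
    return (bytes.fromhex(dst.replace(":", ""))
            + bytes.fromhex(src.replace(":", ""))
            + b"\x08\x00" + payload)


# Constructed frames mirroring the four sniffer lines: request in on port29,
# request out on port25, reply in on port25, reply out on port29.
SAMPLE_FRAMES = [
    build_frame(PORT_MAC["port29"], HOST_MAC["55.55.55.107"]),
    build_frame(HOST_MAC["33.33.33.106"], PORT_MAC["port25"]),
    build_frame(PORT_MAC["port25"], HOST_MAC["33.33.33.106"]),
    build_frame(HOST_MAC["55.55.55.107"], PORT_MAC["port29"]),
]

if __name__ == "__main__":
    for port in PORT_MAC:
        print(f"{port}: {wireshark_filter(port)}")
    for port, frames in split_by_interface(SAMPLE_FRAMES).items():
        print(f"{port}: {len(frames)} frame(s)")
```

Classification relies only on the Ethernet source address, so it is independent of the IP filter passed to the sniffer; frames whose source MAC is not in the table are kept under a separate group rather than silently dropped, which makes it easy to spot traffic from an interface that was not accounted for.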