FortiGate
Rosalyn, Staff
Article Id 212727
Description: This article describes how to use the sniffer to confirm that an upstream device is sending traffic to the wrong MAC address.
Scope

Network Setup:

Workstation -> Layer3 switch -> FortiGate -> Internet.

 

With sniffer verbose level 6, the output prints the header and data of each packet from the Ethernet layer up, together with the name of the interface on which it was seen.

Alternatively, the same behavior can be verified from the GUI with the packet capture feature, found under:

Network -> Packet Capture.

Solution

To perform a sniffer trace in the CLI, run the following command:

 

diagnose sniffer packet <interface> "host x.x.x.x" 6 0 l <----- x.x.x.x is the destination IP address; 6 is the verbose level, 0 captures until stopped with Ctrl-C, and l prints local timestamps.

 

For example, the command can be executed as follows:

 

diagnose sniffer packet wan1 "host 202.165.107.49" 6 0 l

2022-05-21 17:29:41.881685 wan1 -- 116.87.142.237 -> 202.165.107.49: icmp: echo request
0x0000 10f3 1126 c734 04d5 904a 1388 0800 4500 ...&.4...J....E.
0x0010 003c 01d6 0000 7f01 00d0 7457 8eed caa5 .<........tW....
0x0020 6b31 0800 6070 ec01 00ea 6162 6364 6566 k1..`p....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi

 

As shown in the output above, the first six bytes of the frame, '10f3 1126 c734', are the destination MAC address and the next six, '04d5 904a 1388', are the source MAC address.

 

The MAC address of the capturing interface (wan1) can be verified with the following command:

 

FGT # diagnose hardware device info nic wan1

Description :FortiASIC NP6XLITE Adapter
Driver Name :FortiASIC NP6XLITE Driver
Board :61F
lif id :0
lif oid :64
netdev oid :64
Current_HWaddr 10:f3:11:26:c7:31
Permanent_HWaddr 10:f3:11:26:c7:31
========== Link Status ==========
Admin :up
netdev status :up
autonego_setting:0
link_setting :1
speed_setting :1000
duplex_setting :1
Speed :1000
Duplex :Full
link_status :Up

 

The destination MAC address '10f3 1126 c734' does not match wan1; it belongs to the wan2 interface, which can be verified as follows:


FGT # diagnose hardware device info nic wan2

Description :FortiASIC NP6XLITE Adapter
Driver Name :FortiASIC NP6XLITE Driver
Board :61F
lif id :0
lif oid :64
netdev oid :64
Current_HWaddr 10:f3:11:26:c7:34
Permanent_HWaddr 10:f3:11:26:c7:34
========== Link Status ==========
Admin :up
netdev status :up
autonego_setting:0
link_setting :1
speed_setting :1000
duplex_setting :1
Speed :1000
Duplex :Full
link_status :Up

 

From the outputs above, a frame addressed to the wan2 MAC (10:f3:11:26:c7:34) was received on wan1, which confirms that the switch is holding the wrong MAC address entry and is forwarding traffic out of the wrong port. To rectify the issue, further troubleshooting needs to be performed on the switch side.
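The check described above can be automated when the sniffer output is saved to a file. The following script is an added example, not Fortinet's code: it parses verbose-6 sniffer output, extracts the destination and source MAC from the 14-byte Ethernet header, and flags frames whose destination MAC belongs to a different interface than the one that captured them. The sample output and interface table are constructed from the values in this article; the MAC table is assumed to come from `diagnose hardware device info nic <interface>`.

```python
import re

# Constructed sample: the verbose-6 sniffer output from this article, captured on wan1.
SNIFFER_OUTPUT = """\
2022-05-21 17:29:41.881685 wan1 -- 116.87.142.237 -> 202.165.107.49: icmp: echo request
0x0000 10f3 1126 c734 04d5 904a 1388 0800 4500 ...&.4...J....E.
0x0010 003c 01d6 0000 7f01 00d0 7457 8eed caa5 .<........tW....
0x0020 6b31 0800 6070 ec01 00ea 6162 6364 6566 k1..`p....abcdef
"""

# Constructed: Current_HWaddr of each interface as shown by 'diagnose hardware device info nic'.
INTERFACE_MACS = {
    "wan1": "10:f3:11:26:c7:31",
    "wan2": "10:f3:11:26:c7:34",
}

# A hex-dump line: offset, then up to eight 16-bit groups (the ASCII column is ignored).
# The 8-group cap protects full lines; a short final line whose ASCII column happens to
# start with hex-looking characters could still be over-read, which does not affect the header.
HEX_LINE = re.compile(r"^0x([0-9a-f]{4})((?:\s[0-9a-f]{4}){1,8})", re.I)
# A packet summary line: timestamp, interface name, then ' -- ' and the L3/L4 summary.
PKT_LINE = re.compile(r"^\S+ \S+ (\S+) -- ")

def parse_packets(text):
    """Return a list of (interface, summary, raw_frame_bytes) from verbose-6 sniffer output."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m and cur is not None:
            cur[2].extend(bytes.fromhex(m.group(2).replace(" ", "")))
            continue
        m = PKT_LINE.match(line)
        if m:
            cur = [m.group(1), line.split(" -- ", 1)[1], bytearray()]
            packets.append(cur)
    return [(i, s, bytes(b)) for i, s, b in packets]

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ethernet_header(raw):
    """Split the 14-byte Ethernet header into (dst MAC, src MAC, EtherType)."""
    if len(raw) < 14:
        raise ValueError("truncated frame: fewer than 14 bytes captured")
    return fmt_mac(raw[0:6]), fmt_mac(raw[6:12]), int.from_bytes(raw[12:14], "big")

def check_ingress(text, iface_macs):
    """List frames whose destination MAC is owned by an interface other than the capturing one."""
    findings = []
    for iface, summary, raw in parse_packets(text):
        dst, src, _etype = ethernet_header(raw)
        owner = next((n for n, m in iface_macs.items() if m.lower() == dst), None)
        if owner is not None and owner != iface:
            findings.append((iface, owner, dst, src, summary))
    return findings
```

For the article's capture, `check_ingress` reports one frame seen on wan1 whose destination MAC is owned by wan2, which is exactly the mismatch the manual comparison above reveals.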