This article describes how to use the built-in packet capture feature in FortiOS from the GUI interface.
On the 5.6 firmware branch, the unit needs a disk and logging to disk has to be enabled.
Since the firmware version 6.0.2, this restriction has been removed.
Here is the Step-by-Step guide to capturing packets from GUI:
- Go to Network -> Packet Capture and create a new filter.
- It's possible to use the following URL to access the packet capture page: https://[management-IP]/ng/page/p/firewall/sniffer/
Substitute the management-IP with the correct IP to access the FortiGate.
- Below shows the Packet Capture interface:
The option to capture the packet based on interface and filter by hosts, ports or VLANs will be proposed.
In the example above 100 packets would be captured based on the selected filters:
IP address 10.205.1.206 and port 80,443 on interface port3.
If 'Enable Filters' is not selected, all packets on the selected interface will be captured.
- Can not select interface as "any" at the time of packet capture.
- Less than or equal to 10,000 packets can be captured in one packet capture filter.
On Fortigate Version 7.2+ this option can be found under : Network > Diagnostics
-Click On Start Capture and you can see live flow of packets
-You can stop the capture and save the file in pcap format, readable by Wireshark