FortiGate
vrajendran, Staff
Article Id 195974

Description

This article describes how to use the FortiGate sniffer on VLAN interfaces.

The following example is based on a FortiGate with 2 VLANs attached to the interface wan1, as well as an IP address on the physical interface itself.

config system interface
    edit "wan1"
        set ip 10.140.0.106 255.255.254.0
        set type physical
    next
    edit "VLAN18"
        set ip 192.168.182.106 255.255.254.0
        set interface "wan1"
        set vlanid 18
    next
    edit "VLAN224"
        set ip 172.31.224.106 255.255.254.0
        set interface "wan1"
        set vlanid 224
    next
end

Scope

FortiGate.


Solution

  1. Looking for the tagging information in the sniffer capture.

To see the tagging information in the sniffer trace, there must be no packet filter in the sniffer command.

  • Example of a command without a packet filter:

diagnose sniffer packet wan1 ""

  • Example of a command with a packet filter:

diagnose sniffer packet wan1 "icmp or arp"

     1.1 Capturing all tagged and non-tagged packets on wan1, low verbosity

diagnose sniffer packet wan1 ""

0.180038 arp who-has 10.140.0.234 tell 10.140.0.106
0.553565 802.1Q vlan#18 P0
1.553430 802.1Q vlan#18 P0
2.180040 arp who-has 10.140.0.234 tell 10.140.0.106
2.553224 802.1Q vlan#18 P0
3.180030 arp who-has 10.140.0.234 tell 10.140.0.106
3.553216 802.1Q vlan#18 P0
4.180028 arp who-has 10.140.0.234 tell 10.140.0.106
4.553062 802.1Q vlan#18 P0
4.553127 802.1Q vlan#224 P0


Reading the trace:

  • The ARP packets are sent at the physical interface level on the configured subnet (10.140.0.x) and are untagged (no 802.1Q shown).
  • Some tagged frames are received or sent on the VLAN interfaces VLAN18 and VLAN224; these are the lines carrying the 802.1Q information.

     1.2 Capturing all tagged and non-tagged packets on wan1, high verbosity (full packet content)

To see the full content of all packets on wan1 (tagged and non-tagged), the following command can be used:

diagnose sniffer packet wan1 "" 3

1.028118 802.1Q vlan#18 P0
0x0000 0009 0f09 3204 0009 0f30 29e4 8100 0012 ....2....0).....
0x0010 0800 4500 003c 6c5d 0000 ff01 6bcb c0a8 ..E..<l]....k...
0x0020 b66a c0a8 abdc 0000 b257 0600 9d04 6162 .j.......W....ab
0x0030 6364 6566 6768 696a 6b6c 6d6e 6f70 7172 cdefghijklmnopqr
0x0040 7374 7576 7761 6263 6465 6667 6869 stuvwabcdefghi

2.180036 arp who-has 10.140.0.234 tell 10.140.0.106
0x0000 ffff ffff ffff 0009 0f30 29e4 0806 0001 .........0).....
0x0010 0800 0604 0001 0009 0f30 29e4 0a8c 006a .........0)....j
0x0020 0000 0000 0000 0a8c 00ea ..........

3.028048 802.1Q vlan#224 P0
0x0000 0019 b9f8 e7e9 0009 0f30 29e4 8100 00e0 .........0).....
0x0010 0800 4500 003c 6c60 0000 ff01 5651 ac1f ..E..<l`....VQ..
0x0020 e06a c0a8 abdc 0000 b057 0600 9f04 6162 .j.......W....ab
0x0030 6364 6566 6768 696a 6b6c 6d6e 6f70 7172 cdefghijklmnopqr
0x0040 7374 7576 7761 6263 6465 6667 6869 stuvwabcdefghi

Reading the trace:

  • The ARP packets are still sent at the physical interface level on the configured subnet (10.140.0.x) and are untagged (no 802.1Q shown). The Ethertype is 0x0806.
  • The tagged frames now show the 802.1Q field: 8100 0012 or 8100 00e0, where 0012 and 00e0 are the VLAN IDs in hexadecimal (18 and 224).

  2. Capturing traffic for a specific VLAN ID on a specific interface.

Assume wan1 carries several VLAN IDs.

To capture only VLAN ID 18 traffic on wan1, run the following sniffer command:

diag sniffer packet wan1 "ether[14:2]=0x0012" 6 0 l

Run the following sniffer command to capture both VLAN ID 18 and VLAN ID 224 traffic on wan1:

diag sniffer packet wan1 "ether[14:2]=0x0012 or ether[14:2]=0x00e0" 6 0 l

0x0012 is the hexadecimal representation of VLAN ID 18.
0x00e0 is the hexadecimal representation of VLAN ID 224.

Likewise, traffic for any specific VLAN ID can be captured by using its hexadecimal value in the above sniffer filter.
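As an added example (not part of the original article or of FortiOS), the following Python script rebuilds the frames from the verbosity-3 hex dumps above, decodes the 802.1Q tag that the ether[14:2] filter tests, and builds that filter for a given VLAN ID. It also makes explicit what the article leaves implicit: ether[14:2] compares the whole 16-bit TCI, so the value 0x0012 matches VLAN 18 frames only when the priority bits are zero (the P0 seen in the traces); sniffer_filter_for_vid shows the value needed for a non-zero priority.

```python
import re

# Hex dump lines copied from the verbosity-3 sniffer output above: the tagged
# ICMP frame seen on VLAN18 and the untagged ARP request on wan1.
VLAN18_FRAME = """\
0x0000 0009 0f09 3204 0009 0f30 29e4 8100 0012 ....2....0).....
0x0010 0800 4500 003c 6c5d 0000 ff01 6bcb c0a8 ..E..<l]....k...
0x0020 b66a c0a8 abdc 0000 b257 0600 9d04 6162 .j.......W....ab
"""
ARP_FRAME = """\
0x0000 ffff ffff ffff 0009 0f30 29e4 0806 0001 .........0).....
0x0010 0800 0604 0001 0009 0f30 29e4 0a8c 006a .........0)....j
0x0020 0000 0000 0000 0a8c 00ea ..........
"""

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw frame bytes from sniffer hex-dump lines. Each line is an
    offset, up to eight 16-bit hex groups, then an ASCII column; the ASCII
    column is skipped by stopping at the first token that is not 4 hex digits."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:9]:
            if not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def decode_header(frame: bytes) -> dict:
    """Decode the Ethernet header. If the TPID at offset 12 is 0x8100, split the
    802.1Q TCI at offset 14 (the two bytes ether[14:2] tests) into PCP, DEI, VID."""
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    tpid = int.from_bytes(frame[12:14], "big")
    if tpid == 0x8100:
        tci = int.from_bytes(frame[14:16], "big")
        info.update(tagged=True, tci=tci, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=int.from_bytes(frame[16:18], "big"))
    else:
        info.update(tagged=False, ethertype=tpid)
    return info

def sniffer_filter_for_vid(vid: int, pcp: int = 0) -> str:
    """Build the ether[14:2] filter used in the article. The compared value is the
    whole TCI, so a non-zero priority (PCP) changes the hex value to match."""
    return f"ether[14:2]=0x{(pcp << 13) | (vid & 0x0FFF):04x}"

if __name__ == "__main__":
    for name, dump in (("VLAN18", VLAN18_FRAME), ("ARP", ARP_FRAME)):
        print(name, decode_header(dump_to_bytes(dump)))
    print(sniffer_filter_for_vid(18), sniffer_filter_for_vid(224), sniffer_filter_for_vid(18, pcp=5))
```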

 

  3. Capturing traffic on a specific VLAN interface

To capture the traffic on a specific VLAN interface, use the same sniffer command as for physical interfaces, noting that the VLAN tag information is not displayed, regardless of whether a packet filter is used.

diagnose sniffer packet VLAN18 "" 3

0.963022 192.168.171.220 -> 192.168.182.106: icmp: echo request
0x0000 0009 0f30 29e4 0009 0f09 3204 0800 4500 ...0).....2...E.
0x0010 003c 992c 0000 7e01 bffc c0a8 abdc c0a8 .<.,..~.........
0x0020 b66a 0800 4554 0600 0208 6162 6364 6566 .j..ET....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi

To verify that VLAN tags are arriving from the switch, sniff for all tagged frames on the wan1 port:

diag sniffer packet wan1 "vlan" 4 0 l

If more packet details are required:

diag sniffer packet wan1 "vlan" 6 0 l


Related articles:

Technical Tip: How to create a VLAN tagged interface (802.1q) on a FortiGate - tagged/untagged traff...

Troubleshooting Tool: Using the FortiOS built-in packet sniffer