FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pkungatti_FTNT
Description
 
This article describes one of the troubleshooting options available in FortiGate CLI to check the traffic flow, by capturing packets reaching the FortiGate unit. 
For capturing these packets through GUI, this article here may offer guidance. 
However, note that GUI capture has some limitations.
 
Scope
 

FortiGate, all FortiOS versions
other Fortinet appliances providing a CLI sniffer : FortiAnalyzer - FortiMail - FortiManager

 

 
AlexCFTNT_0-1639400387548.png

 

Content: Packet sniffer - basics
 
Basic packet-capture commands
-Example 1: Simple trace
-Example 2: Simple trace
 
Filter Functionality
-Example 3 : Trace with filters
-uncommon scenarios 
 

Sniffer Basics

The packet sniffer "sits" in the FortiGate and can display the traffic on a specific interface or on all interfaces. There are three different levels of Information, also known as

Verbose Levels 1 to 3, where verbose 1 shows less information and verbose 3 shows the most.

Verbose Levels 4, 5 and 6 would additionally provide the interface details
 
Verbose levels in detail:
 
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name
This article walks through some examples and different levels of verbosity to show the different possibilities for debugging.
 
Basic sniffing command

All packet sniffing (packet capture) commands start like:

 
# diag sniffer packet <interface> <'filter'> <verbose> <count> a

<interface> can be an interface name or "any" for all interfaces

<'filter'> is a very powerful filter functionality which will be described in more detail

<verbose> means the level of verbosity as described already

<count> the number of packets the sniffer reads before stopping.

a – timestamps the packets with the absolute UTC time

l - (small letter L) timestamps the packets with LOCAL time on the unit

(blank/no letter) – relative to the beginning of the capture

Note: for parallel captures on multiple interfaces/SSH sessions on Fortigate, please use “a” or “l”, do not leave blank

 

Note: in certain cases, where the unit has the capability and the session can be handled by a dedicated processor, the session is offloaded from kernel, making it impossible to capture these packets. In this case, you can turn off the offloading in the policy that matches the traffic with “set auto-asic-offload disable” for troubleshooting purposes only, and revert to the initial state after the capture.

 

Example 1: Simple sniffer

Sniff 3 packets of all traffic with verbose Level 4 on wan1 Interface

 

# diag sniffer packet wan1 none 1 3

interfaces=[wan1]

filters=[none]

0.996031 arp who-has 10.109.19.70 tell 10.109.31.254

1.310085 10.109.16.137.80 -> 172.26.48.21.56361: fin 3133701817 ack 1838214099

1.310648 172.26.48.21.56361 -> 10.109.16.137.80: ack 3133701818

As you can see we caught an arp packet and some communication end. Because the 10.109.16.137 IP Address uses Port 80 (10.109.16.137.80) we can assume that we've caught some packets from a running HTTP session. The "none" variable means 'no filter applied', "1" means 'verbose 1' and "3" means 'catch 3 packets and stop'.

Note that there is no timestamp switch at the end, therefore the first packet was received after 0.996031 seconds since the command was issued

 
Example 2: Simple Trace
 
Sniff 3 packets of all traffic with verbose Level 4 on wan1 interface.
# diag sniffer packet wan1 none 4 3

    0.455401 wan1 -- 172.26.48.21.55992 -> 10.109.16.137.80: syn 1906363376

    0.455490 wan1 -- 10.109.16.137.80 -> 172.26.48.21.55992: syn 1423685325 ack 1906363377

    0.456892 wan1 -- 172.26.48.21.55993 -> 10.109.16.137.80: ack 123332141


Apparently we caught some more interesting information, just when a TCP session was being set up. 172.26.48.21 tries to connect to 10.109.16.137 on Port 80 with a syn and gets a syn ack back. Finally, the session is acknowledged and established after the 3-way TCP handshake.

 

With information level set to Verbose 4, we see additionally a summary of Source and Destination IP Address.

 

If you don't enter a <count> value, the Sniffer runs forever until you stop it with <CTRL C>

 

Hint: For further investigation it's always a good idea to log the SSH output to a file. If you're using Putty (a free SSH client for Windows) you can easily log all output to a file which you can search/sort/process.

 

Verbose 5 and Verbose 6 levels:

 

Verbose 5 contains much more information

  1. The IP Header as we've already seen in Verbose 4
  2. The Payload of the IP packet itself

 

An output of Verbose 5 looks like this:

# diag sniffer packet any none 5 1

interfaces=[any]

filters=[none]

0.529129 wan1 in 10.109.19.165.137 -> 10.109.31.255.137: udp 50

0x0000   4500 004e 153b 0000 8011 dce6 0a6d 13a5        E..N.;.......m..

0x0010   0a6d 1fff 0089 0089 003a a7b6 8db5 0110        .m.......:......

0x0020   0001 0000 0000 0000 2045 4745 5046 4346        .........EGEPFCF

0x0030   4545 4a45 4f45 4646 4543 4e46 4145 4443        EEJEOEFFECNFAEDC

0x0040   4143 4143 4143 4143 4100 0020 0001             ACACACACA.....

 

Notice the in/ out parameter after wan1 interface that will confirm the direction of the packet entering or leaving the interface.

 

Verbose 6, finally, even includes Ethernet (Ether Frame) Information. A script is available (fgt2eth.pl), which will convert a captured verbose 6 output, into a file that can be read and decoded by Ethereal/Wireshark. See the end of this article for details.

 

Use of absolute time stamp in sniffer trace will report the absolute system time (no time zone) in packet summary:

 

# diag sniffer packet wan1 none 4 2 a

interfaces=[wan1]

filters=[none]

2019-08-16 09:36:02.570320 wan1 -- arp who-has 10.109.16.153 tell 10.109.16.152

2019-08-16 09:36:02.663102 wan1 -- 172.26.48.21.64241 -> 10.109.16.137.80: fin 2427687875 ack 3609408424

 

Hint: Below is the format that Technical Support will usually request when attempting to analyze a problem as it includes full packet content, as well as absolute time stamp, in order to correlate packets with other system events.

 

# diag sniffer packet any <'filter'> 6 0 a

Filter Functionality

As already mentioned, diag sniffer includes a powerful filter functionality that will be described here.

 

FortiOS gives a brief example:

 

diag sniffer packet any

<filter>    Flexible logical filters for sniffer (or "none").

For example:  To print UDP 1812 traffic between forti1 and either forti2 or forti3

'udp and port 1812 and host forti1 and ( forti2 or forti3 )'

 

If a second host is specified, only the traffic between the 2 hosts will be displayed.

 

Imagine you only want to capture the traffic from one PC to another PC.

Without a filter the sniffer will display all packets, which is far too much data and quite painful to sort and debug a large file.

 

Example 3: Trace with Filters

 

To see what's going on between two PCs (or a PC and a FortiGate), don't forget the quotes delimiting the filter expressions:

 

diag sniffer packet wan1 'src host 10.109.16.137 and dst host 172.26.48.21' 1 3

interfaces=[wan1]

filters=[src host 10.109.16.137 and dst host 172.26.48.21]

1.453488 10.109.16.137.80 -> 172.26.48.21.61776: syn 3263501252 ack 507821611

1.454138 10.109.16.137.80 -> 172.26.48.21.61776: ack 507822560

1.457612 10.109.16.137 -> 172.26.48.21: icmp: echo reply

 

Assuming there is a lot of traffic on the wire, this filter command will only display traffic (but all traffic) from Source 10.109.16.137 to Destination 172.26.48.21. It will NOT show traffic to 10.109.16.137 (for example the ICMP reply) because we asked for 'src host’ and ‘dst host'.

Note: when “src” and “dst” are used, “host” word is optional, and is applied by default.

You can also use “net” as keyword for a broader result:

diag sniffer packet wan1 'src 10.109.16.137 and net 172.26.48.0/20' 1 3

However, when filtering for the both ways of communication, we must either use “host” or “net” keywords:

diag sniffer packet wan1 'host 10.109.16.137 and host 172.26.48.0/20' 1 3

 

If we're interested only in a specific type of traffic (let's say TCP Traffic only) we need to change our filter command slightly:

 

diag sniffer packet wan1 'src 10.109.16.137 and tcp' 1 3

interfaces=[wan1]

filters=[src 10.109.16.137 and tcp]

1.729308 10.109.16.137.80 -> 172.26.48.21.62137: ack 4024820721

1.729541 10.109.16.137.80 -> 172.26.48.21.62139: syn 3670899298 ack 1522348774

1.730308 10.109.16.137.80 -> 172.26.48.21.62139: ack 1522349665

 

Though ICMP (ping) was also running and probably some DNS requests too, the trace only shows the TCP part. As we can see the Source is: 10.109.16.137.80 which is IP 10.109.16.137 on Port 80. Apparently, we found an HTTP session to 10.109.16.137.

 

The same the other way around (using here ‘host’ we can see the traffic both ways):

 

diag sniffer packet any 'host 10.109.16.137 and host 172.26.48.21' 1 5

interfaces=[any]

filters=[host 10.109.16.137 and host 172.26.48.21]

1.182532 172.26.48.21.55585 -> 10.109.16.137.80: syn 3194317969

1.182598 10.109.16.137.80 -> 172.26.48.21.55585: syn 2863972551 ack 3194317970

1.183166 172.26.48.21.55585 -> 10.109.16.137.80: ack 2863972552

1.183360 172.26.48.21.55585 -> 10.109.16.137.80: psh 3194317970 ack 2863972552

1.183406 10.109.16.137.80 -> 172.26.48.21.55585: ack 3194318935

 

In this example we're sniffing for ICMP only, to and from 10.109.16.137

 

diag sniffer packet any 'host 10.109.16.137 and icmp' 1 30

interfaces=[any]

filters=[host 10.109.16.137 and icmp]

16.866489 172.26.48.21 -> 10.109.16.137: icmp: echo request

16.866581 10.109.16.137 -> 172.26.48.21: icmp: echo reply

 

Another useful feature is logical combination. Let us assume you want to check for ICMP and TCP only (but not for UDP, ARP, etc). You can combine protocols in the following manner. This sniff will display all tcp or icmp traffic to and from host 10.109.16.137, in verbose 1 level.

 

diag sniffer packet wan1 'host 10.109.16.137 and (icmp or tcp)' 1 4

interfaces=[wan1]

filters=[host 10.109.16.137 and (icmp or tcp)]

0.748627 172.26.48.21 -> 10.109.16.137: icmp: echo request

0.748681 10.109.16.137 -> 172.26.48.21: icmp: echo reply

1.138054 172.26.48.21.55741 -> 10.109.16.137.80: fin 1192893176 ack 3520420646

1.138313 172.26.48.21.55742 -> 10.109.16.137.80: syn 3309427492

 

Now we are going to limit the sniffer even more.

We want to sniff traffic between 2 hosts, but only TCP and only port 80.

 

diag sniffer packet wan1 'host 10.109.16.137 and host 172.26.48.21 and tcp port 80' 1 3

interfaces=[wan1]

filters=[host 10.109.16.137 and host 172.26.48.21 and tcp port 80]

2.120582 10.109.16.137.80 -> 172.26.48.21.55816: fin 430415930 ack 3124927915

2.120994 172.26.48.21.55816 -> 10.109.16.137.80: ack 430415931

2.124248 172.26.48.21.55816 -> 10.109.16.137.80: fin 3124927915 ack 430415931

 

A logical "and" is used in this command between 10.109.16.137 and 172.26.48.21 so that only packets containing both these host addresses will be seen. Even if telnet and ssh is running between the two hosts, we only see port 80 TCP traffic.

 

Uncommon scenarios

 

Filters can also be used to display packets based on their content, using hexadecimal byte position.

 

Match TTL = 1

diagnose sniffer packet any "ip[8:1] = 0x01"

 

Match Source IP address = 192.168.1.2:

diagnose sniffer packet wan1 "(ether[26:4]=0xc0a80102)"

 

Match Source MAC = 00:09:0f:89:10:ea

diagnose sniffer packet any "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

 

Match Destination MAC = 00:09:0f:89:10:ea

diagnose sniffer packet any "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

 

Match ARP packets only

diagnose sniffer packet wan1 "ether proto 0x0806"

 

TCP or UDP flags can be addressed using the following:

 

Match packets with RST flag set:

diagnose sniffer packet wan1 "tcp[13] & 4 != 0"

Match packets with SYN flag set:

diagnose sniffer packet wan1 "tcp[13] & 2 != 0"

 

Match packets with SYN-ACK flag set:

# diagnose sniffer packet wan1 "tcp[13] = 18"

 

Match HA heartbeat packets only

# diagnose sniffer packet ha1 "ether proto 0x8890"

more types: https://kb.fortinet.com/kb/documentLink.do?externalID=FD41407

 

Sniffer for VLAN traffic

This is a common scenario, where the VLAN interface is used instead of the interface name in the command line. For example, sniffing the traffic for host 11.11.11.9 in the VLAN interface “vlan206”, the command would be:

 

# diag sniffer packet any "host 11.11.11.9" 4 0

interfaces=[any]

filters=[host 11.11.11.9]

1.774584 vlan206 in 11.11.11.9 -> 11.11.11.1: icmp: echo request

1.774642 vlan206 out 11.11.11.1 -> 11.11.11.9: icmp: echo reply

1.774648 dmz out 11.11.11.1 -> 11.11.11.9: icmp: echo reply

 

# diag sniffer packet vlan206 "host 11.11.11.9" 4 0

interfaces=[vlan206]

filters=[host 11.11.11.9]

0.968800 vlan206 -- 11.11.11.9 -> 11.11.11.1: icmp: echo request

0.968858 vlan206 -- 11.11.11.1 -> 11.11.11.9: icmp: echo reply

1.982626 vlan206 -- 11.11.11.9 -> 11.11.11.1: icmp: echo request

1.982683 vlan206 -- 11.11.11.1 -> 11.11.11.9: icmp: echo reply

 

Note that when the vlan206 interface is used as filter, the underlying physical interface is not shown in the capture.

Also, when capturing the traffic with Verbose 6 (to see the contents of the packet), the VLAN tag is stripped when the filter is run on the vlan interface or “any” interface.

 

To capture the vlan tag in a packet capture, the sniffer must be run on the underlying physical interface. In this situation, the filters can’t be used:

 

# diag sniffer packet dmz none 6 0

interfaces=[dmz]

filters=[none]

pcap_lookupnet: dmz: no IPv4 address assigned

0.981174 dmz -- 802.1Q vlan#206 P0

0x0000   d4be d99c 02f9 085b 0e37 ef37 8100 00ce        .......[.7.7....

0x0010   0800 4500 0040 3f4a 4000 7406 d33f d992        ..E..@?J@.t..?..

0x0020   0488 0b0b 0b09 0050 c131 ab2a 473b 1fb3        .......P.1.*G;..

0x0030   bc14 5018 0401 8da5 0000 1130 1b00 0000        ..P........0....

0x0040   0000 1f00 0000 1c00 0000 1b00 0000 1800        ................

0x0050   0000                                           ..

 
 

Also attached is the fgt2eth.pl script that will convert a verbose level 3 or 6 sniffer output, into a file readable and decodable by Ethereal/Wireshark.

 

The fgt2eth.exe file is also attached to this article, this file is outdated and is not supported but may provide some guidance.

Note: The attached script is provided "as is", it is not supported by Technical Support.

 

Related Articles

Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate wi...

Troubleshooting Tip: Using the FortiGate sniffer on VLAN interfaces

Troubleshooting Tip: Packet capture (CLI sniffer) tips and best practices

Technical Note : How To Troubleshoot Wireless Station Connection Issues on the FortiAP

Technical Note: Packet capture buffer limit