FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Sx11
Staff
Article Id 278061
Description

 

The article describes how to write packets collected through tcpdump to a .pcap file that can later be shared with Fortinet Support to investigate specific issues.

 

Scope

 

FortiNAC-F.

 

Solution

 

  1. In the following example, the goal is to run a packet capture on the isolation interface to collect all traffic for a specific isolated host.

In the FortiNAC-F CLI, enter the following:

 

execute tcpdump -i any host 192.168.10.1 -w Testfile.pcap

 

  • The packets will be written to a file called Testfile.pcap.
  • The Testfile.pcap file will be saved in the following path: /home/admin/.
  • Any file that packets are written to with -w is automatically saved in the /home/admin/ path.

 

After recreating the issue, stop the tcpdump at any time with Ctrl+C. At that point, the capture will be closed and stored in the filename specified with the -w option.

 

  2. Entering the shell in FortiNAC-F makes it possible to use the SCP protocol to transfer Testfile.pcap to a path on the local or remote host, as follows:

 

execute enter-shell
scp /home/admin/Testfile.pcap user@IP_of_destination:/Location_Folder

 

For example, assume the file must be transferred to the local host, which is a Linux host with the IP 192.168.10.1. The user should log in to this host with the 'admin' account. The directory in which to save the PCAP file is /home/user1/Documents.

NOTE: WRITE permissions are necessary on the remote host in order to transfer the file.

 

In this example, the command would be as follows:

 

execute enter-shell

scp /home/admin/Testfile.pcap admin@192.168.10.1:/home/user1/Documents

 

The different options available for the tcpdump command are explained in the FortiNAC-F CLI reference.
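
A sanity check to run on the destination host after the SCP transfer and before the capture is shared, added here as an example that is not part of the original article or any Fortinet tooling: it confirms the file is a classic pcap, reports the link type (a capture taken with -i any uses a Linux cooked type), counts complete packet records, flags a truncated tail, and returns a SHA-256 that can be compared with the hash of the file on FortiNAC-F. It assumes tcpdump wrote the classic pcap format rather than pcapng; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct
import sys

# Classic pcap magic bytes -> struct byte-order prefix (microsecond and nanosecond variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
# Link types libpcap uses for the "any" pseudo-interface (Linux cooked capture v1/v2).
COOKED = {113: "LINUX_SLL", 276: "LINUX_SLL2"}


def check_pcap(data: bytes) -> dict:
    """Validate a classic pcap byte string; return packet count, truncation flag, hash."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (bad or missing global header)")
    order = MAGICS[data[:4]]
    # Global header after the magic: version, timezone, sigfigs, snaplen, link type.
    major, minor, _, _, snaplen, network = struct.unpack(order + "HHiIII", data[4:24])
    offset, packets, truncated = 24, 0, False
    while offset < len(data):
        # Each record: 16-byte header (ts_sec, ts_frac, incl_len, orig_len) + incl_len bytes.
        if offset + 16 > len(data):
            truncated = True
            break
        incl_len = struct.unpack(order + "I", data[offset + 8:offset + 12])[0]
        if offset + 16 + incl_len > len(data):
            truncated = True
            break
        offset += 16 + incl_len
        packets += 1
    linktype = network & 0xFFFF
    return {"version": f"{major}.{minor}", "snaplen": snaplen,
            "linktype": COOKED.get(linktype, str(linktype)),
            "packets": packets, "truncated": truncated,
            "sha256": hashlib.sha256(data).hexdigest()}


def build_sample() -> bytes:
    """Constructed two-packet capture with a LINUX_SLL link type (not real traffic)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 113)
    payload = bytes(20)
    record = struct.pack("<IIII", 1700000000, 0, len(payload), len(payload)) + payload
    return header + record + record


if __name__ == "__main__":
    # Pass the path of the transferred file, or run without arguments for the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(check_pcap(raw))
```

A result with truncated set to True, or a SHA-256 that differs from the one computed on the source file, means the copy is incomplete and the transfer should be repeated.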