Created on 10-09-2023 08:55 AM
Edited on 08-06-2024 03:16 AM
By Jean-Philippe_P
Description
The article describes how to write packets collected through tcpdump to a .pcap file that can later be shared with Fortinet Support to investigate specific issues.
Scope
FortiNAC-F.
Solution
- In the following example, the goal is to run a packet capture on the isolation interface and collect all traffic to and from a specific isolated host.
In the FortiNAC-F CLI, enter the following:
execute tcpdump -i any host 192.168.10.1 -w Testfile.pcap
- The packets are written to a file called Testfile.pcap.
- Files written with -w are automatically saved under /home/admin/, so the capture above is stored as /home/admin/Testfile.pcap.
After recreating the issue, stop tcpdump at any time with Ctrl+C. The capture is then closed and stored in the file specified with the -w option.
- From the FortiNAC-F shell, SCP can be used to transfer Testfile.pcap to a directory on the local or a remote host as follows:
execute enter-shell
scp /home/admin/Testfile.pcap user@IP_of_destination:/Location_Folder
For example, assume the file must be transferred to the local host, which is a Linux host with the IP 192.168.10.1, logging in to that host with the 'admin' account and saving the PCAP file in the directory /home/user1/Documents.
Note: write permission on the destination directory of the remote host is required to transfer the file.
In this example, the commands would be as follows:
execute enter-shell
scp /home/admin/Testfile.pcap admin@192.168.10.1:/home/user1/Documents
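The following POSIX shell functions are an added example and are not part of this article or of FortiNAC-F itself. They show a check a practitioner would run on the capture file before handing it to Support: confirm that the file written by "execute tcpdump ... -w" really is a pcap/pcapng file, that it contains at least one packet record (a classic pcap whose filter matched nothing is exactly 24 bytes), and record its SHA-256 so the receiving side can confirm the scp copy is intact. The file path, the scp destination and the sample capture built by make_sample_pcap are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): validate a tcpdump capture
# file before transferring it with scp, and record its SHA-256 for the ticket.
# Assumes the capture was written with "execute tcpdump ... -w <file>" into
# /home/admin/ as the article shows; paths and destinations are placeholders.

# capture_format FILE: print the capture format derived from the 4-byte magic.
# Returns 1 for anything that is not a pcap/pcapng file.
capture_format() {
    magic=$(od -An -tx1 -N 4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) echo "pcap (little-endian)" ;;
        a1b2c3d4|a1b23c4d) echo "pcap (big-endian)" ;;
        0a0d0d0a)          echo "pcapng" ;;
        *)                 echo "unknown ($magic)"; return 1 ;;
    esac
}

# check_capture FILE: format and size sanity checks. Returns 0 when the file
# is a capture holding at least one packet record, 1 otherwise. A classic pcap
# global header is 24 bytes, so a 24-byte file means the filter matched nothing.
check_capture() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    fmt=$(capture_format "$f") || { echo "$f: not a capture file" >&2; return 1; }
    size=$(wc -c < "$f")
    if [ "$size" -le 24 ]; then
        echo "$f: $fmt but no packet records (size $size bytes)" >&2
        return 1
    fi
    echo "$f: $fmt, $size bytes"
}

# capture_digest FILE: SHA-256 of the file, to quote in the support ticket so
# Support can verify the copy they received.
capture_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# send_capture FILE USER@HOST:DIR: validate, print the digest, then copy the
# file with scp exactly as the article does from the FortiNAC-F shell.
send_capture() {
    check_capture "$1" || return 1
    echo "sha256: $(capture_digest "$1")"
    scp "$1" "$2"
}

# make_sample_pcap FILE: write a constructed little-endian pcap (global header,
# linktype 1 = Ethernet) with one 14-byte packet record, so the checks above
# can be exercised offline without a real capture.
make_sample_pcap() {
    {
        printf '\324\303\262\241'          # magic 0xa1b2c3d4, little-endian
        printf '\002\000\004\000'          # version 2.4
        printf '\000\000\000\000'          # thiszone
        printf '\000\000\000\000'          # sigfigs
        printf '\377\377\000\000'          # snaplen 65535
        printf '\001\000\000\000'          # linktype 1 (Ethernet)
        printf '\000\000\000\000'          # ts_sec
        printf '\000\000\000\000'          # ts_usec
        printf '\016\000\000\000'          # incl_len 14
        printf '\016\000\000\000'          # orig_len 14
        printf '\377\377\377\377\377\377'  # dst MAC (broadcast)
        printf '\002\000\000\000\000\001'  # src MAC (constructed)
        printf '\010\000'                  # EtherType IPv4
    } > "$1"
}

# Stand-alone demo on a constructed file: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    make_sample_pcap /tmp/sample.pcap
    check_capture /tmp/sample.pcap
    capture_digest /tmp/sample.pcap
fi
```

On FortiNAC-F the functions would run from the shell reached with "execute enter-shell"; send_capture takes the same user@host:directory argument as the scp command in the article, and the digest it prints is what to paste into the ticket alongside the file.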
The different options available for the tcpdump command are explained in the FortiNAC-F CLI reference.
Related articles:
- Technical-Tip-Useful-CLI-commands-in-FortiNAC-OS.
- Technical-Tip-FileTransfer-with-TFTP-for-FortiNAC-F.