FortiPortal
FortiPortal provides a comprehensive set of security management and analytics within a multi-tenant, multi-tier management framework.
tnesh
Staff & Editor
Article Id 282942

Description

 

This article describes how to capture network packets by running sniffer packets CLI commands in FortiPortal.

 

Scope

 

FortiPortal v7.2.1.

 

Solution

 

  1. Starting with FortiPortal v7.2.1, a built-in CLI packet sniffer is included for debugging purposes.
  2. The sniffer-packet CLI command is used as follows:

 

execute sniffer-packet <port> <filter> <count> <timestamp_format> <verbose>

 

Syntax       Example
port         {port1, port2, port3, port4, any}
filter       {'port 1812', 'port 443 and host 10.10.10.10', 'host google.com', '', ...}
             To filter on a certain port, IP and/or FQDN.
             Enter '' to capture all packets.
count        {10, 15, 100, ...}
             Number of packets to capture.
timestamp    {a, r}
             a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
             r: relative to the start of sniffing, hh:mm:ss.ms
verbose      {1, 2, 3}
             1: print packet header only
             2: print header and data from IP packet
             3: print header and data from Ethernet packets (if available)

 

  3. Sample usage of the sniffer-packet CLI command:
  • Ping to fds1.fortinet.com:

 

execute sniffer-packet any 'icmp and host fds1.fortinet.com' 5 r 1
executing sniffer packet on interface any.
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:00:00.000000 eth0 Out IP 10.0.0.182 > 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com: ICMP echo request, id 12, seq 0, length 64
00:00:00.184213 eth0 In IP 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com > 10.0.0.182: ICMP echo reply, id 12, seq 0, length 64
00:00:01.000105 eth0 Out IP 10.0.0.182 > 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com: ICMP echo request, id 12, seq 1, length 64
00:00:01.184274 eth0 In IP 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com > 10.0.0.182: ICMP echo reply, id 12, seq 1, length 64
00:00:02.000202 eth0 Out IP 10.0.0.182 > 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com: ICMP echo request, id 12, seq 2, length 64
5 packets captured
12 packets received by filter
0 packets dropped by kernel
fortiportal #

 

  • Check the RADIUS server connection via port 1812:

 

execute sniffer-packet port1 'port 1812 and host 10.0.0.244' 5 a 1
executing sniffer packet on interface port1.
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
2023-11-05 05:23:08.293075 IP 10.0.0.182.32667 > 10.0.0.244.1812: RADIUS, Access-Request (1), id: 0x1b length: 48
2023-11-05 05:23:13.294311 IP 10.0.0.182.32667 > 10.0.0.244.1812: RADIUS, Access-Request (1), id: 0x1b length: 48
2023-11-05 05:23:18.295565 IP 10.0.0.182.32667 > 10.0.0.244.1812: RADIUS, Access-Request (1), id: 0x1b length: 48
2023-11-05 05:23:38.158727 IP 10.0.0.182.20752 > 10.0.0.244.1812: RADIUS, Access-Request (1), id: 0x4d length: 48
2023-11-05 05:23:43.170007 IP 10.0.0.182.20752 > 10.0.0.244.1812: RADIUS, Access-Request (1), id: 0x4d length: 48
5 packets captured
6 packets received by filter
0 packets dropped by kernel

 

  • To stop the sniffer, press 'Ctrl+C'; otherwise the sniffer runs forever.
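The two captures above are easier to read once requests are paired with their replies. The Python analyser below is an added example, not code from the article or from FortiPortal: it parses the tcpdump-style lines the sniffer prints, in both the 'any' interface format (which adds an interface name and In/Out direction) and the single-interface format, with either relative ('r') or absolute ('a') timestamps, pairs ICMP echo requests with replies by (id, seq) and RADIUS Access-Requests with responses by client endpoint and request id, and reports round-trip times and unanswered requests. The sample lines are constructed from the article's two captures; the single Access-Accept line is constructed as well (the article's capture shows no reply) so the RADIUS reply-matching path is exercised. Run on the RADIUS capture as printed in the article, it flags id 0x1b as retransmitted twice with no Access-Accept or Access-Reject, which is what an unreachable, filtered, or silently discarding RADIUS server looks like from the FortiPortal side: the capture proves the request left FortiPortal, nothing more.

```python
"""Pair requests with replies in FortiPortal 'execute sniffer-packet' output.

Added example, not code from the article or from FortiPortal. Only the
request/reply pairing is done here; banner lines, the packet counters and
the prompt are skipped.
"""
import re
from datetime import datetime

# Line prefix: 'a' timestamps look like 2023-11-05 05:23:08.293075,
# 'r' timestamps like 00:00:01.184274 (relative to capture start).
_TS = r"(?P<ts>(?:\d{4}-\d{2}-\d{2} )?\d{2}:\d{2}:\d{2}\.\d+)"
# Interface and direction appear only when sniffing on 'any' (LINUX_SLL2).
_IFACE = r"(?:\s+(?P<iface>\S+)\s+(?P<dir>In|Out))?"
_HDR = _TS + _IFACE + r"\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"

_ICMP = re.compile(_HDR + r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+),")
_RADIUS = re.compile(_HDR + r"RADIUS, (?P<kind>[A-Za-z-]+) \((?P<code>\d+)\), id: (?P<id>0x[0-9a-fA-F]+)")


def _parse_ts(ts):
    """Return a datetime for either timestamp format; only differences are used."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if " " in ts else "%H:%M:%S.%f"
    return datetime.strptime(ts, fmt)


def _classify(line):
    """Return (key, is_request, time) for a decoded packet line, else None."""
    line = line.strip()
    m = _ICMP.match(line)
    if m:
        # Echo request and reply share id and seq, so that pair is the key.
        return ("icmp", int(m["id"]), int(m["seq"])), m["kind"] == "request", _parse_ts(m["ts"])
    m = _RADIUS.match(line)
    if m:
        is_req = m["kind"] == "Access-Request"
        # Key by the client endpoint (src of the request, dst of the reply) plus id.
        client = m["src"] if is_req else m["dst"]
        return ("radius", client, int(m["id"], 16)), is_req, _parse_ts(m["ts"])
    return None  # banner, summary counters, prompt, or another protocol


def analyze(lines):
    """Match requests to replies across sniffer output lines.

    Returns {"answered": {key: rtt_seconds}, "unanswered": {key: retransmissions}}.
    """
    pending = {}   # key -> time of the first request seen
    resends = {}   # key -> number of repeated requests with the same key
    answered = {}
    for line in lines:
        parsed = _classify(line)
        if parsed is None:
            continue
        key, is_request, when = parsed
        if is_request:
            if key in pending:
                resends[key] = resends.get(key, 0) + 1
            else:
                pending[key] = when
        elif key in pending:
            answered[key] = (when - pending.pop(key)).total_seconds()
    unanswered = {key: resends.get(key, 0) for key in pending}
    return {"answered": answered, "unanswered": unanswered}


# Sample input constructed from the article's captures (the final Access-Accept
# line is constructed; the article's RADIUS capture shows no reply at all).
ICMP_LINES = [
    "tcpdump: data link type LINUX_SLL2",
    "00:00:00.000000 eth0 Out IP 10.0.0.182 > 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com: ICMP echo request, id 12, seq 0, length 64",
    "00:00:00.184213 eth0 In IP 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com > 10.0.0.182: ICMP echo reply, id 12, seq 0, length 64",
    "00:00:01.000105 eth0 Out IP 10.0.0.182 > 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com: ICMP echo request, id 12, seq 1, length 64",
    "00:00:01.184274 eth0 In IP 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com > 10.0.0.182: ICMP echo reply, id 12, seq 1, length 64",
    "00:00:02.000202 eth0 Out IP 10.0.0.182 > 208.184.237.66.IDIA-292873-ZYO.zip.zayo.com: ICMP echo request, id 12, seq 2, length 64",
    "5 packets captured",
]
RADIUS_LINES = [
    "2023-11-05 05:23:08.293075 IP 10.0.0.182.32667 > 10.0.0.244.1812: RADIUS, Access-Request (1), id: 0x1b length: 48",
    "2023-11-05 05:23:13.294311 IP 10.0.0.182.32667 > 10.0.0.244.1812: RADIUS, Access-Request (1), id: 0x1b length: 48",
    "2023-11-05 05:23:18.295565 IP 10.0.0.182.32667 > 10.0.0.244.1812: RADIUS, Access-Request (1), id: 0x1b length: 48",
    "2023-11-05 05:23:38.158727 IP 10.0.0.182.20752 > 10.0.0.244.1812: RADIUS, Access-Request (1), id: 0x4d length: 48",
    "2023-11-05 05:23:38.160727 IP 10.0.0.244.1812 > 10.0.0.182.20752: RADIUS, Access-Accept (2), id: 0x4d length: 20",
]

if __name__ == "__main__":
    for name, lines in (("icmp", ICMP_LINES), ("radius", RADIUS_LINES)):
        result = analyze(lines)
        for key, rtt in result["answered"].items():
            print(f"{name}: {key} answered in {rtt * 1000:.3f} ms")
        for key, n in result["unanswered"].items():
            print(f"{name}: {key} unanswered after {n} retransmission(s)")
```

Paste the sniffer's output into a file and feed its lines to analyze() to get the same summary for a live capture; with verbose level 1 the header lines above are all the parser needs.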