FortiProxy
abarushka
Staff
Article Id 334313
Description: This article describes how to sniff traffic on FortiProxy.
Scope: FortiProxy.
Solution

There are two ways to sniff traffic on FortiProxy: from the GUI or from the CLI.


GUI:

Navigate to Network -> Diagnostics, select the interface, apply filters if necessary, and click the Start Capture button:

[Screenshot: sniffer.JPG, the GUI packet capture page]


CLI:

Syntax of the command:

diagnose sniffer packet <interface> <'filter'> <verbosity> <count> <timestamps>


interface - the interface to sniff on, or "any" to sniff on all interfaces
filter - restricts the capture to a particular host, port, etc.
verbosity - how much information is collected per packet (the higher the number, the more information is collected)
count - how many packets to capture ("0" - unlimited)
timestamps - absolute UTC time ("a") or absolute local time ("l")

To stop the sniffer after use, press Ctrl + C; otherwise, it runs indefinitely.

For instance, the command diagnose sniffer packet any 'port 443' 6 0 a sniffs an unlimited number of packets on all interfaces, filtered on port 443, with verbosity 6 and absolute UTC timestamps.


Limitation:
When FortiProxy receives too many packets, the CLI sniffer can miss segments, so the resulting capture shows many packets labeled 'TCP ACKed unseen segment' or 'TCP Previous segment not captured'; the GUI packet capture does not show this behavior.
The CLI sniffer and the GUI packet capture use two different mechanisms (sniffer parameters, sniffer output rate, and performance optimization techniques), and this difference introduces the limitation in packet processing.


Related article:

Technical Tip: FortiProxy debug flow