FortiSandbox
FortiSandbox provides a solution to protect against advanced threats and ransomware for companies who don’t want to implement and maintain a sandbox environment on their own.
mibekwe
Staff
Article Id 192790

Description

This article describes the steps for packet capture on the FortiSandbox.

Scope

FortiSandbox v3.X, v4.X and v5.X.


Solution

FortiSandbox supports the standard 'tcpdump' command:

> tcpdump -ni port1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:26:23.890308 IP 172.27.14.200.22 > 172.27.2.191.58012: Flags [P.], seq 662919284:662919480, ack 1552586983, win 356, options [nop,nop,TS val 277298891 ecr 1651858921], length 196
17:26:23.890555 IP 172.27.14.200.22 > 172.27.2.191.58012: Flags [P.], seq 196:424, ack 1, win 356, options [nop,nop,TS val 277298891 ecr 1651858921], length 228
[...]
247 packets captured
247 packets received by filter
0 packets dropped by kernel


It also supports the same filters as a FortiGate:

> tcpdump -ni port1 port 443 and host 172.27.2.191
listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:29:18.873079 IP 172.27.2.191.58039 > 172.27.14.200.443: Flags [SEW], seq 3581522529, win 65535, options [mss 1358,nop,wscale 5,nop,nop,TS

To get output that the eth2pcap tool can convert into a pcap file, additional parameters are needed: -XX prints each packet as hex and ASCII including the link-level header, -e prints the link-level header on the summary line, -s0 captures the full packet instead of truncating it, and -tt prints raw epoch timestamps.

> tcpdump -ni port1 -XXe -s0 -tt ...

An example with the parameters required by the eth2pcap tool:

> tcpdump -XXe -s0 -tt -ni port1 port 443 and host 172.27.2.191
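The parameters above produce a text dump that a converter turns back into a binary pcap file. The following Python script is an added example written for this article; it is not Fortinet's eth2pcap tool and its input format is simply the standard tcpdump -XXe -tt layout (an epoch timestamp and "length N:" on the summary line, then 16 bytes of hex per line). It is fed a constructed single-packet capture of the SYN from the example above (MAC addresses and timestamp are made up) and writes a classic pcap file. It refuses input that lacks -tt timestamps, and it records the on-wire length from -e separately from the bytes actually dumped, which is how a capture taken without -s0 shows up as truncated frames.

```python
"""Convert 'tcpdump -XXe -s0 -tt' text output into a classic pcap file (added example)."""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1     # -XX dumps from the Ethernet header onward
PCAP_SNAPLEN = 262144     # the "capture size 262144 bytes" tcpdump reports on FortiSandbox

# With -tt the summary line starts with an epoch timestamp; with -e it carries
# "length N:" (the on-wire frame length). The length part is optional so that
# output taken without -e still parses, falling back to the dumped byte count.
HEADER_RE = re.compile(r"^(\d+)\.(\d+) (?:.*?\blength (\d+):)?")
# Clock-style timestamps mean -tt was forgotten; pcap needs epoch seconds.
CLOCK_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# Hex dump lines: "\t0x0010:  0028 1234 4000 4006 bede ac1b 02bf ac1b  .(.4@.@........."
# Hex groups are 4 digits separated by one space; at least two spaces precede
# the ASCII column, so the regex stops before ASCII that happens to look hexadecimal.
HEX_RE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4} )*[0-9a-fA-F]{2,4})(?:\s|$)")

# Constructed sample: one TCP SYN, 172.27.2.191:58039 -> 172.27.14.200:443, 54 bytes,
# with valid IP and TCP checksums. MACs and the timestamp are invented for the example.
SAMPLE_TCPDUMP_OUTPUT = """\
1700000000.123456 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 54: 172.27.2.191.58039 > 172.27.14.200.443: Flags [S], seq 3581522529, win 65535, length 0
\t0x0000:  0011 2233 4455 6677 8899 aabb 0800 4500  .."3DUfw......E.
\t0x0010:  0028 1234 4000 4006 bede ac1b 02bf ac1b  .(.4@.@.........
\t0x0020:  0ec8 e2b7 01bb d579 b261 0000 0000 5002  .......y.a....P.
\t0x0030:  ffff d9d6 0000                           ......
"""


def parse_tcpdump_xx(text):
    """Return a list of (ts_sec, ts_usec, orig_len, frame_bytes) from tcpdump -XX[e] -tt text."""
    packets = []
    current = None

    def flush():
        if current is not None:
            frame = bytes.fromhex("".join(current["hex"]))
            orig_len = current["orig_len"] if current["orig_len"] is not None else len(frame)
            packets.append((current["sec"], current["usec"], orig_len, frame))

    for line in text.splitlines():
        if CLOCK_RE.match(line):
            raise ValueError("clock-style timestamp found; re-run tcpdump with -tt for epoch timestamps")
        m = HEADER_RE.match(line)
        if m:
            flush()
            frac = m.group(2)
            current = {
                "sec": int(m.group(1)),
                "usec": int(frac.ljust(6, "0")[:6]),   # normalise fraction to microseconds
                "orig_len": int(m.group(3)) if m.group(3) else None,
                "hex": [],
            }
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            current["hex"].append(m.group(1).replace(" ", ""))
    flush()
    return packets


def truncated_frames(packets):
    """Packets whose dumped bytes are fewer than the on-wire length (capture taken without -s0)."""
    return [p for p in packets if len(p[3]) < p[2]]


def build_pcap(packets):
    """Serialise packets as classic pcap: 24-byte global header, then 16-byte record headers."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, PCAP_SNAPLEN, LINKTYPE_ETHERNET))
    for sec, usec, orig_len, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), orig_len)  # incl_len vs orig_len
        out += frame
    return bytes(out)


def convert(text, path):
    """Parse tcpdump text, write a pcap file, and return the number of packets written."""
    packets = parse_tcpdump_xx(text)
    if truncated_frames(packets):
        print("warning: some frames are shorter than their on-wire length; capture with -s0")
    with open(path, "wb") as fh:
        fh.write(build_pcap(packets))
    return len(packets)


if __name__ == "__main__":
    count = convert(SAMPLE_TCPDUMP_OUTPUT, "sample.pcap")
    print(f"wrote {count} packet(s) to sample.pcap")
```

Running the script writes sample.pcap, which opens in Wireshark as a single Ethernet/IPv4/TCP SYN frame. To convert a real capture, paste the FortiSandbox console output into a file and call convert() on its contents; a warning about truncated frames is the sign that -s0 was missing from the tcpdump command.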