Help
FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
harshithbn
Staff
Staff

Created on ‎09-11-2017 03:57 AM Edited on ‎04-06-2022 11:24 AM By Anonymous

Article Id 194305

Technical Note: How to collect sniffer captures in each port in FortiSwitch

Description

This article explains how to collect sniffer captures on each port of a Fortiswitch.


Scope

FortiSwitch v3.x or later.


Solution

By default, diag sniffer on internal will only show traffic going to the internal port.

In order to get the sniffer information on each port the following configuration is required:

1) A device should already be connected on the particular port where the sniffer information is required.

2) sflow should be enabled on the same port along with sample-rate set to 1.
 
Packets should now be seen in both directions by using the command

"diagnose sniffer packet sp15"

where 15 is the port number.

To configure
S448DP3X16xxxxxx # config switch interface
S448DP3X16xxxxxx (interface) # edit port15
S448DP3X16xxxxxx (port15) # set sflow-sampler enabled
S448DP3X16xxxxxx (port15) # set sample-rate 1
S448DP3X16xxxxxx (port15) # next
S448DP3X16xxxxxx (interface) # end
S448DP3X16xxxxxx #

To verify
S448DP3X16xxxxxx # diagnose sniffer packet sp15

interfaces=[sp15]
filters=[none]
pcap_lookupnet: sp15: no IPv4 address assigned
1.800889 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.809597 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.817482 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.832318 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.885622 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.933504 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.986039 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.038536 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.092202 802.1Q vlan#1 P0 -- arp reply 10.33.183.69 is-at 0:c:e6:a:be:2e
2.095384 802.1Q vlan#1 P0 -- arp who-has 10.33.183.65 tell 10.33.183.69
2.103995 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 33
2.389462 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 50
2.391457 802.1Q vlan#1 P0 -- Ether type 0x4003 printer havn't been added to sniffer.
^C
14 packets received by filter
0 packets dropped by kernel



 

 

7811
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.