harshithbn
Staff

Description

This article explains how to collect sniffer captures on each port of a Fortiswitch.


Scope

FortiSwitch v3.x or later.


Solution

By default, running the sniffer on the internal interface ("diagnose sniffer packet internal") only shows traffic going to the internal port itself, not traffic passing through the other switch ports.

To capture traffic on an individual port, the following configuration is required:

1) A device must already be connected to the port on which the capture is required.

2) sFlow must be enabled on that same port with the sample rate set to 1, so that every packet, not just a sample, is copied to the sniffer.

Packets in both directions can then be seen with the command

"diagnose sniffer packet sp15"

where sp15 is the sniffer interface corresponding to port15 (replace 15 with the port number).

To configure


S448DP3X16xxxxxx # config switch interface
S448DP3X16xxxxxx (interface) # edit port15
S448DP3X16xxxxxx (port15) # set sflow-sampler enabled
S448DP3X16xxxxxx (port15) # set sample-rate 1
S448DP3X16xxxxxx (port15) # next
S448DP3X16xxxxxx (interface) # end
S448DP3X16xxxxxx #

To verify


S448DP3X16xxxxxx # diagnose sniffer packet sp15

interfaces=[sp15]
filters=[none]
pcap_lookupnet: sp15: no IPv4 address assigned
1.800889 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.809597 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.817482 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.832318 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.885622 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.933504 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.986039 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.038536 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.092202 802.1Q vlan#1 P0 -- arp reply 10.33.183.69 is-at 0:c:e6:a:be:2e
2.095384 802.1Q vlan#1 P0 -- arp who-has 10.33.183.65 tell 10.33.183.69
2.103995 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 33
2.389462 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 50
2.391457 802.1Q vlan#1 P0 -- Ether type 0x4003 printer havn't been added to sniffer.
^C
14 packets received by filter
0 packets dropped by kernel
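To triage a capture like the one above offline, the following is an added example (not part of this article or of Fortinet's tooling) that parses lines in the format printed by "diagnose sniffer packet spN", counts packet kinds, and flags what a freshly attached host typically shows: DHCP requests from an unconfigured address and ARP probes where sender and target are the same host. The sample input is constructed from the capture shown in this article.

```python
import re
from collections import Counter

# Constructed sample input: lines in the format printed by "diagnose sniffer packet spN",
# copied from the capture shown in this article.
SAMPLE = """\
1.800889 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.832318 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.092202 802.1Q vlan#1 P0 -- arp reply 10.33.183.69 is-at 0:c:e6:a:be:2e
2.095384 802.1Q vlan#1 P0 -- arp who-has 10.33.183.65 tell 10.33.183.69
2.103995 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 33
2.391457 802.1Q vlan#1 P0 -- Ether type 0x4003 printer havn't been added to sniffer.
"""

# One line = timestamp, 802.1Q tag (VLAN id, priority), then a protocol-specific body.
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) 802\.1Q vlan#(?P<vlan>\d+) P(?P<prio>\d) -- (?P<body>.*)$")
IP_RE = re.compile(r"^(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                   r"(?P<proto>\w+) (?P<len>\d+)$")
ARP_RE = re.compile(r"^arp (?:who-has (?P<target>\S+)(?: \(\S+\))? tell (?P<sender>\S+)"
                    r"|reply (?P<ip>\S+) is-at (?P<mac>\S+))$")

def parse_line(line):
    """Return a dict describing one sniffer line, or None for non-packet lines (headers, ^C, counters)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "vlan": int(m["vlan"]), "kind": "other", "body": m["body"]}
    ip, arp = IP_RE.match(m["body"]), ARP_RE.match(m["body"])
    if ip:
        rec.update(kind="ip", src=ip["src"], sport=int(ip["sport"]), dst=ip["dst"],
                   dport=int(ip["dport"]), proto=ip["proto"], length=int(ip["len"]))
    elif arp:
        rec.update(kind="arp", **{k: v for k, v in arp.groupdict().items() if v})
    return rec

def summarize(text):
    """Count packet kinds; flag DHCP client requests from 0.0.0.0 and ARP probes where sender == target."""
    kinds, probes, dhcp = Counter(), set(), 0
    for rec in filter(None, map(parse_line, text.splitlines())):
        kinds[rec["kind"]] += 1
        if rec["kind"] == "ip" and rec["src"] == "0.0.0.0" and (rec["sport"], rec["dport"]) == (68, 67):
            dhcp += 1
        if rec["kind"] == "arp" and rec.get("target") and rec["target"] == rec["sender"]:
            probes.add(rec["sender"])
    return {"kinds": dict(kinds), "dhcp_requests": dhcp, "arp_self_probes": sorted(probes)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feed it the saved output of the sniffer command (for example via a terminal log) instead of SAMPLE to summarize a real per-port capture.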