FortiSwitch
harshithbn
Staff
Article Id 194305

Description

 

This article describes how to collect sniffer captures on each port of a FortiSwitch.


Scope

 
FortiSwitch v7.x or later.


Solution

 

By default, `diagnose sniffer packet internal` only shows traffic that is destined for the switch's own internal (management) interface, not the traffic being switched through the front-panel ports.

To capture traffic on a specific front-panel port, the following configuration is required:

 

  1. A device must already be connected to the port on which the capture is required.
  2. sFlow packet sampling must be enabled on that same port with the sample rate set to 1, so that every packet (not just a sample) is copied to the switch CPU where the sniffer can see it.
 
Packets in both directions should now be visible with the following command:
 
diagnose sniffer packet sp15

In the above command, 15 is the port number: the sniffer interface spN corresponds to switch port portN.

To configure:
 
config switch interface
    edit port15
        set packet-sampler enabled
        set packet-sample-rate 1
    next
end
 
Note:
This only shows ingress packets on the specified interface. The one exception is ARP: ARP packets are seen in both directions because the internal switch itself processes them.

To verify:
 
diagnose sniffer packet sp15

interfaces=[sp15]
filters=[none]
pcap_lookupnet: sp15: no IPv4 address assigned
1.800889 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.809597 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.817482 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.832318 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.885622 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.933504 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.986039 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.038536 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.092202 802.1Q vlan#1 P0 -- arp reply 10.33.183.69 is-at 0:c:e6:a:be:2e
2.095384 802.1Q vlan#1 P0 -- arp who-has 10.33.183.65 tell 10.33.183.69
2.103995 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 33
2.389462 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 50
2.391457 802.1Q vlan#1 P0 -- Ether type 0x4003 printer havn't been added to sniffer.
^C
14 packets received by filter
0 packets dropped by kernel
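The capture above is plain text, and on a busy port it quickly becomes too long to read line by line. As an added example (it is not part of the Fortinet article, and the sample input below is a constructed copy of the article's output, not live switch data), the following Python script parses the `diagnose sniffer packet spN` line format into records, summarises the flows, and pulls out the two things visible in this capture that a first-pass triage cares about: gratuitous ARP announcements (`who-has X tell X`) and DHCP client traffic from an address-less host. It also compares the number of lines it parsed against the `packets received by filter` trailer so that a truncated or unrecognised line does not go unnoticed.

```python
import re
from collections import Counter

# Constructed sample input (not live switch output): the packet lines mirror the
# shape of the 'diagnose sniffer packet sp15' output shown in the article.
SAMPLE_OUTPUT = """\
interfaces=[sp15]
filters=[none]
pcap_lookupnet: sp15: no IPv4 address assigned
1.800889 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.809597 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.817482 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.832318 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.885622 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.933504 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.986039 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.038536 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.092202 802.1Q vlan#1 P0 -- arp reply 10.33.183.69 is-at 0:c:e6:a:be:2e
2.095384 802.1Q vlan#1 P0 -- arp who-has 10.33.183.65 tell 10.33.183.69
2.103995 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 33
2.389462 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 50
2.391457 802.1Q vlan#1 P0 -- Ether type 0x4003 printer havn't been added to sniffer.
^C
14 packets received by filter
0 packets dropped by kernel
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One packet line: "<seconds> 802.1Q vlan#<id> P<prio> -- <decoded body>"
PKT_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+802\.1Q vlan#(?P<vlan>\d+)\s+P(?P<prio>\d+)\s+--\s+(?P<body>.+)$")
# IPv4 body: "<src>.<sport> -> <dst>.<dport>: <proto> <length>"
IP_RE = re.compile(rf"^(?P<src>{IPV4})\.(?P<sport>\d+) -> (?P<dst>{IPV4})\.(?P<dport>\d+): (?P<proto>\w+) (?P<length>\d+)$")
# ARP request, with or without the bracketed target MAC the sniffer sometimes prints
ARP_REQ_RE = re.compile(rf"^arp who-has (?P<target>{IPV4})(?: \([^)]*\))? tell (?P<sender>{IPV4})$")
ARP_REPLY_RE = re.compile(rf"^arp reply (?P<ip>{IPV4}) is-at (?P<mac>[0-9a-fA-F:]+)$")
TRAILER_RE = re.compile(r"^(?P<count>\d+) packets received by filter$")


def parse_sniffer(text):
    """Return (records, received): one dict per decoded packet line, plus the
    count printed in the 'packets received by filter' trailer (None if absent)."""
    records, received = [], None
    for raw in text.splitlines():
        line = raw.strip()
        trailer = TRAILER_RE.match(line)
        if trailer:
            received = int(trailer.group("count"))
            continue
        m = PKT_RE.match(line)
        if not m:
            continue  # header lines, ^C and the kernel-drop trailer
        body = m.group("body")
        rec = {"ts": float(m.group("ts")), "vlan": int(m.group("vlan")), "kind": "other", "body": body}
        ip, req, rep = IP_RE.match(body), ARP_REQ_RE.match(body), ARP_REPLY_RE.match(body)
        if ip:
            rec.update(kind="ip", src=ip.group("src"), sport=int(ip.group("sport")),
                       dst=ip.group("dst"), dport=int(ip.group("dport")),
                       proto=ip.group("proto"), length=int(ip.group("length")))
        elif req:
            rec.update(kind="arp-request", target=req.group("target"), sender=req.group("sender"))
        elif rep:
            rec.update(kind="arp-reply", ip=rep.group("ip"), mac=rep.group("mac"))
        records.append(rec)
    return records, received


def summarize(records, received=None):
    """Aggregate a parsed capture into the figures a first-pass triage wants."""
    kinds = Counter(r["kind"] for r in records)
    flows = Counter(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {r['proto']}"
                    for r in records if r["kind"] == "ip")
    # Gratuitous ARP: a host announcing its own address ("who-has X tell X").
    gratuitous_arp = sum(1 for r in records
                         if r["kind"] == "arp-request" and r["sender"] == r["target"])
    # DHCP client traffic from a host that has no address yet (0.0.0.0:68 -> :67).
    dhcp_client = sum(1 for r in records
                      if r["kind"] == "ip" and r["src"] == "0.0.0.0" and r["dport"] == 67)
    ip_to_mac = {r["ip"]: r["mac"] for r in records if r["kind"] == "arp-reply"}
    return {
        "parsed": len(records),
        "received": received,
        # False when the trailer count and the parsed lines disagree (truncated output).
        "complete": received is None or received == len(records),
        "kinds": dict(kinds),
        "top_flows": flows.most_common(5),
        "gratuitous_arp": gratuitous_arp,
        "dhcp_client": dhcp_client,
        "ip_to_mac": ip_to_mac,
    }


if __name__ == "__main__":
    recs, n = parse_sniffer(SAMPLE_OUTPUT)
    for key, value in summarize(recs, n).items():
        print(f"{key}: {value}")
```

Run against a saved capture (`python3 parse_sniffer.py < capture.txt` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`), the `ip_to_mac` table gives a quick check that the addresses seen on the port match what is expected there, and a burst of gratuitous ARP from an address the switch did not previously know is worth a second look. Because a sample rate of 1 copies every packet on the port to the switch CPU, revert the packet-sampler setting on the port once the capture is finished.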