Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ramesh_M
New Contributor

Need to convert the sniffer traffic to wireshark

Hi Team, I want to see the captured packet in wireshark. Kindly let me know how the sniffer or debug logs can be open in wireshark. Regards/ Ramesh M

Ramesh M Technical Specialist - CCNA(Security), FCNSP, ACE, ASE, ITIL blogs.itzecuriry.in

3 REPLIES 3
netmin
Contributor II

Hi Ramesh, try with the attached tools: http://kb.fortinet.com/kb/documentLink.do?externalId=11186
antoniocfc

netmin wrote:
Hi Ramesh, try with the attached tools: http://kb.fortinet.com/kb/documentLink.do?externalId=11186

The attached tool does not working. So, I made an alternative. It's a simple pythonic script working like a charm.

  Fortigate Dump converter to Wireshark Hexdump

https://github.com/afsec/fgt2wireshark

Requires python >= 2.7

How to use

Get some packets from Fortigate

In this case we're getting 1000 packets

printf "diagnose sniffer packet wan1 none 6 1000" | ssh USER@server.example.org | tee dump_firewall.txt

If you are using vdom

printf "config vdom\nedit root\ndiagnose sniffer packet wan1 none 6 1000" | ssh USER@server.example.org | tee dump_firewall.txt

Converting packets from Fortigate Dump to Wireshark HexDump

[ol]
  • Open Wireshark
  • Click File
  • Click Import from Hex Dump...
  • Click Browse
  • Choose the file dump_firewall.txt and click Open
  • Click Import[/ol]
  • emnoc
    Esteemed Contributor III

    FWIW if your fortgate device has the ability for packet capturing in the WebGUI, just download the pacp. Their' s no need to convert anything and the file format is that of a pcap format MacBook13:~ kfelix$ cd Downloads/ MacBook13:Downloads kfelix$ ls sniffer_1.pcap sniffer_1.pcap MacBook13:Downloads kfelix$ file sniffer_1.pcap sniffer_1.pcap: tcpdump capture file (little-endian) - version 2.4 (Linux " cooked" , capture length 1600) MacBook13:Downloads kfelix$

    PCNSE 

    NSE 

    StrongSwan