Fortinet Forum
gpinero
New Contributor II

Sniffer using CLI and then convert to wireshark

Hi, I'm using this command

diag sniffer packet any "host x.x.x.x" 6 0 a

to capture some traffic, then convert the text file to pcap using the tool fgt2eth.exe.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD30877

Then... when I'm going to view it in Wireshark, it shows TCP Out-of-Order throughout the capture.

I tried a lot of captures with different destinations and on different firewalls (models 100D, 300D, 500D), same result: a lot of TCP Out-of-Order.

Am I doing something wrong? It's not possible that all my tests had communication errors.

Same result in all my captures from CLI.

1 Solution
Toshi_Esumi
Esteemed Contributor II

If you use "any" for the interface, the same packet will likely show up multiple times in the log, e.g. at the ingress interface and at the egress interface, which Wireshark would see as duplicates or retransmissions. If you want to see the output in Wireshark, specify one interface.

4 REPLIES
emnoc
Esteemed Contributor III

What are you trying to capture: mail, http, https traffic? I would filter in on the specific traffic and then use the convert tool. If you have a FGT model with a disk you can skip all of this and run the webGUI

https://<x.x.x address of fgt>/ng/page/p/firewall/sniffer/

I would have thought a 500D would support this and maybe a 300D

Ken Felix

PCNSE 

NSE 

StrongSwan  


emnoc
Esteemed Contributor III

Yeah, and I noticed all of these were FIN and SYN; I would not worry too much about the start and closing.

Filter in on the port and service

diag sniffer packet port1 "host x.x.x.x and port 24" is much better than "diag sniffer packet any"

Ken Felix

PCNSE 

NSE 

StrongSwan  

gpinero
New Contributor II

toshiesumi wrote:

If you use "any" for the interface, the same packet will likely show up multiple times in the log, e.g. at the ingress interface and at the egress interface, which Wireshark would see as duplicates or retransmissions. If you want to see the output in Wireshark, specify one interface.

Yeah, this is my mistake. Thanks a lot. I need to filter my capture more.

Regards.
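To make the duplication Toshi_Esumi describes visible before the capture ever reaches Wireshark, here is an added example that is not code from this thread, from Fortinet, or from the fgt2eth tool: a small Python parser for verbose-level-6 sniffer text that counts how many times each interface appears, writes a standard pcap, and can keep the frames of a single interface only (the post-hoc equivalent of specifying one interface on the command line). The sniffer text is a constructed sample of one SYN seen entering on port1 and leaving on port2, and the layout it assumes (a header line with timestamp, interface, in/out and summary, followed by 0x-offset hex-dump lines) is an assumption about the format rather than something the thread documents.

```python
import re
import struct
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of "diag sniffer packet any 'host 10.0.0.2' 6 0 a" output.
# The same SYN is seen on port1 (in) and port2 (out); only the MAC addresses and
# the IP TTL (0x40 -> 0x3f) differ, so Wireshark reports it as a retransmission.
SAMPLE = """interfaces=[any]
filters=[host 10.0.0.2]
2024-05-01 10:00:00.000100 port1 in 10.0.0.1.12345 -> 10.0.0.2.80: syn 1
0x0000\t 0009 0f09 0001 0050 56a1 0002 0800 4500\t......PV......E.
0x0010\t 0028 0001 0000 4006 0000 0a00 0001 0a00\t.(....@.........
0x0020\t 0002 3039 0050 0000 0001 0000 0000 5002\t..09.P........P.
0x0030\t 2000 0000 0000\t .....
2024-05-01 10:00:00.000250 port2 out 10.0.0.1.12345 -> 10.0.0.2.80: syn 1
0x0000\t 0050 56a1 0003 0009 0f09 0002 0800 4500\t.PV...........E.
0x0010\t 0028 0001 0000 3f06 0000 0a00 0001 0a00\t.(....?.........
0x0020\t 0002 3039 0050 0000 0001 0000 0000 5002\t..09.P........P.
0x0030\t 2000 0000 0000\t .....
"""

# Assumed header layout: absolute ("a" option) or relative timestamp, interface,
# direction, then the one-line summary printed by the sniffer.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+)\s+"
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<summary>.*)$"
)
# Hex-dump line: offset, then 16-bit groups, then an ASCII column we discard.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<rest>.*)$")


def _parse_ts(text):
    """Absolute timestamps are treated as UTC (assumption); relative ones as-is."""
    if "-" in text:
        dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")
        return dt.replace(tzinfo=timezone.utc).timestamp()
    return float(text)


def parse_sniffer(text):
    """Return a list of frames: ts, iface, dir, summary and raw Ethernet bytes."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": _parse_ts(m.group("ts")), "iface": m.group("iface"),
                       "dir": m.group("dir"), "summary": m.group("summary"),
                       "data": bytearray()}
            packets.append(current)
            continue
        h = HEX_RE.match(line)
        if h and current is not None:
            # The ASCII column is separated by a tab or a run of spaces.
            hex_part = re.split(r"\t|\s{2,}", h.group("rest").strip())[0]
            for tok in hex_part.split():
                if re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                    current["data"] += bytes.fromhex(tok)
    return [dict(p, data=bytes(p["data"])) for p in packets]


def interfaces_seen(packets):
    """How often each interface appears: >1 interface means duplicated frames."""
    return Counter(p["iface"] for p in packets)


def write_pcap(packets, iface=None):
    """Serialise frames as a classic pcap (link type 1 = Ethernet, since verbose
    level 6 includes the Ethernet header); iface=None keeps every frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for p in packets:
        if iface is not None and p["iface"] != iface:
            continue
        sec = int(p["ts"])
        usec = int(round((p["ts"] - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p["data"]), len(p["data"]))
        out += p["data"]
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    print("frames per interface:", dict(interfaces_seen(pkts)))
    with open("port1_only.pcap", "wb") as f:
        f.write(write_pcap(pkts, iface="port1"))
```

Running it on a real "any" capture, the interface counter shows at a glance that each flow is recorded twice (once per interface); writing the pcap with `iface="port1"` keeps one copy of each frame, which is the same remedy as re-running the sniffer with a single interface, just applied after the fact.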