Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DirkDuesentrieb
New Contributor

convert "diag sniffer" to pcap: new tool

Hi,


I created a small program that helps firewall admins to create Wireshark compatible pcap files on diskless Fortigate models. You can find the "fgsniffer" here on GitHub.

It works for me on Windows and Linux, now I need some testers!

Feedback is welcome.

Cheers,


Dirk
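As an added illustration of what such a converter has to do (example code written for this thread, not Dirk's fgsniffer or any of the tools linked here), the script below parses "diagnose sniffer packet ... 6" text and writes a classic pcap. It assumes the level-6 layout shown in the constructed sample (a header line with timestamp, interface and direction, followed by "0xNNNN" hex-dump lines with a tab-separated ASCII column) and treats absolute timestamps as the firewall's local time, so the offset problem mentioned later in the thread can be corrected at conversion time; it also accepts the "--" direction and interface names containing slashes or brackets.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Record header: timestamp (relative seconds, or "YYYY-MM-DD hh:mm:ss.ffffff" with absolute
# timestamps), interface, direction ("in"/"out" for device any, "--" when bound to one port).
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+|\d+\.\d+)\s+"
    r"(?P<ifname>\S+)\s+(?P<dir>in|out|--)\s")  # \S+ also accepts names like port1[0] or x1/2
# Hex line "0x0010<tab> 4500 003c ...<tab>E.<..": lazy match stops before the ASCII column.
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})[ \t]+((?:[0-9a-fA-F]{2,4} ?)+?)(?:\t|  |\s*$)")

def parse_timestamp(text, utc_offset_hours=0):
    """Epoch seconds: absolute stamps are firewall local time shifted by the offset; relative ones stay as-is."""
    if "-" not in text:
        return float(text)  # Wireshark will show 1970 dates, but inter-packet deltas are right
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=tz).timestamp()

def parse_sniffer(text, utc_offset_hours=0):
    """Return [(epoch_seconds, frame_bytes), ...], one entry per record that carried data."""
    records = []  # [timestamp, bytearray] per record, in capture order
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append([parse_timestamp(m["ts"], utc_offset_hours), bytearray()])
            continue
        h = HEX_RE.match(line)
        if h and records and int(h.group(1), 16) == len(records[-1][1]):  # offsets contiguous
            records[-1][1] += bytes.fromhex(h.group(2).replace(" ", ""))
    return [(ts, bytes(buf)) for ts, buf in records if buf]

def to_pcap(packets):
    """Serialise as classic pcap: magic 0xa1b2c3d4, version 2.4, LINKTYPE_ETHERNET (1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        hdr = struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(frame), len(frame))
        out.append(hdr + frame)
    return b"".join(out)

# Constructed sample (not a real capture): absolute-time "--" record, then relative-time port1[0] record.
SAMPLE = """2018-05-04 10:11:12.345678 wan1 -- 10.0.0.2.40000 -> 10.0.0.1.53: udp 12
0x0000\t 0015 5d01 0c02 0050 56a1 b2c3 0800 4500\t..]..P.V.....E.
0x0010\t 0028 0001 0000 4011 0000 0a00 0002 0a00\t.(....@.........
0x0020\t 0001 9c40 0035 0014 0000 dead beef\t...@.5......
1.000123 port1[0] in 10.0.0.1.53 -> 10.0.0.2.40000: udp 2
0x0000\t aabb\t..
2 packets received by filter
"""
```

Writing `to_pcap(parse_sniffer(open("dump_firewall.txt").read(), utc_offset_hours=2))` to a `.pcap` file gives something Wireshark opens directly, with the two-hour shift already applied.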

9 REPLIES
oheigl
Contributor II

Hi Dirk,

I just tried it with a trace I took yesterday, and it doesn't seem to work. There is only one packet (should be 259) and Wireshark tells me that the FCS is incorrect. No other packets are listed.


I appreciate the work you put into this, but why don't you use the compiled version linked in this KB: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30877

Did it not work for you?

Kind regards

DirkDuesentrieb

I tried only the original Perl script, and it produced either empty output or errors depending on the Perl version. The compiled version works (on Windows) and produces a valid pcap file. Still, the times do not take the time zone into account; they are off by two for me.


Can you provide one or two packets of your test capture that didn't match? I think my regex doesn't match because of some little difference. I'd like to fix that.


Cheers,


Dirk

oheigl

Yeah, I usually fix the time zone problem with Wireshark and Time Shift. I sent you a PM; hope the formatting is somewhat correct, otherwise just tell me.

Greetings!

DirkDuesentrieb

Got it, thanks. The interface direction "--" was new to me; it is normally "in" or "out". I fixed another issue with interface names containing slashes or brackets and updated GitHub. I would be happy if you could retest.

oheigl

Yeah, if you define the interface in the sniffer there is no "in" and "out" in the output, only with the device filter set to any.

I tested it again and it now works fine, thanks!

antoniocfc

The attached tool does not work. So I made an alternative. It's a simple pythonic script working like a charm.

Fortigate Dump converter to Wireshark Hexdump

https://github.com/afsec/fgt2wireshark

Requires python >= 2.7

How to use

Get some packets from Fortigate

In this case we're getting 1000 packets

printf "diagnose sniffer packet wan1 none 6 1000" | ssh USER@server.example.org | tee dump_firewall.txt

If you are using vdom

printf "config vdom\nedit root\ndiagnose sniffer packet wan1 none 6 1000" | ssh USER@server.example.org | tee dump_firewall.txt

Converting packets from Fortigate Dump to Wireshark HexDump

1. Open Wireshark
2. Click File
3. Click Import from Hex Dump...
4. Click Browse
5. Choose the file dump_firewall.txt and click Open
6. Click Import

bommi

Since FortiOS 6.0.2 you can use the GUI packet capture on small Fortigates again!

The smaller Fortigates will save the pcap inside a RAM disk, so no convert tools are needed.

NSE 4/5/7

DirkDuesentrieb

Some users were confused by the need to have absolute timestamps in the sniffer output. I created a new version 1.4 that can handle both cases. And there is a compiled version for OSX users.

It's good to hear it will be possible to do pcaps directly on diskless models in the future, but it will take a while until our boxes are running FortiOS 6.

randomcatperson

oheigl wrote:

Hi Dirk,

I just tried it with a trace I took yesterday, and it doesn't seem to work. There is only one packet (should be 259) and Wireshark tells me that the FCS is incorrect. No other packets are listed.

I appreciate the work you put into this, but why don't you use the compiled version linked in this KB: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30877

Did it not work for you?

Kind regards

This worked a treat in July 2021 running from CMD on Windows 10. I pasted the output of a level "6" CLI sniffer run and it went into Wireshark pcap format perfectly. Thanks heaps.