Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kaplan
Contributor

diag sniffer packet

Dear people, can somebody explain the marked bold places to me:
2021-12-22 11:44:37.472461 VPN-TU -- 10.99.19.12 -> 10.15.12.1: icmp: echo request
2021-12-22 11:44:37.504576 VPN-TU -- 10.15.12.1 -> 10.99.19.12: icmp: echo reply
2021-12-22 11:44:37.508988 VPN-TU -- 10.15.12.83.40820 -> 192.168.40.53: udp 29

2021-12-22 08:53:50.466435 VPN-TU -- 10.15.12.83.52751 -> 10.15.12.109.9100: syn 638097597

I will analyze the traffic over the tunnel to reduce the traffic to the necessary ports in the policies.

So I am not sure what it means exactly, and which policies are necessary to get a hit on the right policy.

Thanx a lot!

Debbie_FTNT
Staff

Hey Kaplan,

regarding your questions on diag sniffer:

10.99.19.12 -> 10.15.12.1: icmp: echo request

This means that IP 10.99.19.12 sent an ICMP packet to 10.15.12.1; echo request clarifies that this is a ping query (the echo response in the next line is the ping reply).

10.15.12.83.40820 -> 192.168.40.53: udp 29

This means that IP 10.15.12.83 with source port 40820 contacted IP 192.168.40 on port 53 using protocol UDP, and the packet contained 29 bytes. UDP port 53 is usually DNS traffic.

10.15.12.83.52751 -> 10.15.12.109.9100: syn 638097597

This means that IP 10.15.12.83 with source port 52751 contacted IP 10.15.12.109 on destination port 9100; this is a TCP SYN packet, the first packet in establishing a TCP connection; 638097597 is the sequence number (to keep track of which packets belong to which TCP session). TCP 9100 is not a standard port, so we can't say what kind of communication beyond basic TCP is happening, but to my knowledge several printer companies (like HP) use that port for various purposes.

I hope this helps!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Kaplan

Dear Debbie_FTNT,

You explained it very well. I had a problem with the extension

192.168.40.53: "udp 29".

I thought it belonged to UDP port 29. That's enough to build policies.

Thanx again

Kaplan
Contributor

I have more questions about the sniffer:

How must I handle packets like ack, syn, fin?

Do these packets need a policy?

What's the meaning of "rst"?

192.168.5.40.48796: rst 2967809621 ack 1780979467

Debbie_FTNT

Hey Kaplan,

ack, syn and fin are specific TCP packets, acknowledging connections, initiating connections and finishing connections, essentially. A rough overview of TCP: https://www.fortinet.com/resources/cyberglossary/tcp-ip
Those packets do not need a separate policy. A policy looks at source and destination IP and port, essentially, and doesn't care about the specific packet type (SYN, ACK or FIN).

A RST packet is a Reset packet, meaning either side of the connection sent a reset to drop the connection. This is not something the FortiGate caused; this is something going through the FortiGate from either side to the other, and the reasons for the RST packet are usually found on either side of the connection, not on the FortiGate in the middle.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Toshi_Esumi
Esteemed Contributor II

A policy allows the creation of a "session" when the first packet arrives in that direction, in the case of TCP a "syn". Then the session covers all subsequent packets in both directions related to the session.

Toshi

Kaplan

Thanx for all the answers.

I understand:
if there is a "syn" packet, for example with port 5555, there must be a policy. Otherwise this session cannot be created in the FG, or?

Toshi_Esumi
Esteemed Contributor II

Look, you have many users browsing the internet with TCP 443 or 80 through the same FW. That works because the sessions include other information like source/destination IP, etc., not only the destination port.
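The two points made in this thread, that a line such as `10.15.12.83.40820 -> 192.168.40.53.53: udp 29` ends in the IP.port of each side followed by the UDP payload length (not a port), and that only the session-opening packet (the bare TCP SYN, an ICMP echo request, the first UDP packet) is what a policy is matched against, can be put into a small parser for this sniffer output. The code below is an added example, not from the thread or from Fortinet; it assumes the layout shown in the posts (timestamp, interface, `src -> dst: detail`) and that a dotted token with five components is IP.port. The sample lines are constructed and go a little beyond the thread by including the SYN/ACK, ACK, FIN and RST packets of the same TCP flow, so the filter has something to discard.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the "diag sniffer packet" layout discussed above; not real traffic.
SAMPLE = """\
2021-12-22 11:44:37.472461 VPN-TU -- 10.99.19.12 -> 10.15.12.1: icmp: echo request
2021-12-22 11:44:37.504576 VPN-TU -- 10.15.12.1 -> 10.99.19.12: icmp: echo reply
2021-12-22 11:44:37.508988 VPN-TU -- 10.15.12.83.40820 -> 192.168.40.53.53: udp 29
2021-12-22 08:53:50.466435 VPN-TU -- 10.15.12.83.52751 -> 10.15.12.109.9100: syn 638097597
2021-12-22 08:53:50.470000 VPN-TU -- 10.15.12.109.9100 -> 10.15.12.83.52751: syn 1780979466 ack 638097598
2021-12-22 08:53:50.471000 VPN-TU -- 10.15.12.83.52751 -> 10.15.12.109.9100: ack 1780979467
2021-12-22 08:53:51.000000 VPN-TU -- 10.15.12.83.52751 -> 10.15.12.109.9100: fin 638097700 ack 1780979467
2021-12-22 08:53:52.000000 VPN-TU -- 192.168.5.40.48796 -> 10.15.12.83.52752: rst 2967809621 ack 1780979467
"""

# timestamp, interface, "src -> dst:", then the protocol detail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<intf>\S+) -- (?P<src>\S+) -> (?P<dst>\S+): (?P<rest>.+)$"
)
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}


@dataclass
class Packet:
    interface: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str                       # "icmp", "udp" or "tcp"
    detail: str = ""                 # icmp type text, or udp payload length as text
    numbers: dict = field(default_factory=dict)  # tcp flag -> number printed after it

    @property
    def flags(self) -> frozenset:
        return frozenset(self.numbers)


def split_endpoint(token: str):
    """'10.15.12.83.40820' -> ('10.15.12.83', 40820); a bare IPv4 has no port."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    if len(parts) == 4:
        return token, None
    raise ValueError(f"unexpected endpoint {token!r}")


def parse_line(line: str) -> Packet:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a sniffer line: {line!r}")
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    rest = m["rest"]
    if rest.startswith("icmp:"):
        return Packet(m["intf"], src_ip, src_port, dst_ip, dst_port, "icmp", rest[5:].strip())
    if rest.startswith("udp "):
        # the number after "udp" is the payload length in bytes, not a port
        return Packet(m["intf"], src_ip, src_port, dst_ip, dst_port, "udp", rest[4:].strip())
    # TCP: alternating "<flag> <number>" tokens, e.g. "syn 638097597 ack 1780979467"
    tokens = rest.split()
    numbers = {}
    for i in range(0, len(tokens) - 1, 2):
        if tokens[i] in TCP_FLAGS and tokens[i + 1].isdigit():
            numbers[tokens[i]] = int(tokens[i + 1])
    return Packet(m["intf"], src_ip, src_port, dst_ip, dst_port, "tcp", "", numbers)


def opens_session(p: Packet) -> bool:
    """True for the first packet of a flow, the one a firewall policy is matched on.
    SYN/ACK, ACK, FIN and RST belong to an existing session (or to none) and
    never need a policy of their own."""
    if p.proto == "tcp":
        return p.flags == {"syn"}
    if p.proto == "icmp":
        return p.detail == "echo request"
    return True  # UDP has no handshake: every packet may be the first in its direction


def policy_tuples(text: str) -> set:
    """Distinct (src_ip, dst_ip, proto, dst_port) seen in session-opening packets."""
    out = set()
    for line in text.splitlines():
        if line.strip():
            p = parse_line(line)
            if opens_session(p):
                out.add((p.src_ip, p.dst_ip, p.proto, p.dst_port))
    return out


if __name__ == "__main__":
    for t in sorted(policy_tuples(SAMPLE), key=str):
        print(t)
```

Running it over the sample prints three tuples (the ping, the DNS query and the TCP 9100 SYN); the five other packets of the TCP flow and the echo reply are dropped because they never open a session. For UDP the reverse direction of an existing session also shows up as a tuple, since the output alone does not say which side spoke first; that reverse tuple is the one to discard when turning the list into policies.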