live89
Contributor

HA ether type sniffer

Hi

 

Has anyone come across this kind of sniffer message when trying to sniff 0x8890 HA heartbeat packets for a NAT/route mode cluster:

 

FW1 # diagnose sniffer packet any 'ether proto 0x8890' 4
interfaces=[any]
filters=[ether proto 0x8890]
0.644099 port32 in Ether type 0x8890 printer hasn't been added to sniffer.
0.670909 port32 out Ether type 0x8890 printer hasn't been added to sniffer.
0.844114 port32 in Ether type 0x8890 printer hasn't been added to sniffer.
0.870938 port32 out Ether type 0x8890 printer hasn't been added to sniffer.
1.044083 port32 in Ether type 0x8890 printer hasn't been added to sniffer.
1.070872 port32 out Ether type 0x8890 printer hasn't been added to sniffer.
1.244100 port32 in Ether type 0x8890 printer hasn't been added to sniffer.
1.270901 port32 out Ether type 0x8890 printer hasn't been added to sniffer.
1.444103 port32 in Ether type 0x8890 printer hasn't been added to sniffer.
1.470914 port32 out Ether type 0x8890 printer hasn't been added to sniffer.

 

We're running FGT1500D version 5.6.11

HA port32

Active/Passive cluster functioning normally

Thanks

FortiMike
New Contributor

Hi,

I got the same result when I ran a sniffer on my HA interface without any filters, but when I ran the sniffer using the HA ip addresses I was able to see the packets.

Find IP address of HA:

get system ha status 
vcluster 1: standby 169.254.0.1
diagnose sniffer packet any ' host 169.254.0.1 ' 4
3.285134 port_ha in 169.254.0.2.2790 -> 169.254.0.1.53: udp 103
3.755998 port_ha in 169.254.0.2.4853 -> 169.254.0.1.714: udp 86
3.756022 port_ha in 169.254.0.2.4853 -> 169.254.0.1.714: udp 88
3.756026 port_ha in 169.254.0.2.4853 -> 169.254.0.1.714: udp 82
3.756030 port_ha in 169.254.0.2.4853 -> 169.254.0.1.714: udp 94
3.756033 port_ha in 169.254.0.2.4853 -> 169.254.0.1.714: udp 78
3.756036 port_ha in 169.254.0.2.4853 -> 169.254.0.1.714: udp 79
3.756039 port_ha in 169.254.0.2.4853 -> 169.254.0.1.714: udp 79
3.756042 port_ha in 169.254.0.2.4853 -> 169.254.0.1.714: udp 81
4.269852 port_ha in 169.254.0.2.3010 -> 169.254.0.63.703: udp 496

 

Hope this helps :) 

petertavenier

The "host 169.254.0.1" packets are different packets than the "ether proto 0x8890" packets. It is just that the sniffer cannot make a nice print translation of the data of the ethertype 0x8890 packets.

 

Using the number 4 in the sniffer means:

4: print header of packets with interface name

It does print the interface name, but is unable to print the header of the ethertype 0x8890 packets.

For ethertype 0x0800, which is what you get when using the "host 169.254.0.1" filter, it does understand the header in a nice print format.

 

Using the number 6 in the sniffer means:

6: print header and data from ethernet of packets (if available) with intf name

Now you can see that the packets are different!

See examples below and the highlighted ethertype.

 

Example of ethertype 0x8890 traffic:

FGT01 # diagnose sniffer packet any "ether proto 0x8890" 4 10
interfaces=[any]
filters=[ether proto 0x8890]
0.930257 internal5 out Ether type 0x8890 printer hasn't been added to sniffer.
0.990174 internal5 in Ether type 0x8890 printer hasn't been added to sniffer.
1.130239 internal5 out Ether type 0x8890 printer hasn't been added to sniffer.
1.190175 internal5 in Ether type 0x8890 printer hasn't been added to sniffer.
1.330236 internal5 out Ether type 0x8890 printer hasn't been added to sniffer.
1.390175 internal5 in Ether type 0x8890 printer hasn't been added to sniffer.
1.530249 internal5 out Ether type 0x8890 printer hasn't been added to sniffer.
1.590176 internal5 in Ether type 0x8890 printer hasn't been added to sniffer.
1.730238 internal5 out Ether type 0x8890 printer hasn't been added to sniffer.
1.790181 internal5 in Ether type 0x8890 printer hasn't been added to sniffer.
 

Example of ethertype 0x0800 traffic:

FGT01 # diagnose sniffer packet any "host 169.254.0.1" 4 10
interfaces=[any]
filters=[host 169.254.0.1]
1.270357 port_ha in 169.254.0.2.17385 -> 169.254.0.1.65530: psh 2266095557 ack 1821824491
1.270419 port_ha out 169.254.0.1.65530 -> 169.254.0.2.17385: ack 2266095579
1.270429 internal5 out 169.254.0.1.65530 -> 169.254.0.2.17385: ack 2266095579
1.270508 port_ha out 169.254.0.1.65530 -> 169.254.0.2.17385: psh 1821824491 ack 2266095579
1.270516 internal5 out 169.254.0.1.65530 -> 169.254.0.2.17385: psh 1821824491 ack 2266095579
1.310216 port_ha in 169.254.0.2.17385 -> 169.254.0.1.65530: ack 1821824513
1.430471 port_ha in 169.254.0.2.17231 -> 169.254.0.1.700: psh 800221562 ack 1134523566
1.430548 port_ha out 169.254.0.1.700 -> 169.254.0.2.17231: ack 800221904
1.430557 internal5 out 169.254.0.1.700 -> 169.254.0.2.17231: ack 800221904
2.270367 port_ha out 169.254.0.1.65530 -> 169.254.0.2.17385: psh 1821824513 ack 2266095579

 

Example of ethertype 0x0800 traffic with data:

TNL1LAB1FGT01 # diagnose sniffer packet any "host 169.254.0.1" 6 4
interfaces=[any]
filters=[host 169.254.0.1]
0.590604 port_ha in 169.254.0.2.17385 -> 169.254.0.1.65530: psh 2266096261 ack 1821825195
0x0000   0000 0000 0001 906c aca7 bbb5 0800 4500        .......l......E.
0x0010   004a 96cd 0000 4006 8fe1 a9fe 0002 a9fe        .J....@.........
0x0020   0001 43e9 fffa 8711 e285 6c96 d8ab 8018        ..C.......l.....
0x0030   000b a563 0000 0101 080a 2cd7 efbf 2cd7        ...c......,...,.
0x0040   8cca 5f00 0000 1600 0000 0005 0000 0000        .._.............
0x0050   762e c906 0000 0000                            v.......

0.590720 port_ha out 169.254.0.1.65530 -> 169.254.0.2.17385: ack 2266096283
0x0000   0000 0000 0000 906c aca7 d64f 0800 4500        .......l...O..E.
0x0010   0034 263e 0000 4006 0087 a9fe 0001 a9fe        .4&>..@.........
0x0020   0002 fffa 43e9 6c96 d8ab 8711 e29b 8010        ....C.l.........
0x0030   1c34 3c53 0000 0101 080a 2cd7 8df4 2cd7        .4<S......,...,.
0x0040   efbf                                           ..

0.590730 internal5 out 169.254.0.1.65530 -> 169.254.0.2.17385: ack 2266096283
0x0000   0000 0000 0000 906c aca7 d64f 0800 4500        .......l...O..E.
0x0010   0034 263e 0000 4006 0087 a9fe 0001 a9fe        .4&>..@.........
0x0020   0002 fffa 43e9 6c96 d8ab 8711 e29b 8010        ....C.l.........
0x0030   1c34 3c53 0000 0101 080a 2cd7 8df4 2cd7        .4<S......,...,.
0x0040   efbf                                           ..

0.590827 port_ha out 169.254.0.1.65530 -> 169.254.0.2.17385: psh 1821825195 ack 2266096283
0x0000   0000 0000 0000 906c aca7 d64f 0800 4500        .......l...O..E.
0x0010   004a 263f 0000 4006 0070 a9fe 0001 a9fe        .J&?..@..p......
0x0020   0002 fffa 43e9 6c96 d8ab 8711 e29b 8018        ....C.l.........
0x0030   1c34 87f9 0000 0101 080a 2cd7 8df4 2cd7        .4........,...,.
0x0040   efbf 5f00 0000 1600 0000 0005 0000 0001        .._.............
0x0050   762e c906 0000 0000                            v.......

 

Example of ethertype 0x8890 traffic with data:

TNL1LAB1FGT01 # diagnose sniffer packet any "ether proto 0x8890" 6 4
interfaces=[any]
filters=[ether proto 0x8890]
0.530276 internal5 out Ether type 0x8890 printer hasn't been added to sniffer.
0x0000   0000 0000 0000 906c aca7 d64f 8890 5201        .......l...O..R.
0x0010   020c 4841 3630 4500 0000 0000 0000 0000        ..HA60E.........
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 3c00 0000 0000 0000 0000 3c00        ....<.........<.
0x0040   0000 696e 7465 726e 616c 3500 0000 0000        ..internal5.....
...

serial number information omitted

...
0x0070   0d00 0100 010e 0004 0001 0000 000f 0004        ................
0x0080   0000 0000 0010 0004 0000 0000 0011 0004        ................
0x0090   0000 0000 0012 0004 0001 0000 0028 0000        .............(..
0x00a0   002b 0002 0001 002c 0002 000a 0038 0008        .+.....,.....8..
0x00b0   0035 2c01 7900 0000 0037 0004 0000 0000        .5,.y....7......
0x00c0   003c 0030 0095 dd60 5af6 699c 8f5f 4544        .<.0...`Z.i.._ED
0x00d0   51be 9c11 4d05 b2a8 41fa e1d1 3d21 c3fc        Q...M...A...=!..
0x00e0   33d5 44d3 109a a219 d69a ed95 3469 f3ff        3.D.........4i..
0x00f0   5d22 f953 1c3d 000c 0007 0000 0000 0000        ]".S.=..........
0x0100   0042 0000 003e 0001 0000 3300 0400 0000        .B...>....3.....
0x0110   0000 2a00 8300 0b00 789c edce c909 c250        ..*.....x......P
0x0120   1486 d107 a9c8 38b5 e03c 9410 d085 10df        ......8..<......
0x0130   4284 8055 d885 1beb b11e 573e 6e48 016e        B..U......W>nH.n
0x0140   ce59 7e5c 7e6e d7e4 510a 9eed fbf5 5954        .Y~\~n..Q.....YT
0x0150   5d93 eb41 5ea6 d3f5 9106 7995 2ef9 7ebe        ]..A^.....y...~.
0x0160   e5a6 1dc5 bc2e b98e 7953 f238 e66d c993        ........yS.8.m..
0x0170   9877 d52f 4f63 de97 3c8b f950 467a 0f1e        .w./Oc..<..PFz..
0x0180   cbf5 bc9f 1300 0000 0000 0000 0000 0000        ................
0x0190   00c0 ff7d 01bf 4446 8300 0000 00               ...}..DF.....

0.590447 internal5 in Ether type 0x8890 printer hasn't been added to sniffer.
0x0000   ffff ffff ffff 906c aca7 bbb5 8890 5201        .......l......R.
0x0010   020c 4841 3630 4500 0000 0000 0000 0000        ..HA60E.........
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 3c00 0000 0000 0000 0000 3c00        ....<.........<.
0x0040   0000 696e 7465 726e 616c 3500 0000 0000        ..internal5.....
...

serial number information omitted

...
0x0070   0d00 0100 010e 0004 0000 0000 000f 0004        ................
0x0080   0000 0000 0010 0004 0000 0000 0011 0004        ................
0x0090   0000 0000 0012 0004 0000 0000 0028 0000        .............(..
0x00a0   002b 0002 0001 002c 0002 000a 0038 0008        .+.....,.....8..
0x00b0   009e 2c01 7900 0000 0037 0004 0000 0000        ..,.y....7......
0x00c0   003c 0030 0056 7f47 678d 8e33 a68b d2ec        .<.0.V.Gg..3....
0x00d0   30d8 2e94 9095 9565 7725 14cd 3dd2 febc        0......ew%..=...
0x00e0   18a5 6432 c77e 92a3 9579 2efe d314 dbad        ..d2.~...y......
0x00f0   99de 2b19 2a3d 000c 0007 0000 0000 0000        ..+.*=..........
0x0100   0042 0000 0033 0004 0000 0000 002a 0081        .B...3.......*..
0x0110   000b 0078 9ced ce39 0ac2 5014 86d1 0759        ...x...9..P....Y
0x0120   511c d713 d042 88af 1021 e02a dc85 8d38        Q....B...!.*...8
0x0130   0f85 9bb3 f271 4316 6073 4ef9 71f9 b95d        .....qC.`sN.q..]
0x0140   93eb 14ec dbe3 e173 aaba 268f 06f9 9c16        .......s..&.....
0x0150   eb5d 1ae4 4b5a e5ed 7293 9bb6 8ef9 5af2        .]..KZ..r.....Z.
0x0160   28e6 5bc9 e398 ef25 4f62 7e54 bf3c 8df9        (.[....%Ob~T.<..
0x0170   59f2 2ce6 5719 e93d f82e d7f3 7e4e 0000        Y.,.W..=....~N..
0x0180   0000 0000 0000 0000 0000 00ff f705 ca8f        ................
0x0190   49bc 0000 0000                                 I.....

0.730296 internal5 out Ether type 0x8890 printer hasn't been added to sniffer.
0x0000   0000 0000 0000 906c aca7 d64f 8890 5201        .......l...O..R.
0x0010   020c 4841 3630 4500 0000 0000 0000 0000        ..HA60E.........
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 3c00 0000 0000 0000 0000 3c00        ....<.........<.
0x0040   0000 696e 7465 726e 616c 3500 0000 0000        ..internal5.....
...

serial number information omitted

...
0x0070   0d00 0100 010e 0004 0001 0000 000f 0004        ................
0x0080   0000 0000 0010 0004 0000 0000 0011 0004        ................
0x0090   0000 0000 0012 0004 0001 0000 0028 0000        .............(..
0x00a0   002b 0002 0001 002c 0002 000a 0038 0008        .+.....,.....8..
0x00b0   0035 2c01 7900 0000 0037 0004 0000 0000        .5,.y....7......
0x00c0   003c 0030 0095 dd60 5af6 699c 8f5f 4544        .<.0...`Z.i.._ED
0x00d0   51be 9c11 4d05 b2a8 41fa e1d1 3d21 c3fc        Q...M...A...=!..
0x00e0   33d5 44d3 109a a219 d69a ed95 3469 f3ff        3.D.........4i..
0x00f0   5d22 f953 1c3d 000c 0007 0000 0000 0000        ]".S.=..........
0x0100   0042 0000 003e 0001 0000 3300 0400 0000        .B...>....3.....
0x0110   0000 2a00 8300 0b00 789c edce c909 c250        ..*.....x......P
0x0120   1486 d107 a9c8 38b5 e03c 9410 d085 10df        ......8..<......
0x0130   4284 8055 d885 1beb b11e 573e 6e48 016e        B..U......W>nH.n
0x0140   ce59 7e5c 7e6e d7e4 510a 9eed fbf5 5954        .Y~\~n..Q.....YT
0x0150   5d93 eb41 5ea6 d3f5 9106 7995 2ef9 7ebe        ]..A^.....y...~.
0x0160   e5a6 1dc5 bc2e b98e 7953 f238 e66d c993        ........yS.8.m..
0x0170   9877 d52f 4f63 de97 3c8b f950 467a 0f1e        .w./Oc..<..PFz..
0x0180   cbf5 bc9f 1300 0000 0000 0000 0000 0000        ................
0x0190   00c0 ff7d 01bf 4446 8300 0000 00               ...}..DF.....

0.790446 internal5 in Ether type 0x8890 printer hasn't been added to sniffer.
0x0000   ffff ffff ffff 906c aca7 bbb5 8890 5201        .......l......R.
0x0010   020c 4841 3630 4500 0000 0000 0000 0000        ..HA60E.........
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 3c00 0000 0000 0000 0000 3c00        ....<.........<.
0x0040   0000 696e 7465 726e 616c 3500 0000 0000        ..internal5.....
...

serial number information omitted

...

0x0070   0d00 0100 010e 0004 0000 0000 000f 0004        ................
0x0080   0000 0000 0010 0004 0000 0000 0011 0004        ................
0x0090   0000 0000 0012 0004 0000 0000 0028 0000        .............(..
0x00a0   002b 0002 0001 002c 0002 000a 0038 0008        .+.....,.....8..
0x00b0   009e 2c01 7900 0000 0037 0004 0000 0000        ..,.y....7......
0x00c0   003c 0030 0056 7f47 678d 8e33 a68b d2ec        .<.0.V.Gg..3....
0x00d0   30d8 2e94 9095 9565 7725 14cd 3dd2 febc        0......ew%..=...
0x00e0   18a5 6432 c77e 92a3 9579 2efe d314 dbad        ..d2.~...y......
0x00f0   99de 2b19 2a3d 000c 0007 0000 0000 0000        ..+.*=..........
0x0100   0042 0000 0033 0004 0000 0000 002a 0081        .B...3.......*..
0x0110   000b 0078 9ced ce39 0ac2 5014 86d1 0759        ...x...9..P....Y
0x0120   511c d713 d042 88af 1021 e02a dc85 8d38        Q....B...!.*...8
0x0130   0f85 9bb3 f271 4316 6073 4ef9 71f9 b95d        .....qC.`sN.q..]
0x0140   93eb 14ec dbe3 e173 aaba 268f 06f9 9c16        .......s..&.....
0x0150   eb5d 1ae4 4b5a e5ed 7293 9bb6 8ef9 5af2        .]..KZ..r.....Z.
0x0160   28e6 5bc9 e398 ef25 4f62 7e54 bf3c 8df9        (.[....%Ob~T.<..
0x0170   59f2 2ce6 5719 e93d f82e d7f3 7e4e 0000        Y.,.W..=....~N..
0x0180   0000 0000 0000 0000 0000 00ff f705 ca8f        ................
0x0190   49bc 0000 0000                                 I.....
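
The comparison made in the reply above (verbosity 6 exposes the Ethernet header, so the ethertype can be read from bytes 12-13 of each dump) can be automated. This is an added example, not part of the original posts: a Python parser for verbosity-6 sniffer output; the function names are hypothetical and the sample lines are copied from the dumps on this page.

```python
import re

# "<time> <interface> <in|out> <summary>" line that precedes each hex dump
HEADER = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+(in|out)\s")
# "0x0010   004a 96cd ...        ascii": capture only the hex column
HEXLINE = re.compile(r"^0x[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2,4} ?)+)")
# Only the two ethertypes that appear on this page
ETHERTYPES = {0x0800: "IPv4", 0x8890: "HA heartbeat (NAT/route mode)"}

# Sample input: first dump lines of three packets shown on this page
SAMPLE = """
0.590604 port_ha in 169.254.0.2.17385 -> 169.254.0.1.65530: psh 2266096261 ack 1821825195
0x0000   0000 0000 0001 906c aca7 bbb5 0800 4500        .......l......E.
0x0010   004a 96cd 0000 4006 8fe1 a9fe 0002 a9fe        .J....@.........

0.530276 internal5 out Ether type 0x8890 printer hasn't been added to sniffer.
0x0000   0000 0000 0000 906c aca7 d64f 8890 5201        .......l...O..R.
0x0010   020c 4841 3630 4500 0000 0000 0000 0000        ..HA60E.........

0.590447 internal5 in Ether type 0x8890 printer hasn't been added to sniffer.
0x0000   ffff ffff ffff 906c aca7 bbb5 8890 5201        .......l......R.
"""

def parse_frames(text):
    """Group hex-dump lines under the packet header line that precedes them."""
    frames, cur = [], None
    for line in text.splitlines():
        m = HEXLINE.match(line)
        if m and cur is not None:
            cur["raw"] += bytes.fromhex(m.group(1).replace(" ", ""))
        elif (m := HEADER.match(line)):
            cur = {"intf": m.group(2), "dir": m.group(3), "raw": b""}
            frames.append(cur)
        # Anything else ("...", redaction notes, blank lines) is skipped, so
        # only the first 14 bytes are trusted to sit at their true offsets.
    return frames

def ethernet_header(raw):
    """Return dst MAC, src MAC and ethertype, or None for a truncated frame."""
    if len(raw) < 14:
        return None
    etype = int.from_bytes(raw[12:14], "big")
    return {"dst": raw[0:6].hex(":"), "src": raw[6:12].hex(":"),
            "ethertype": "0x%04x" % etype, "name": ETHERTYPES.get(etype, "unknown")}

def summarize(text):
    """One (interface, direction, header) tuple per decodable frame."""
    rows = [(f["intf"], f["dir"], ethernet_header(f["raw"])) for f in parse_frames(text)]
    return [r for r in rows if r[2] is not None]

if __name__ == "__main__":
    for intf, direction, hdr in summarize(SAMPLE):
        print(intf, direction, hdr["ethertype"], hdr["name"], hdr["src"], "->", hdr["dst"])
```
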
