billp
Contributor

Simple way to capture packets from specific address/port?

I have a few workstations that are routinely sending about 300 bytes of data to a single IP address that I cannot identify. NO rdns available. It's sending out on TCP port 80 and UDP port 370. Is there a way to use the Fortigate or FortiAnalyzer to capture just those packets for a brief time so I can see what data is being transferred, and if this is a trojan of some sort? Our previous firewall could dump a Wireshark compatible file in situations like this. Application Control is reporting the traffic as http.proxy. I see the FortiAnalyzer has a Network Analyzer tool, but was hoping I could just set up a firewall rule to capture the packets for a few minutes and dump them to a file for analysis. Any suggestions? Thanks. Bill

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

Carl_Wallmark
Valued Contributor

Yes, it's possible. First of all, you need to create a custom IPS signature that can be triggered by the IP and port (port 80 and 370). Then you can create an IPS override and enable packet log (requires FortiOS 4.00). As a result, you will be able to look inside that package and download the packet in a .pcap file, and open it in Wireshark =) Good luck!

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

p768
New Contributor

FortiGates can also tcpdump. Use the command 'diagnose sniffer packet', use debug level 3, then you need to convert the output using a script file. See http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30877&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=1384921&stateId=0%200%201386816
Not applicable

How do you change the debug level? I am unable to get this command to work:

diag debug en
diag sniffer packet port1 'tcp and 21' 3

I put the 3 for debug level 3... is that right?
laf
New Contributor II

Yes, you're right. Just put the needed debug level at the end of the command.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

red_adair
New Contributor III

# diag debug ena
# diag sniff pack <interface> "tcp port 80 or UDP port 370 and host <host-ip>" 3 -R.
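The replies from p768 and red_adair both come down to the same workflow: run the built-in sniffer at verbosity 3 (packet headers plus a hex dump), save the console output, and convert it to a pcap so Wireshark can open it. The converter below is an added example written for this thread; it is not Fortinet's own script from the KB article linked above, and the sample output it parses is constructed by hand. It assumes the default verbosity-3 layout (a header line starting with a relative timestamp in seconds followed by `src -> dst`, then dump lines of the form `0x0000 <hex groups> <ascii>`), and it writes those relative timestamps straight into the pcap record headers, so Wireshark will show 1970 dates unless you capture with absolute timestamps instead. The hex and ASCII columns are separated by a tab or at least two spaces in the assumed layout; check that against your own FortiOS output before relying on it. The sample filter also groups the two port tests in parentheses, because in BPF syntax `and` binds tighter than `or`, so without the parentheses the `host` test would apply only to the UDP branch.

```python
"""Convert 'diagnose sniffer packet <iface> "<filter>" 3' console output into a .pcap file.

Added example for this thread, not Fortinet's conversion script.
Assumed verbosity-3 layout (relative timestamps, the FortiOS default):
    <seconds> <src.port> -> <dst.port>: <summary>
    0x0000<ws>0011 2233 ... 4500<ws><ascii column>
"""
import re
import struct
import sys

# Filter used for the constructed sample: parentheses keep the host test on both branches,
# since BPF 'and' binds tighter than 'or'.
SAMPLE_FILTER = "host 203.0.113.10 and (tcp port 80 or udp port 370)"

# Constructed sample output: one TCP SYN to port 80 and one 4-byte UDP datagram to port 370.
# Addresses are documentation ranges, not real hosts.
SAMPLE_OUTPUT = """interfaces=[port1]
filters=[host 203.0.113.10 and (tcp port 80 or udp port 370)]
0.000000 192.168.1.10.49152 -> 203.0.113.10.80: syn 1
0x0000\t 0011 2233 4455 6677 8899 aabb 0800 4500\t .."3DUfw....E.
0x0010\t 0028 0001 4000 4006 0000 c0a8 010a cb00\t .(..@.@.........
0x0020\t 710a c000 0050 0000 0001 0000 0000 5002\t q....P........P.
0x0030\t 2000 0000 0000\t  .....
0.512345 192.168.1.10.51000 -> 203.0.113.10.370: udp 4
0x0000\t 0011 2233 4455 6677 8899 aabb 0800 4500\t .."3DUfw....E.
0x0010\t 0020 0002 4000 4011 0000 c0a8 010a cb00\t ...@.@.........
0x0020\t 710a c738 0172 000c 0000 6162 6364\t q..8.r....abcd
2 packets received by filter
"""

# Header line: relative timestamp, then "src -> dst" somewhere after it.
HDR_RE = re.compile(r'^(\d+\.\d+)\s+.*\s->\s')
# Dump line: 4-digit hex offset, single-space-separated hex groups, then tab / 2+ spaces / end.
# Requiring exactly one space between groups stops the ASCII column from being read as hex.
HEX_RE = re.compile(r'^0x([0-9a-fA-F]{4})[ \t]+((?:[0-9a-fA-F]{2,4} )*[0-9a-fA-F]{2,4})(?:[ \t]{2,}|\t|$)')

PCAP_MAGIC = 0xa1b2c3d4   # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1     # verbosity 3 dumps start at the Ethernet header


def parse_sniffer_output(text):
    """Return a list of (timestamp_seconds, raw_frame_bytes) from verbosity-3 sniffer text."""
    packets = []
    ts, frame = None, bytearray()

    def flush():
        if ts is not None and frame:
            packets.append((ts, bytes(frame)))

    for line in text.splitlines():
        hm = HEX_RE.match(line)
        if hm and ts is not None:
            offset = int(hm.group(1), 16)
            if offset != len(frame):   # offsets must be contiguous within one packet
                raise ValueError(f"offset {offset:#06x} does not follow {len(frame)} bytes already read")
            chunk = bytes.fromhex(hm.group(2).replace(' ', ''))
            if len(chunk) > 16:        # a dump line never carries more than 16 bytes
                raise ValueError("more than 16 bytes on one dump line")
            frame += chunk
            continue
        hm = HDR_RE.match(line)
        if hm:                         # new packet: emit the previous one, start collecting
            flush()
            ts, frame = float(hm.group(1)), bytearray()
    flush()
    return packets


def describe_frame(frame):
    """Quick triage of an Ethernet/IPv4 frame: (proto, src, sport, dst, dport, payload_len) or None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':   # IPv4 EtherType only
        return None
    ihl = (frame[14] & 0x0f) * 4
    total_len = struct.unpack('!H', frame[16:18])[0]
    proto = frame[23]
    src = '.'.join(str(b) for b in frame[26:30])
    dst = '.'.join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    if proto == 6 and len(frame) >= l4 + 20:
        name, hlen = 'tcp', (frame[l4 + 12] >> 4) * 4
    elif proto == 17 and len(frame) >= l4 + 8:
        name, hlen = 'udp', 8
    else:
        return None
    sport, dport = struct.unpack('!HH', frame[l4:l4 + 4])
    payload = 14 + total_len - (l4 + hlen)   # bytes after the transport header
    return (name, src, sport, dst, dport, max(payload, 0))


def build_pcap(packets, snaplen=65535):
    """Serialise (timestamp, frame) pairs as a libpcap file with Ethernet link type."""
    out = bytearray(struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack('<IIII', sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == '__main__':
    # Usage: python fgt_sniffer_to_pcap.py [saved_console_output.txt] > out.pcap
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    pkts = parse_sniffer_output(text)
    for ts, frame in pkts:
        print(f"{ts:10.6f} {describe_frame(frame)}", file=sys.stderr)
    sys.stdout.buffer.write(build_pcap(pkts))
```

Save the terminal session to a text file first (most SSH clients can log the session), then feed that file to the script and open the resulting pcap in Wireshark. The `describe_frame` summary printed to stderr is enough to confirm that the destination and ports in the capture match what Application Control reported before you spend time on the payload.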