Hi, I'm using this command
diag sniffer packet any "host x.x.x.x" 6 0 a
to capture some traffic, then converting the text file to pcap with the tool fgt2eth.exe.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD30877
Then... when I go to view it in Wireshark, it shows TCP Out-of-Order across the whole capture.
I tried a lot of captures with different destinations and on different firewalls (models 100D, 300D, 500D), same result. A lot of TCP Out-of-Order.
Am I doing something wrong? It's not possible that all my tests had communication errors.
Same result in all my captures from the CLI.
If you use "any" for the interface, the same packet will likely show up multiple times in the log, e.g. at the ingress interface and at the egress interface, which Wireshark sees as duplicates or retransmissions. If you want to see the output in Wireshark, specify one interface.
What are you trying to capture, mail, http, https traffic? I would filter on the specific traffic and then use the convert tool. If you have an FGT model with a disk you can skip all of this and run the web GUI
https://<x.x.x address of fgt>/ng/page/p/firewall/sniffer/
I would think a 500D would support this, and maybe a 300D.
Ken Felix
PCNSE
NSE
StrongSwan
Yeah, and I noticed all of these were FIN and SYN; I would not be too worried about the start and closing.
Filter in on the port and service:
diag sniffer packet port1 "host x.x.x.x and port 24" is much better than "diag sniffer packet any"
Ken Felix
PCNSE
NSE
StrongSwan
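The two replies above explain why an "any" capture looks full of retransmissions: the firewall logs the same frame once on the ingress port and again on the egress port, and a decoder keyed on sequence numbers flags the second copy. The following script is an added example, not code from the thread or from Fortinet; it models that effect on a constructed set of packet records (timestamps, interface names and the TCP 5-tuple plus seq/ack/flags are all made up) and shows how to separate the forwarding copies from a genuine retransmission: a forwarding copy is byte-identical and appears on a different interface within a few hundred microseconds, whereas a real retransmission recurs on the same interface after a much longer gap. One caveat to keep in mind: if the firewall NATs the flow, the egress copy carries different addresses, so this identity-based merge will not collapse it.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical packet record, standing in for one line of a sniffer capture.
@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds
    iface: str       # interface the sniffer saw it on (port1, port2, ...)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # e.g. "S", "SA", "A", "PA"
    seq: int
    ack: int
    length: int      # TCP payload bytes

    def identity(self) -> Tuple:
        """Everything that makes two captured frames 'the same segment'."""
        return (self.src, self.sport, self.dst, self.dport,
                self.flags, self.seq, self.ack, self.length)


def flagged_as_duplicates(packets: List[Pkt]) -> List[Pkt]:
    """Segments a decoder would mark as retransmission/out-of-order on the raw
    'any' capture: every segment whose identity was already seen earlier."""
    seen = set()
    flagged = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = p.identity()
        if key in seen:
            flagged.append(p)
        seen.add(key)
    return flagged


def merge_interface_copies(packets: List[Pkt], window: float = 0.010):
    """Drop copies of a segment that reappear on a *different* interface within
    `window` seconds (the ingress/egress double-logging). A repeat on the same
    interface, or one outside the window, is kept as a real retransmission."""
    last_seen = {}          # identity -> (ts, iface) of the most recent kept copy
    kept, dropped = [], []
    for p in sorted(packets, key=lambda p: p.ts):
        key = p.identity()
        prev = last_seen.get(key)
        if prev is not None and p.iface != prev[1] and p.ts - prev[0] <= window:
            dropped.append(p)
            continue
        last_seen[key] = (p.ts, p.iface)
        kept.append(p)
    return kept, dropped


# Constructed sample: a handshake and one data segment crossing the firewall
# from port1 to port2, each logged twice, plus one genuine retransmission
# of the data segment 300 ms later (also logged twice).
C, S = "10.0.0.5", "192.0.2.10"
SAMPLE = [
    Pkt(0.0000, "port1", C, 40000, S, 443, "S",  100, 0,   0),
    Pkt(0.0002, "port2", C, 40000, S, 443, "S",  100, 0,   0),
    Pkt(0.0010, "port2", S, 443, C, 40000, "SA", 500, 101, 0),
    Pkt(0.0012, "port1", S, 443, C, 40000, "SA", 500, 101, 0),
    Pkt(0.0020, "port1", C, 40000, S, 443, "A",  101, 501, 0),
    Pkt(0.0021, "port2", C, 40000, S, 443, "A",  101, 501, 0),
    Pkt(0.0030, "port1", C, 40000, S, 443, "PA", 101, 501, 100),
    Pkt(0.0031, "port2", C, 40000, S, 443, "PA", 101, 501, 100),
    Pkt(0.3030, "port1", C, 40000, S, 443, "PA", 101, 501, 100),  # real retransmit
    Pkt(0.3031, "port2", C, 40000, S, 443, "PA", 101, 501, 100),
]

if __name__ == "__main__":
    raw_flags = flagged_as_duplicates(SAMPLE)
    kept, dropped = merge_interface_copies(SAMPLE)
    print(f"raw 'any' capture: {len(raw_flags)} of {len(SAMPLE)} segments look like retransmissions")
    print(f"after merging interface copies: {len(kept)} kept, {len(dropped)} dropped")
    print(f"real retransmissions remaining: {len(flagged_as_duplicates(kept))}")
```

On the constructed sample the raw capture flags six of ten segments, which is the wall of TCP Out-of-Order the question describes; after merging the cross-interface copies only the single 300 ms retransmission remains flagged. Capturing on one interface, as both replies recommend, avoids the problem at the source and makes this post-processing unnecessary.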
toshiesumi wrote: If you use "any" for the interface, the same packet will likely show up multiple times in the log, e.g. at the ingress interface and at the egress interface, which Wireshark sees as duplicates or retransmissions. If you want to see the output in Wireshark, specify one interface.
Yeah, this is my mistake. Thanks a lot. I need to filter my capture more.
Regards.