Hi,
I created a small program that helps firewall admins to create Wireshark comaptible pcap files on diskless Fortigate models. You can find the "fgsniffer" here on Github.
It works for me on Windows and Linux, now I need some testers!
Feedback is welcome.
Cheers,
Dirk
Hi Dirk,
I just tried it with a trace I took yesterday, and it doesn't seem to work. There is only one packet (should be 259) and Wireshark tells me that the FCS is incorrect. No other packets are listed.
I appreciate the work you put into this, but why don't you use the compiled version linked in this KB: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30877
Did it not work for you?
Kind regards
I tried only the original perl and this created only empty output or errors depending on the perl version. The compiled version works (on Windows) and produces a valid pcap file. Still the times are not considering the time zone, they are off by two for me.
Can you provide one ore two packets of your test capture, that didn't match? I think my regex doesn't match, because of some little difference. I'd like to fix that.
Cheers,
Dirk
Yeah I usually fix the time zone problem with Wireshark and Time Shift. I sent you a PM, hope the formatting is somewhat correct, otherwise just tell me
Greetings!
Got it, thanks. The interface direction "--" was new to me, it is "in" or "out" normally. I fixed another issue with interface names containing slashes or brackets and updated github. I would be happy if you can retest.
Yeah if you define the interface in the sniffer there is no in and out in the output, only with device filter set to any.
I tested it again and it now works fine, thanks!
The attached tool does not working. So, I made an alternative. It's a simple pythonic script working like a charm.
Fortigate Dump converter to Wireshark Hexdump
https://github.com/afsec/fgt2wireshark
Requires python >= 2.7
printf "diagnose sniffer packet wan1 none 6 1000" | ssh USER@server.example.org | tee dump_firewall.txt
printf "config vdom\nedit root\ndiagnose sniffer packet wan1 none 6 1000" | ssh USER@server.example.org | tee dump_firewall.txt
Since FortiOS 6.0.2 you can use the gui packet capture on small fortigates again!
The smaller fortigates will save the pcap inside an ram-disk, so no convert tools are needed.
NSE 4/5/7
Some users were confused by the need to have absolute timestamps in the sniffer output. I created a new version 1.4 that can handle both cases. And there is a compiled version for OSX users.
It's good to hear it will be possible to do pcaps directly on diskless models in the future, but it will take a while until our boxes are running FortiOS 6
oheigl wrote:This worked a treat in July 2021 running from CMD on Windows 10. I pasted the output of a level "6" CLI sniffer run & it went into Wireshark pcap format perfectly. Thanks, heaps.Hi Dirk,
I just tried it with a trace I took yesterday, and it doesn't seem to work. There is only one packet (should be 259) and Wireshark tells me that the FCS is incorrect. No other packets are listed.
I appreciate the work you put into this, but why don't you use the compiled version linked in this KB: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30877
Did it not work for you?
Kind regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.