diag packet sniffer behavior
I question whether "diag packet sniffer" is truly a stateless packet capturing tool like tcpdump, at least for some protocols.
I am sending logs over udp 514 from one host to another, through a Fortigate v5.2.5.
If I run tcpdump on either the host sending the logs or the one receiving it, I instantly see thousands of packets going back and forth.
If I run diag packet sniffer <interface> 'udp port 514', I see nothing, unless I restart syslog on the host sending the logs. Then diag packet sniffer sees a handful of packets and stops. I can reproduce this behavior with a restart of syslog-ng any time I want. In the meantime, source and destination are happily exchanging tons of logs.
Curious for others' similar experiences with "diag packet sniffer".
Labels: 5.2
Hi,
You won't see any traffic in the sniffer once the session is offloaded onto the NP. Workaround: put an AV profile into the policy which is hit by this traffic. This prevents offloading.
Alternatively, if you don't want the traffic offloaded, just disable it on the firewall policy ID from the CLI.
PCNSE / NSE / StrongSwan
Correct, like in:
config firewall policy
    edit <policyID>
        set auto-asic-offload disable
    next
end
Be sure to use the ID, not the "sequence number".
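The full CLI sequence that ties the thread together, as an added example rather than something posted by any of the participants above: locate the policy by its ID, confirm from the session table that the syslog session is currently being handled by the NP, switch off ASIC offload on just that policy, drop the existing session so the next one is set up on the CPU, and only then start the sniffer. The policy ID 17 and the `port1`/`port2` interface names are placeholders for this illustration; everything else is standard FortiOS 5.x CLI.

```fortios
# 1. Find the policy the syslog traffic actually matches. The number after
#    "edit" is the policy ID the later commands need, not the GUI sequence number.
show firewall policy

# 2. Restrict the session table to the syslog flow and look at that one entry.
#    An entry that is being handled by the NP carries NPU/offload information
#    in its "npu info" line; that is the session the sniffer cannot see.
diagnose sys session filter clear
diagnose sys session filter dport 514
diagnose sys session list

# 3. Turn off hardware offload for this policy only (17 is a placeholder ID),
#    so matching sessions stay on the CPU where the sniffer taps them.
config firewall policy
    edit 17
        set auto-asic-offload disable
    next
end

# 4. The already-established session was set up before the change. With the
#    dport 514 filter still active, this clears only that flow; syslog-ng will
#    simply create a new session under the modified policy (assumption: the
#    sender is not rate limited by the brief interruption).
diagnose sys session clear

# 5. Sniff on all interfaces with header output (verbosity 4, unlimited count).
#    Ctrl-C stops the capture.
diagnose sniffer packet any 'udp port 514' 4 0

# 6. Re-enable offload once you have the capture you need.
config firewall policy
    edit 17
        set auto-asic-offload enable
    next
end
```

Step 4 is what reproduces the OP's observation: restarting syslog-ng on the sender tears down and recreates the session, and only the setup packets, which run through the CPU before the session is handed to the NP, show up in the sniffer. Clearing the session from the firewall side has the same effect, but after step 3 the new session stays on the CPU and the capture continues. The AV-profile workaround from the earlier reply achieves the same result because proxied or inspected sessions are not eligible for offload, but it also changes how the traffic is inspected, so the per-policy switch is the narrower change.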
