Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- diag sniffer packet showing eth0 ?????
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
diag sniffer packet showing eth0 ?????
im doing a packet capture on all interfaces from a host on my internal LAN. port 80,443 only.
i want to know if the web traffic is exiting using wan1 or wan2.
but the packet capture shows internal > eth0 ???
what is eth0
??
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
diagnose sniffer packet any ' host 192.168.121.10 and port 80' 4interfaces=[any]
filters=[host 192.168.121.10 and port 80]
14.311137 port1 in 192.168.121.10.59980 -> 157.166.226.26.80: syn 3623370317
14.311210 port1 out 157.166.226.26.80 -> 192.168.121.10.59980: syn 527433776 ack 3623370318
14.311218 eth0 out 157.166.226.26.80 -> 192.168.121.10.59980: syn 527433776 ack 3623370318
14.311427 port1 in 192.168.121.10.59981 -> 157.166.226.26.80: syn 4058517292
14.311519 port1 out 157.166.226.26.80 -> 192.168.121.10.59981: syn 1369946539 ack 4058517293
14.311533 eth0 out 157.166.226.26.80 -> 192.168.121.10.59981: syn 1369946539 ack 4058517293
14.311544 port1 in 192.168.121.10.59980 -> 157.166.226.26.80: ack 527433777
14.311815 port1 in 192.168.121.10.59981 -> 157.166.226.26.80: ack 1369946540
14.396239 port1 in 192.168.121.10.59980 -> 157.166.226.26.80: psh 3623370318 ack 527433777
14.396274 port1 out 157.166.226.26.80 -> 192.168.121.10.59980: ack 3623370651
14.396281 eth0 out 157.166.226.26.80 -> 192.168.121.10.59980: ack 3623370651
15.727360 port1 out 157.166.226.26.80 -> 192.168.121.10.59980: psh 527433777 ack 3623370651
15.727371 eth0 out 157.166.226.26.80 -> 192.168.121.10.59980: psh 527433777 ack 3623370651
15.927639 port1 in 192.168.121.10.59980 -> 157.166.226.26.80: ack 527434224
15.982804 port1 in 192.168.121.10.59982 -> 157.166.238.48.80: syn 4275520368
15.982884 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: syn 3887095537 ack 4275520369
15.982890 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: syn 3887095537 ack 4275520369
15.983157 port1 in 192.168.121.10.59982 -> 157.166.238.48.80: ack 3887095538
15.983263 port1 in 192.168.121.10.59983 -> 157.166.238.48.80: syn 718208846
15.983346 port1 out 157.166.238.48.80 -> 192.168.121.10.59983: syn 1502454981 ack 718208847
15.983357 eth0 out 157.166.238.48.80 -> 192.168.121.10.59983: syn 1502454981 ack 718208847
15.983589 port1 in 192.168.121.10.59983 -> 157.166.238.48.80: ack 1502454982
15.984190 port1 in 192.168.121.10.59982 -> 157.166.238.48.80: psh 4275520369 ack 3887095538
15.984231 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: ack 4275520706
15.984238 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: ack 4275520706
19.308550 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887095538 ack 4275520706
19.308560 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887095538 ack 4275520706
19.308575 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887096998 ack 4275520706
19.308582 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887096998 ack 4275520706
19.309254 port1 in 192.168.121.10.59982 -> 157.166.238.48.80: ack 3887098458
19.309311 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887098458 ack 4275520706
19.309319 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887098458 ack 4275520706
19.309332 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887099918 ack 4275520706
19.309338 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887099918 ack 4275520706
19.309347 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887101378 ack 4275520706
19.309353 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887101378 ack 4275520706
19.309960 port1 in 192.168.121.10.59982 -> 157.166.238.48.80: ack 3887101378
19.309996 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887102838 ack 4275520706
19.310005 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887102838 ack 4275520706
19.310022 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887104298 ack 4275520706
19.310031 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887104298 ack 4275520706
19.310045 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: psh 3887105758 ack 4275520706
19.310054 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: psh 3887105758 ack 4275520706
19.310560 port1 in 192.168.121.10.59982 -> 157.166.238.48.80: ack 3887104298
19.310607 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887107218 ack 4275520706
19.310619 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887107218 ack 4275520706
19.310636 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887108678 ack 4275520706
19.310644 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887108678 ack 4275520706
19.310658 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887110138 ack 4275520706
19.310666 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887110138 ack 4275520706
19.310832 port1 in 192.168.121.10.59982 -> 157.166.238.48.80: ack 3887107218
19.310863 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: psh 3887111598 ack 4275520706
19.310869 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: psh 3887111598 ack 4275520706
19.310901 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887113058 ack 4275520706
19.310909 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887113058 ack 4275520706
19.310931 port1 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887114518 ack 4275520706
19.310939 eth0 out 157.166.238.48.80 -> 192.168.121.10.59982: 3887114518 ack 4275520706
19.311246 port1 in 192.168.121.10.59982 -> 157.166.238.48.80: ack 3887110138
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another way is to use " debug flow" CLI to troubleshoot it <-- this worked
still not sure why when using " diag sniff packet" it shows me a strange " eth0" interface in my capture.
if anyone knows please reply.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This comes up lately & about eth0. Since the fortigate is a linux host, I think eth0 is always the main interface.
If you use
diag hardware deviceinfo nic eth0
or
fnsysctl ifconfig eth0
you will see the eth0 interface but surprisely you can' t use it in a diag sniffer packet eth0 " any" for example
For the OP modify your filter to use the src and dst ports and the actual interface if you don' t want the eth0 in the output
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i want to trace a host on the internal network 192.168.1.x and confirm that port 80 (http) traffic is using wan2 exclusively.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Than be specific in your syntax
diag sniffer packet wan2 " host 192.168.1.x and port 80 or 443 "
if you doubt wan2, change it to wan1 or whatever port you suspect, bug diag debug flow will not lie or mis-lead you.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eth0 shows up in some FortiGate models with switch interfaces, in that case the eth0 is the parent of the individual interfaces.
You can ignore always eth0 output
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,848 -
FortiClient
1,793 -
5.2
801 -
FortiManager
753 -
5.4
639 -
FortiAnalyzer
567 -
FortiSwitch
486 -
FortiAP
478 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
325 -
SSL-VPN
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
220 -
FortiWeb
212 -
FortiNAC
197 -
5.0
196 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
111 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
82 -
Customer Service
81 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
60 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
DNS
47 -
FortiExtender
46 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
38 -
SAML
38 -
NAT
37 -
Certificate
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
VDOM
33 -
Interface
32 -
FortiConnect
30 -
FortiLink
30 -
Application control
28 -
FortiWAN
27 -
Web profile
27 -
FortiGate-VM
26 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiPortal
20 -
FortiSwitch v6.2
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
SSID
17 -
OSPF
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1749 | |
| 1114 | |
| 765 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.