Support Forum
tlittle
New Contributor II

diagnose netlink interface output clarification on standalone fortiswitch

Hello,

I was wondering if anyone could clarify what the different interfaces displayed with the command "diagnose netlink interface list" actually mean when used on a FortiSwitch operating in standalone mode.

I did not see the command listed in the official CLI documentation for FortiSwitch running 7.2.7 firmware.

The device I'm testing this on is a FortiSwitch Rugged 112D-PoE running firmware 7.2.8.

Here's a snippet of the command output:

112D-PoESW1 # diagnose netlink interface list

if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
flags=up loopback run

if=mux0 family=00 type=1 index=2 mtu=1500 link=0 master=0
flags=broadcast multicast

if=p0 family=00 type=1 index=3 mtu=1500 link=0 master=0
flags=up broadcast run promsic multicast

if=sp1 family=00 type=1 index=4 mtu=1500 link=0 master=0
flags=up broadcast run

if=__port__1 family=00 type=1 index=1001 mtu=1500 link=0 master=0
flags=up broadcast run multicast

if=p1 family=00 type=1 index=5 mtu=1500 link=0 master=0
flags=up broadcast run promsic multicast

if=sp2 family=00 type=1 index=6 mtu=1500 link=0 master=0
flags=up broadcast run

if=__port__2 family=00 type=1 index=1002 mtu=1500 link=0 master=0
flags=broadcast multicast

if=p2 family=00 type=1 index=7 mtu=1500 link=0 master=0
flags=up broadcast run promsic multicast

if=sp3 family=00 type=1 index=8 mtu=1500 link=0 master=0
flags=up broadcast run

if=__port__3 family=00 type=1 index=1003 mtu=1500 link=0 master=0
flags=broadcast multicast

if=p3 family=00 type=1 index=9 mtu=1500 link=0 master=0
flags=up broadcast run promsic multicast

 

I'm not sure what the difference is between sp1, __port__1, and p1.

When testing on a FortiGate I get an output that makes more sense to me, just a list of each interface on the gate.

Example output:

FortiGate-40F # diagnose netlink interface list

if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=8 state=present fw_flags=0 flags=loopback

if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=5 state=present fw_flags=0 flags=broadcast noarp

if=nturbo_rx family=00 type=1 index=3 mtu=1500 link=0 master=0
ref=5 state=present fw_flags=0 flags=up broadcast multicast

if=nturbo_tx family=00 type=1 index=4 mtu=1500 link=0 master=0
ref=5 state=present fw_flags=0 flags=up broadcast multicast

if=wan family=00 type=1 index=5 mtu=1500 link=0 master=0
ref=167 state=start present fw_flags=0 flags=up broadcast run multicast

if=lan1 family=00 type=1 index=6 mtu=1500 link=0 master=0
ref=15 state=start present no_carrier fw_flags=0 flags=up broadcast multicast

if=lan2 family=00 type=1 index=7 mtu=1500 link=0 master=0
ref=219 state=start present fw_flags=0 flags=up broadcast run multicast

if=lan3 family=00 type=1 index=8 mtu=1500 link=0 master=18
ref=14 state=start present fw_flags=0 flags=up broadcast run slave multicast

if=a family=00 type=1 index=9 mtu=1500 link=0 master=18
ref=14 state=start present fw_flags=0 flags=up broadcast run slave multicast
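Added here as a worked example (not code from the thread or from Fortinet): a small Python parser for the two-line records printed by "diagnose netlink interface list", which groups the p<N>, sp<N> and __port__<N> entries under their port number so the flags of the three can be compared side by side. The sample text is a trimmed, constructed copy of the output above; the parser also accepts the FortiGate form with ref=/state= fields on the second line. It only reports which entries carry the "run" flag and assumes nothing about what each kind of interface represents.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the FortiSwitch output quoted in the post.
FSW_OUTPUT = """\
if=sp1 family=00 type=1 index=4 mtu=1500 link=0 master=0
flags=up broadcast run
if=__port__1 family=00 type=1 index=1001 mtu=1500 link=0 master=0
flags=up broadcast run multicast
if=p1 family=00 type=1 index=5 mtu=1500 link=0 master=0
flags=up broadcast run promsic multicast
if=sp2 family=00 type=1 index=6 mtu=1500 link=0 master=0
flags=up broadcast run
if=__port__2 family=00 type=1 index=1002 mtu=1500 link=0 master=0
flags=broadcast multicast
if=p2 family=00 type=1 index=7 mtu=1500 link=0 master=0
flags=up broadcast run promsic multicast
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Interface names of the three per-port kinds seen on the standalone FortiSwitch
PORT_RE = re.compile(r"^(?P<kind>p|sp|__port__)(?P<num>\d+)$")

def parse_netlink(text):
    """Parse each 'if=' header line plus its 'flags=' line into {ifname: fields}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line.startswith("if="):
            cur = dict(KV_RE.findall(line))
            cur["flags"] = set()
            ifaces[cur["if"]] = cur
        elif cur is not None:
            # \bflags= skips the FortiGate 'fw_flags=' field on the same line
            m = re.search(r"\bflags=(.*)$", line)
            if m:
                cur["flags"] = set(m.group(1).split())
    return ifaces

def group_by_port(ifaces):
    """Collect the p<N>, sp<N> and __port__<N> entries under port number N."""
    ports = defaultdict(dict)
    for name, fields in ifaces.items():
        m = PORT_RE.match(name)
        if m:
            ports[int(m.group("num"))][m.group("kind")] = fields
    return dict(ports)

def port_table(ifaces):  # per port: which kinds exist and which show 'run'
    return {n: {k: "run" in f["flags"] for k, f in kinds.items()}
            for n, kinds in group_by_port(ifaces).items()}
```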

 

 

dingjerry_FTNT

@tlittle,

I believe that you can get the configurations for those interfaces you mentioned if you run:

show system interface

Regards,

Jerry
tlittle

show system interface does display the logical interfaces I have created (VLAN SVIs) and the internal interface, but it doesn't display any of the p1, sp1, __port__1, etc. interfaces shown with the diagnose netlink command.

My assumption was that p1, sp1, etc. correlated with the switch ports, such that p1, sp1, or __port__1 were associated with port1 on the switch.

What's confusing about that is that if I run "diagnose netlink device list" I can see packets being sent/received on various interfaces all the way up to interface p27.

I've attached a screenshot of the command to try and preserve the formatting.

Given this is a 12 port switch, p13, p14, etc. obviously can't correlate with physical ports.

Also, I only have devices connected on ports 1, 5, 6, 8 and 12.

(Attachment: Capture.PNG)

 

 

Toshi_Esumi
SuperUser

Definitely they're related to the same physical port. To sniff a port, you have to use "sp1" instead of "port1" like below:

S224Dxxxxxxxxx # diag sniffer packet sp1
interfaces=[sp1]
filters=[none]
pcap_lookupnet: sp1: no IPv4 address assigned
0.659036 802.1Q vlan#10 P0 -- 192.168.10.10 -> 192.168.10.1: icmp: echo request
0.662266 802.1Q vlan#10 P0 -- 192.168.10.1 -> 192.168.10.10: icmp: echo reply
0.784650 802.1Q vlan#10 P0 -- 192.168.10.10.57248 -> 96.45.46.46.53: udp 55
0.974101 802.1Q vlan#10 P0 -- 192.168.10.10.54210 -> 96.45.46.46.53: udp 44
0.989666 802.1Q vlan#10 P0 -- 192.168.10.10.62179 -> 96.45.46.46.53: udp 50

In CLI config there are different config levels for one port:
  - config switch physical-port (L1/L2)
  - config switch interface (L2)
  - config system interface (L3)
I don't know the answer you're looking for, but I'm guessing they somehow relate to those "levels".

Oh, by the way, the sniffing might not be available on 100 series FSWs.

Toshi

tlittle
New Contributor II

Hi,

 

Funny enough, the reason I was wondering what the difference between the p, sp, and __port__ interfaces was came from messing around with the packet sniffer utility.

As far as I can tell the "p" interfaces are data link layer, so L2.

The "sp" look to be L3, and the "__port__" interfaces also appear to be L2.

If I run the sniffer utility without any filters and then search through a few minutes of output, I can see the "__port__" interfaces receiving LLDP frames and STP traffic, and the "p" interfaces sending LLC (logical link control) frames, so all L2.

When I filter by "sp" I can see tcp, udp, etc. L3 traffic.

Interestingly, I also have a FortiSwitch 108F, and running "diagnose netlink interface list" there I only get 10 ports shown, which makes sense since it's a 10 port switch.

It also shows p1 as just port_1.

 

What I'm looking for is a more authoritative answer on what each interface correlates to rather than relying on my best guess.

 

ebilcari

Thank you for sharing your findings; I have a similar output from a 108E. As I searched, it seems like this is not well documented apart from 'p' being the physical port. I would suggest opening a case with TAC support to get more information and to update the documentation.
This article suggests using 'sp' for sniffing packets on a port.

- Emirjon
tlittle
New Contributor II

That's alright, I don't absolutely need to know the answer, I'm more just curious.

The Fortinet documentation in general is really good, but I have found a few similar instances where the output of commands isn't fully explained.

Thankfully there are lots of informative community posts on here and other sites to help fill in the gaps.

Thanks everyone for the responses, appreciate the help.
