Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
journeyman
Contributor

diagnostic packet capture incomplete - any tips to improve?

Does anyone know how to improve the completeness of the diagnostic sniffer? Is there some system type setting that impacts this functionality?

 

I have noticed the output of the diagnostic sniffer often seems to only include session establishment type traffic, or perhaps it deliberately excludes in-session traffic (TCP obviously). I noticed this more often using capture level 4 (header and interface). Level 6 (bytes and interface) seems to more often include in-session traffic, but not in my current scenario.

The diagnose doco site does not mention anything about this although I'm sure I've seen disclaimers somewhere.

 

Currently I am fault-finding an application issue and packets I know are traversing a firewall are not being logged. I do see arp, session establishment and teardown, but not session traffic, and in this case I need to see that.

I am using commands of the form:

diagnose sniffer packet internal1 'host a.b.c.d' 6 0 a
The hardware is 60C, the unit is very lightly loaded (CPU usage is not an issue) and the traffic I'm trying to log is of the order of less than a packet per second.

2 Solutions
Toshi_Esumi
SuperUser
SuperUser

Are you sure you disabled asic offloading at the policy?

 set auto-asic-offload disable

View solution in original post

emnoc
Esteemed Contributor III

A  FGT60C has no ASIC  out of a SOC ( SystemOnChip ) so I don't think you can disable that but give the commands a try.

 

I would  1st run a diag debug flow and look at the flow statistics.

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
6 REPLIES 6
Toshi_Esumi
SuperUser
SuperUser

Are you sure you disabled asic offloading at the policy?

 set auto-asic-offload disable

emnoc
Esteemed Contributor III

A  FGT60C has no ASIC  out of a SOC ( SystemOnChip ) so I don't think you can disable that but give the commands a try.

 

I would  1st run a diag debug flow and look at the flow statistics.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
journeyman

Thankyou! Like emnoc I wasn't expecting this to work but it did.

set auto-asic-offload disable in the policy results in full traffic logging in the sniffer (effective immediately the policy is changed). This setting was default enable and not visible without show full.

Very, very useful to know.

 

Question - should I leave the policy running auto-asic-offload disable, or only change that when logging is required?

 

FWIW, the trace only shows the same packets as the sniffer when the policy has the default setting of auto-asic-offload enable.

Toshi_Esumi

I would never leave it disabled due to performance concern unless it's just doing hiding packets from sniffing.

emnoc
Esteemed Contributor III

What are you  wanting  ? pkt capture or  flow-info? I Never use   pkt-capture when insecting fwpolicy and flow statistics

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ede_pfau

As mentioned and as set by default, 'auto-asic-offload' should normally be enabled. Otherwise, even a couple of Mbps can place a heavy load on the CPU in a desktop FGT. (just look at other vendors' equipment, not featuring ASICs...)

 

If you need to debug, turn offloading off and look into the traffic. Don't forget to enable offloading again, and maybe stop logging traffic for that policy. YMMV.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors