Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mbrowndcm
New Contributor III

problem with diag sniffer syntax? can' t see traffic over certain interfaces

Hello, I have a firewall where five interfaces live on five different VLANs. The network that lives on internal1 is 192.168.100.0/24. When I run the following sniffer line, no packets are captured. diag sniffer packet dmz ' not dst net 192.168.100.0' The dst net statement is valid pcap filter syntax. Is anyone familiar with why I see no packets being captured? In reality, I' d like to see when traffic traverses an interface destined to an outside address, with a NATed source. But when I diag sniffer to one of these interfaces (wan2 for instance), I can not see any packets. None. Thanks, Matt
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
6 REPLIES 6
ede_pfau
SuperUser
SuperUser

Hi, this works:
diag sniffer packet dmz ' not dst net 192.168.100' 
With the ' net' keyword, cut off the host part - it doesn' t have a netmask to do it itself.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Carl_Wallmark
Valued Contributor

What model are you using ? If you are using a 200B or above, and using the Asic ports, you need to disable the asic while sniffing the traffic, the sniffer works at the CPU level, and when the asic handles traffic the packets are never reaching the CPU

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
emnoc
Esteemed Contributor III

I agree with Ede, your filter could be the issue. Since you said multiple vlan interfaces, why not specify the interface and the " host" that your trying to capture and not use not i.e diag sniff packet dmz ' host 1.1.1.1 ' or diag sniffer packet inside1 ' src net 192.168.101 '

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
mbrowndcm
New Contributor III

Whoops... the packets source happened to be NATed inside the firewall, aka any packets had their source changed to that of the NAT when exiting internal3. Assuming that internal1 is the interface facing the VLAN where all of the traffic is being requested from (the session initiators): When I run the following I see nothing but broadcasts diag sniffer packet internal1 ' not port 22 ' It is possible that for some reason, some packets aren' t being captured? I can not understand how it' s possible that my routes are provided through the firewall, yet I can not see the traffic, even entering the internal port. Are there any sniffer settings that I' m missing?
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
emnoc
Esteemed Contributor III

fwiw You should always capture on the internal interface, if the packet makes it to the FW and then is NAT or Encapsulated, that way you will always see it. it' s ain' t going to sneak by without be notice if you know exactly what host src & dst and even the port or protocol, I would make my pcap filter expression as tight as possible e.g src host 1.1.1.1 vrs src host 1.1.1.1 and dst host 2.2.2.2 vrs src host 1.1.1.1 and dst host 2.2.2.2 and port 80 or even src host 1.1.1.1 and dst host 2.2.2.2 and dst port 80 hope that helps

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
mbrowndcm
New Contributor III

Thanks for your input emnoc. In general, I started by being very specific, and scaled back to be not at all specific. I' ve performed a port mirror on the port interconnecting to the internal1 interface of the fortigate. Using tcpdump to sniff packets, I see all the packets I wish to see. The problem appears to be that the sniffer on the fortigate itself isn' t reporting the packets, even with a filter of ' none' ! This is very very strange. Any more points that I should worry about? Thanks! Matt [edit] fortigate~ (root) # diag sniffer packet any ' host 192.168.100.10' interfaces=[any] filters=[host 192.168.100.10] ... nothing tcpdump -i eth0 ' host 192.168.100.10' ... all the packets!
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors