Technical Tip: How to capture packet traffic at the physical level

wdeloraine_FTNT · ‎07-03-2023

Description

This article describes how to capture traffic on a physical interface for a chassis-based FortiGate.

Scope

FortiGate 6000F, 7000E, and 7121F.

Solution

A feature is available on chassis-based FortiGates (6000F, 7000E, and 7121F) that allows the administrator to capture traffic at the ISF (integrated Switch Fabric) level. This means that traffic can be captured before leaving the FortiGate at the physical level. This also applies to traffic entering the FortiGate. This feature will activate the interface f-mirror for the selected physical interface on the dataplane.

The following are the elements involved when packets enter a 6000F device:

1. Packet on the fiber.

2. Handled by SFP.

3. Handled by DP (distribution processor).

4. Forwarded by ISF to FPC.

5. Goes to NP6 on FPC and eventually on the host CPUs.

Capture for regular packet capture gives packets that are handled by CPUs.

See Troubleshooting Tip: Using the FortiOS built-in packet sniffer for more information.

This article will demonstrate how to capture traffic at the physical level with the prefix 'sw:'.

This can have a number of benefits:

- It is easier to ensure the traffic is properly transmitted from ISF to FPC and vice versa.

- It is easier to ensure the traffic is properly transmitted from ISF to SFP.

- It provides a view of the entire flow even when it's offloaded on FPC. This information is not visible in a regular packet sniff because it's not handled by the CPU hosts.

For example:

Traffic is going to be captured on port25 at ISF Level for vlan1062.

Command to be used:

diagnose sniffer packet sw:port25 '(vlan 1062 and tcp) or (vlan 1062 and tcp)' 4 0 l

'sw:' will activate the f-mirror interface.
The filter setup is split for egress and ingress traffic. A traffic selector is needed for both ways.
(vlan 1062 and tcp) filters for one way.
(vlan 1062 and tcp) filters for the other way.

In FortiOS 7.2.x and 7.4.x, the command has been changed to the following:

diagnose span-sniffer packet sw:port25 '(vlan 1062 and tcp) or (vlan 1062 and tcp)' 4 0 l

The following information will display in the terminal window:

[MBD ] 2023-07-03 14:39:43.803130 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.79.31436 -> 10.0.62.10.80: psh 1026859065 ack 207576893
[MBD ] 2023-07-03 14:39:43.803133 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.101.31436 -> 10.0.62.10.80: psh 2044382639 ack 4211484478
[MBD ] 2023-07-03 14:39:43.803141 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.103.49974 -> 10.0.62.10.80: psh 3403221988 ack 592061836
[MBD ] 2023-07-03 14:39:43.803194 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.16.49984 -> 10.0.62.10.80: psh 2450217422 ack 2741313910
[MBD ] 2023-07-03 14:39:43.803206 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.44.49984 -> 10.0.62.10.80: psh 3504603645 ack 1654515949

PSH TCP packets are usually offloaded, but can be shown with the feature above.

In addition, this command can be run without a filter. All traffic reaching port25 will displayed upon doing so.

It is highly recommended to use a traffic filter to prevent CPUs in the MBD from being overloaded by the mirrored traffic.

diagnose sniffer packet sw:port25 '' 4 0 l

In FortiOS 7.2.x and 7.4.x, the command has been changed to the following:

diagnose span-sniffer packet sw:port25 '' 4 0 l

Consequently, traffic from vlan 1059 and 1062 will be displayed:

[MBD ] 2023-07-03 15:56:01.605795 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.26.28513 -> 10.0.62.13.5247: udp 469
CAPWAP DATA Ether type 0x3535 printer hasn't been added to sniffer.
[MBD ] 2023-07-03 15:56:01.605796 f-mirror -- port25 out 802.1Q vlan#1059 P0 10.0.62.14.53 -> 10.0.59.17.47026: udp 142
[MBD ] 2023-07-03 15:56:01.605797 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.40.10000 -> 10.0.62.14.53: udp 33
[MBD ] 2023-07-03 15:56:01.605798 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.25.47024 -> 10.0.62.13.5247: udp 469
CAPWAP DATA Ether type 0x3535 printer hasn't been added to sniffer.
[MBD ] 2023-07-03 15:56:01.605799 f-mirror -- port25 out 802.1Q vlan#1062 P0 10.0.59.39.47024 -> 10.0.62.14.53: udp 30
[MBD ] 2023-07-03 15:56:01.605800 f-mirror -- 802.1Q vlan#1059 P0 10.0.59.68.47026 -> 10.0.62.14.53: udp 30
[MBD ] 2023-07-03 15:56:01.605800 f-mirror -- port25 out 802.1Q vlan#1059 P0 10.0.62.14.53 -> 10.0.59.86.10000: udp 142
[MBD ] 2023-07-03 15:56:01.605801 f-mirror -- 802.1Q vlan#1059 P0 10.0.59.29.47026 -> 10.0.62.13.5247: udp 469
CAPWAP DATA Ether type 0x3535 printer hasn't been added to sniffer.
[MBD ] 2023-07-03 15:56:01.605801 f-mirror -- 802.1Q vlan#1062 P0 10.0.62.14.53 -> 10.0.59.38.47025: udp 142
[MBD ] 2023-07-03 15:56:01.605802 f-mirror -- port25 out 802.1Q vlan#1059 P0 10.0.62.14.53 -> 10.0.59.17.10002: udp 33
[MBD ] 2023-07-03 15:56:01.605802 f-mirror -- 802.1Q vlan#1059 P0 10.0.59.33.47026 -> 10.0.62.13.5247: udp 469
CAPWAP DATA Ether type 0x3535 printer hasn't been added to sniffer.
[MBD ] 2023-07-03 15:56:01.605803 f-mirror -- 802.1Q vlan#1059 P0 10.0.59.19.10002 -> 10.0.62.13.5247: udp 469

Please note that only one physical port can be mirrored at a time.