a) In Log & Report > Forward Traffic, click on a log entry corresponding to a policy with packet capture enabled (For example: In FortiOS 5.4, notice a paperclip icon in the @ column which identifies this type of log entry).There is a quota (default 10MB) on policy-based packet captures and once it reaches the limit packet captures will stop.
b) At the bottom half of the split screen, there are two tabs Log Details and Archive. Click on the Archive tab.
c) On the bottom line of the Archive tab there is a Download Capture File (it may be necessary to adjust the window size to see it). Click on this file to download the packet capture file in PCAP format, which can be opened in Wireshark.
config log disk setting
set max-policy-packet-capture-size <size in MB>
exec policy-packet-capture delete-all