4 lutego 2019


Diagnose sniffer packet

Firmware – FortiOS: 5.0 5.2 5.4 5.6 6.0
The sniffer diagnose command can be used for debugging purposes. The FortiGate can sniff traffic on a specific Interface or on all Interfaces. There are 3 different Levels of Information, a.k.a. Verbose Levels 1 to 3, where verbose 1 shows less information and verbose 3 shows the most information. Verbose 4, 5 and 6 would additionally provide the interface details.

Enabling the sniffer will consume additional CPU resources. This can be as high as an additional 25% of CPU usage on low-end models.
Short Ethernet frames sent by the FortiGate may appear to be under the minimum length of 64 bytes.
The Ethernet source and/or destination MAC addresses may be incorrect when using the „any” interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.

Compatibility with hardware acceleration
The use of hardware acceleration can impact how complete a picture the packet sniffer will give of the actual traffic going through the FortiGate. The sniffer resides within the FortiOS firmware which is located on the main CPU of the appliance. Hardware acceleration makes use of Network processing ASIC (NPx) chips which process traffic separately from the CPU. This does not mean that when hardware acceleration is being used that the sniffer will not capture anything. It will still capture any packets/sessions that are processed by the CPU, but the sniffer will not capture packets/sessions that are processed by the NPx chips.

For diagnostic purposes, you can ensure that the sniffer is capturing all of the traffic.

Identify the policy that managing the traffic.
Within that policy, use the CLI setting set auto-asic-offload disable
When there are sessions that match this policy, the session traffic will not be set to the NPx chips. All the packets for this policy will be sent to the CPU for processing. The sniffer should be able to see all of the traffic.

diagnose sniffer packet


  • interface – Network interface to sniff (or „any”), can be an Interface name or „any” for all Interfaces.
  • filter – Flexible logical filters for sniffer (or „none”).(see Filter Options for specifics)
    verbose The level of verbosity.(see Verbose Levels for specifics)
  • count – Sniffer count. The number of packets the sniffer reads before stopping.
  • tsformat – Format of timestamp.

  • Filter Options

    {src|dst} host {src|dst} host {arp|ip|gre|esp|udp|tcp} [port_no] {arp|ip|gre|esp|udp|tcp} [port_no]

    Verbose Levels
    Verbose Level Description
    1 – print header of packets
    2 – print header and data from IP of packets
    3 – print header and data from Ethernet of packets
    4 – print header of packets with interface name
    5 – print header and data from IP of packets with interface name
    6 – print header and data from Ethernet of packets with interface name

    Example #
    diag sniffer packet internal none 4 3

    internal in -> psh 2859918764 ack 1949135261
    internal in -> psh 2859918816 ack 1949135261
    internal out -> ack 2859918884

    diag sniffer packet internal none 5 1

    internal in -> psh 2867817048 ack 1951061933
    0x0000 4510 005c 8eb1 4000 4006 2a6b c0a8 0001 E..\..@.@.*k….
    0x0010 c0a8 001e 0016 0478 aaef 6a58 744a d7ad …….x..jXtJ..
    0x0020 5018 0b5c 8ab9 0000 9819 880b f465 62a8 P..\………eb.
    0x0030 3eaf 3804 3fee 2555 8deb 24da dd0d c684 >.8.?.%U..$…..
    0x0040 08a9 7907 202d 5898 a85c facb 8c0a f9e5 ..y..-X..\……
    0x0050 bd9c b649 5318 7fc5 c415 5a59 …IS…..ZY

    diag sniffer packet internal ‚src host and dst host’ 1 -> syn 1325244087 -> syn 3483111189 ack 1325244088 -> ack 3483111190 -> psh 1325244088 ack 3483111190 -> ack 1325244686 -> udp 26 -> udp 42 -> udp 42 -> icmp: echo request -> psh 1325244686 ack 3483111190 -> ack 1325244735 -> icmp: echo request