Diagnose sniffer packet
Firmware – FortiOS: 5.0 5.2 5.4 5.6 6.0
The sniffer diagnose command can be used for debugging purposes. The FortiGate can sniff traffic on a specific Interface or on all Interfaces. There are 3 different Levels of Information, a.k.a. Verbose Levels 1 to 3, where verbose 1 shows less information and verbose 3 shows the most information. Verbose 4, 5 and 6 would additionally provide the interface details.
Note:
Enabling the sniffer will consume additional CPU resources. This can be as high as an additional 25% of CPU usage on low-end models.
Short Ethernet frames sent by the FortiGate may appear to be under the minimum length of 64 bytes.
The Ethernet source and/or destination MAC addresses may be incorrect when using the „any” interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.
Compatibility with hardware acceleration
The use of hardware acceleration can impact how complete a picture the packet sniffer will give of the actual traffic going through the FortiGate. The sniffer resides within the FortiOS firmware which is located on the main CPU of the appliance. Hardware acceleration makes use of Network processing ASIC (NPx) chips which process traffic separately from the CPU. This does not mean that when hardware acceleration is being used that the sniffer will not capture anything. It will still capture any packets/sessions that are processed by the CPU, but the sniffer will not capture packets/sessions that are processed by the NPx chips.
For diagnostic purposes, you can ensure that the sniffer is capturing all of the traffic.
Identify the policy that managing the traffic.
Within that policy, use the CLI setting set auto-asic-offload disable
When there are sessions that match this policy, the session traffic will not be set to the NPx chips. All the packets for this policy will be sent to the CPU for processing. The sniffer should be able to see all of the traffic.
Syntax
diagnose sniffer packet
Options
verbose The level of verbosity.(see Verbose Levels for specifics)
Filter Options
Syntax:
{src|dst} host
Verbose Levels
Verbose Level Description
1 – print header of packets
2 – print header and data from IP of packets
3 – print header and data from Ethernet of packets
4 – print header of packets with interface name
5 – print header and data from IP of packets with interface name
6 – print header and data from Ethernet of packets with interface name
Example #
diag sniffer packet internal none 4 3
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918816 ack 1949135261
internal out 192.168.0.30.1144 -> 192.168.0.1.22: ack 2859918884
Example
diag sniffer packet internal none 5 1
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2867817048 ack 1951061933
0x0000 4510 005c 8eb1 4000 4006 2a6b c0a8 0001 E..\..@.@.*k….
0x0010 c0a8 001e 0016 0478 aaef 6a58 744a d7ad …….x..jXtJ..
0x0020 5018 0b5c 8ab9 0000 9819 880b f465 62a8 P..\………eb.
0x0030 3eaf 3804 3fee 2555 8deb 24da dd0d c684 >.8.?.%U..$…..
0x0040 08a9 7907 202d 5898 a85c facb 8c0a f9e5 ..y..-X..\……
0x0050 bd9c b649 5318 7fc5 c415 5a59 …IS…..ZY
Example
diag sniffer packet internal ‚src host 192.168.0.130 and dst host 192.168.0.1’ 1
192.168.0.130.3426 -> 192.168.0.1.80: syn 1325244087
192.168.0.1.80 -> 192.168.0.130.3426: syn 3483111189 ack 1325244088
192.168.0.130.3426 -> 192.168.0.1.80: ack 3483111190
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244088 ack 3483111190
192.168.0.1.80 -> 192.168.0.130.3426: ack 1325244686
192.168.0.130.1035 -> 192.168.0.1.53: udp 26
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130 -> 192.168.0.1: icmp: echo request
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244686 ack 3483111190
192.168.0.1.80 -> 192.168.0.130.3426: ack 1325244735
192.168.0.130 -> 192.168.0.1: icmp: echo request