Capture Packets on Your Firewall
You can capture (sniff) packets of any traffic that travels on your FortiGate firewall using the command line. Very similar to TCP Dump
Why do we need to do that?
It allows you to have a low-level view, up to the hexadecimal representation of the different packets
You will see, if packets travel the way they should, if they are dropped and where. It is one of the best diagnostic tools available
To do that, you will use the following syntax:
“diagnose sniffer packet”
Followed by the interface you want to listen to, different filters, verbosity levels, and more.
So let’s look at some of the best filters using the diag sniffer packet.
Although I had recently bought the new FortiGate 60F firewall https://amzn.to/3dNUIon all the screenshots were taken using a Virtual Machine, running the latest firmware fortiOS 7.0
To capture packets on different interfaces, different ports, different protocols, you will need to open your command line, and the syntax goes like that:
“diag sniffer packet” that’s the basic, default syntax.
From here you can choose your interfaces you can choose either port one, or any other interface. You can also choose “any” which will capture traffic on all interfaces
We will choose any interface
Following that, you can filter the traffic. filtering the traffic can be on the specific port ( port 80, 53…) traffic protocols ( TCP, ICMP…), source destinations. packet size, you can use combinations such as “or”, “and”. you can do just about anything
Following the filter, you have the verbosity level. let’s now choose none for the filter. And let’s choose the different verbosity levels.
there are several verbosity levels. Let’s choose the first one and see what we get Following the verbosity level, you can choose the packet count, so let’s just choose 10 packets.
Press Enter. And here we have 10 packets, showing the IP headers, showing the protocol and you can also see the different flags, the TCP flags, the sequence number, and so on.
So let’s do the same now just change it from verbosity level to 2.
In verbosity, level two, you have the hex representation of the IP packets. There it is, and you also have the ASCII representation.
Now let’s just use verbosity 3.
Here, you also have the Ethernet headers in hexadecimal.
And now let’s choose verbosity, 4 ( which I always use ), And in verbosity 4, (very similar to verbosity 1 ), you also have the interface names (“port 1” port 2” ) which is very helpful, in troubleshooting connectivity
That was very basic now let’s start to use filters.
Our first filter will help us to capture traffic that is happening on port 80.
If you want to capture specific traffic to specific ports, use the port and the number. Alright, so let’s just use that.
The syntax is “ diag sniffer packet any ‘port 80’ 4 10 “
And we can see that we’re having traffic that is destined or coming from Port 80.
The next filter is “host” if you wish to capture specific traffic from a specific host, you will use the host keyword and the IP address. So in my case, I have a Linux machine at the 10.0.5.7 IP address.
I’m seeing traffic that is coming from 10.0.5.7 or destined to 10.0.5.7.
If I need to filter out specific sources or destinations, I can use the “src” keyword 10.0.5.7. So here we can see traffic that is coming from that specific source.
And if I need specific destination traffic, so I can use “dst” and let’s choose my gateway 192.168.1.1.
If we want to capture different protocols, we can use the name of the protocol on the filter. So let’s catch the ARP protocol, so we will actually write down ARP and we can see different ARP traffic.
If we want to catch or to see if there are ICMP packets sent. Then we can see and yes, there we have different ICMP packets that are traveling towards their destination.
And now let’s catch TCP protocol with the different flags, we will just write down “TCP”.
at the beginning of this article, we have said that we can capture specific port traffic. we can also catch a range of ports using the keyword “portrange” and a hyphen between the ports, so let’s capture traffic from Port 80, up to Port 443.
If we want to catch traffic with different packet sizes ( less than or greater than ) we can also use that expression in our packet capture So we can use less than 64 bytes in our example. And we will catch traffic whose packet size is less than 64 bytes.
The last thing is when we want to use combinations as “and” “or” so let’s catch traffic to a specific destination port by using “and”
Our source is 10.0.5.7 and the destination port 80. And let’s use verbosity 3 with a packet count of 10 packets.
We can see that we have traffic that is destined for Port 80. We’re using verbosity 3, and we can also see the different hexadecimal representations of the packets themselves.
You can find more in my “Fortigate Firewall Diagnostics Packet Guide”