h1

Fortigate tcp dump

October 9, 2008

In order to see a tcp dump of information flowing through a fortigate, the diagnose sniffer command can be used from cli.   The command syntax:

diagnose sniffer packet {interface | all}  ‘net z.z.z.z/p and/or host x.x.x.x and/or port yyy’  [options]

You can narrow your search by filtering on any or the following:

net/prefix : print a whole netblock
host          : print only one host
port          : print only a specific port number
and/or      : allows additional options

The Options field at the end are as follow:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

Option ‘4’ is particularly useful, in that it shows the associated interface for the directional traffic

Examples:

diagnose sniffer packet any ‘net 10.0.0.0/8 and host 172.16.16.14 and port 3389’

diagnose sniffer packet any ‘host 10.4.131.97 and host 172.16.16.14 and port 3389’ 4

Advertisements

One comment

  1. I blog frequently and I genuinely appreciate your information. The
    article has truly peaked my interest. I will bookmark your site and keep checking for new information about once a week.
    I opted in for your RSS feed too.



Please leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s