Note - You must have administrator privileges on your FortiADC to use the tcpdump feature.
tcpdump is a packet analyzer tool that can be used to analyze FortiADC packet activity to/from interfaces, aggregated interfaces, VLANs, clusters, and servers. It prints the contents of network packets and allows you to intercept and display TCP/IP and other packets being transmitted or received over the network on which the appliance is installed. It prints out a description of the contents of packets that match Boolean expressions and saves the packet data to a *.tgz file stored in .../var/crash in the FortiADC file system. The file can then be used for later analysis. You can capture packets from a maximum of 5 objects at one time.
The flexibility provided by FortiADC's tcpdump feature is that you can capture packets based on header information, capture packets to/from servers or cluster and ports, or capture packets to/from objects based on protocol, such as ICMP.
In all cases, only packets that match expressions will be processed by tcpdump.
tcpdump is used from the FortiADC CLI with the eqcli > diags tcpdump command, or with the tcpdump command from within the diags context. The number of packets captured can be specified either in the command line syntax or by manually halting a capture in progress with CTRL+C. For example, to capture packets from a server (sv01), you would enter the following:
eqcli diags > tcpdump count 50 capture server sv01
In this example, tcpdump will capture 50 packets to/from server sv01 and store the capture in .../var/crash in the FortiADC file system. Since the number of packets to capture is specified, it is not necessary to use CTRL+C to stop the capture.
Internally, FortiADC stores up to 10MB of capture data in up to ten 1MB raw packet capture files. That is, 1MB files are filled with capture data until a maximum of 10 files are full. When the 10 files are full, incoming captures overwrite the first 1MB file, then the second, and so on. If a packet count is not specified in the CLI syntax, this mechanism prevents captured data from exceeding FortiADC's 10MB capacity.
The tcpdump files stored in the FortiADC file system have the following name format:
tcpdump_objecttypeobjectname-tcp-pcap_MM_DD_YY_HH-MM{AM|PM}.tgz
where objecttype can be:
iface - an interface
agr - an aggregated interface
sv - a server
vlan - a VLAN
cl - a cluster
The time stamp in the file name is the time that the file was generated.
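The capture file names above carry the object type, object name and generation time, which is useful when sorting or auditing the captures left in .../var/crash. The following parser is an added example and is not FortiADC's own code; it assumes the object type and object name are concatenated with no separator, exactly as the format string shows, and the file names it parses are constructed samples.

```python
import re
from datetime import datetime

# Object type prefixes listed in the documentation for the capture file name.
OBJECT_TYPES = ("iface", "agr", "sv", "vlan", "cl")

# tcpdump_<objecttype><objectname>-tcp-pcap_MM_DD_YY_HH-MM{AM|PM}.tgz
NAME_RE = re.compile(
    r"^tcpdump_(?P<obj>.+)-tcp-pcap_"
    r"(?P<ts>\d{2}_\d{2}_\d{2}_\d{2}-\d{2}(?:AM|PM))\.tgz$"
)


def parse_capture_name(name):
    """Split a capture file name into object type, object name and timestamp.

    Raises ValueError when the name does not follow the documented format.
    """
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a FortiADC tcpdump capture name: {name!r}")
    obj = m.group("obj")
    # The type is a fixed prefix glued directly to the object name.
    for objtype in OBJECT_TYPES:
        if obj.startswith(objtype) and len(obj) > len(objtype):
            break
    else:
        raise ValueError(f"unknown object type in {obj!r}")
    # MM_DD_YY_HH-MM with a 12-hour clock and AM/PM suffix.
    ts = datetime.strptime(m.group("ts"), "%m_%d_%y_%I-%M%p")
    return {"objecttype": objtype, "objectname": obj[len(objtype):], "timestamp": ts}


def newest_capture(names):
    """Return the file name with the latest generation time stamp."""
    return max(names, key=lambda n: parse_capture_name(n)["timestamp"])


# Constructed sample file names (not taken from a real appliance).
SAMPLE_NAMES = [
    "tcpdump_svsv01-tcp-pcap_03_14_24_12-33PM.tgz",
    "tcpdump_clcl-http-tcp-pcap_03_14_24_01-05AM.tgz",
    "tcpdump_ifaceif01-tcp-pcap_03_15_24_09-10AM.tgz",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(parse_capture_name(n))
    print("newest:", newest_capture(SAMPLE_NAMES))
```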
Foreground Feature
You also have the option of printing the output of a tcpdump capture to your screen rather than to a pcap file. Using the fg command within the CLI syntax, you can capture one instance at a time. In the example below, 10 packets are captured from the cluster cl-http.
eqcli > diags tcpdump fg count 10 capture cluster cl-http
tcpdump: Press Ctrl+C to quit.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wm0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:33:35.312242 ARP, Request who-has 172.16.166.10 tell 172.16.128.1, length 46
12:33:35.312253 ARP, Reply 172.16.166.10 is-at 00:90:0b:29:89:88 (oui Unknown), length 28
12:33:35.312342 IP 192.168.10.19.49749 > 172.16.166.10.http: Flags [S], seq 1452094800, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale 6], length 0
12:33:35.312374 IP 172.16.166.10.http > 192.168.10.19.49749: Flags [S.], seq 771217372, ack 1452094801, win 46417, options [mss 1460,nop,wscale 4,nop,nop,TS val 1 ecr 6931863,sackOK,nop,nop], length 0
12:33:35.313494 IP 192.168.10.19.49750 > 172.16.166.10.http: Flags [S], seq 1451122556, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale 6], length 0
12:33:35.313513 IP 172.16.166.10.http > 192.168.10.19.49750: Flags [S.], seq 778147759, ack 1451122557, win 57213, options [mss 1460,nop,wscale 4,nop,nop,TS val 1 ecr 6931863,sackOK,nop,nop], length 0
12:33:35.314834 IP 192.168.10.19.49752 > 172.16.166.10.http: Flags [S], seq 1457919162, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale 6], length 0
12:33:35.314835 IP 192.168.10.19.49751 > 172.16.166.10.http: Flags [S], seq 1459230960, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale 6], length 0
12:33:35.314842 IP 192.168.10.19.49753 > 172.16.166.10.http: Flags [S], seq 1461671172, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale 6], length 0
12:33:35.314847 IP 172.16.166.10.http > 192.168.10.19.49751: Flags [S.], seq 793126319, ack 1459230961, win 39153, options [mss 1460,nop,wscale 4,nop,nop,TS val 1 ecr 6931863,sackOK,nop,nop], length 0
10 packets captured
409 packets received by filter
0 packets dropped by kernel
12000004: You have 8 pending alert notifications.
eqcli >
Using Custom Filtering Expressions
Custom filtering expressions can be used in the tcpdump CLI syntax to trim out various types of traffic. You can combine them in different ways to find exactly what you're looking for. PCAP filtering expressions are used in these cases. Refer to www.tcpdump.org for detailed descriptions of PCAP filtering expressions.
When using custom PCAP filtering expressions, the expr keyword is used in the CLI syntax. For example:
eqcli diags> tcpdump capture iface|agr|vlan|cluster|server expr pcap filter expression
Examples are provided below that show header-based filtering, host-based filtering, port filtering, and protocol filtering. As described above, the resultant tcpdump_objecttypeobjectname-tcp-pcap_MM_DD_YY_HH-MM{AM|PM}.tgz file will be stored in FortiADC's file system in .../var/crash.
Examples
Expressions select which packets will be included in the packet capture. If no expression is given, ALL packets on the network that are from/to the specified VLAN/interface(port)/aggregated interface/cluster/server will be included. Otherwise, only packets for which the expression is "true" will be captured.
Header based filtering:
eqcli-diags> tcpdump capture iface if01 expr "tcp[13] & 2 != 0"
eqcli-diags> tcpdump capture vlan vl01 expr "tcp[13] & 3 != 0"
eqcli-diags> tcpdump capture cluster cl01 expr "ip[2:2] > 576"
Host based filtering:
eqcli-diags> tcpdump capture server sv01 expr "host #.#.#.#"
Filtering ports:
eqcli-diags> tcpdump capture cluster cl01 expr "port XX"
Protocol filtering:
eqcli-diags> tcpdump capture iface if01 expr "icmp"
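The header-based expressions above index raw bytes: tcp[13] is the TCP flags byte (bit 2 is SYN, bit 1 is FIN, so & 2 selects SYN and & 3 selects SYN or FIN) and ip[2:2] is the two-byte IPv4 total length field. The following script is an added example, not FortiADC or tcpdump code; it builds constructed IPv4/TCP packets and evaluates the page's three expressions against them the way the BPF filter does, so you can check what a filter will match before running a capture.

```python
import struct


def build_ipv4_tcp(src, dst, sport, dport, flags, payload_len=0):
    """Constructed sample packet: minimal IPv4 header + 20-byte TCP header + padding."""
    total_len = 20 + 20 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 6, 0,   # v4/IHL=5, proto 6 (TCP)
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)  # offset 5 words
    return ip_hdr + tcp_hdr + b"\x00" * payload_len


def ip_field(pkt, offset, size=1):
    """ip[offset:size] - bytes counted from the start of the IPv4 header."""
    return int.from_bytes(pkt[offset:offset + size], "big")


def tcp_field(pkt, offset, size=1):
    """tcp[offset:size] - bytes counted from the start of the TCP header (after IHL)."""
    ihl = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[ihl + offset:ihl + offset + size], "big")


# The three header-based expressions from the documentation, as predicates.
FILTERS = {
    "tcp[13] & 2 != 0": lambda p: tcp_field(p, 13) & 2 != 0,   # SYN set (incl. SYN-ACK)
    "tcp[13] & 3 != 0": lambda p: tcp_field(p, 13) & 3 != 0,   # SYN or FIN set
    "ip[2:2] > 576":    lambda p: ip_field(p, 2, 2) > 576,     # IP total length > 576
}


def apply_filter(expr, packets):
    """Return the indices of packets the expression would let through."""
    return [i for i, p in enumerate(packets) if FILTERS[expr](p)]


# Constructed traffic: SYN, SYN-ACK, ACK, FIN-ACK, and a large ACK with 1000 bytes of data.
SAMPLE = [
    build_ipv4_tcp("192.168.10.19", "172.16.166.10", 49749, 80, 0x02),
    build_ipv4_tcp("172.16.166.10", "192.168.10.19", 80, 49749, 0x12),
    build_ipv4_tcp("192.168.10.19", "172.16.166.10", 49749, 80, 0x10),
    build_ipv4_tcp("192.168.10.19", "172.16.166.10", 49749, 80, 0x11),
    build_ipv4_tcp("172.16.166.10", "192.168.10.19", 80, 49749, 0x10, payload_len=1000),
]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:20} -> packets {apply_filter(expr, SAMPLE)}")
```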