
Using tcpdump

Note - You must have administrator privileges on your FortiADC to use the tcpdump feature.

tcpdump is a packet analyzer tool that can be used to analyze FortiADC packet activity to/from interfaces, aggregated interfaces, VLANs, clusters, and servers.

It prints a description of the contents of network packets transmitted or received on the network the appliance is installed on, and lets you intercept TCP/IP and other packets. Only packets that match the Boolean filter expression are processed; the captured packet data is saved to a *.tgz file stored in .../var/crash in the FortiADC file system, where it can be retrieved for later analysis. You can capture packets from a maximum of 5 objects at one time.

FortiADC's tcpdump feature lets you capture packets based on header fields, packets to/from a particular server or cluster and port, or packets to/from an object based on protocol, such as ICMP.

In all cases, only packets that match the expression will be processed by tcpdump.

tcpdump is run from the FortiADC CLI, either as eqcli > diags tcpdump ... from the top level or as tcpdump ... from within the diags context. The number of packets to capture can be given on the command line; otherwise the capture runs until you stop it manually with CTRL+C. For example, to capture packets to/from a server named sv01, enter:

eqcli diags > tcpdump count 50 capture server sv01

In this example, tcpdump will capture 50 packets to/from server sv01 and store the capture to .../var/crash in the FortiADC file system. Since the number of packets to capture is specified, it is not necessary to use CTRL+C to stop the capture.

Internally, FortiADC stores raw capture data in a ring of ten 1MB files, 10MB in total. The 1MB files are filled in turn until all ten are full; after that, new capture data overwrites the first 1MB file, then the second, and so on. When no packet count is given on the command line, this mechanism keeps the captured data from exceeding the 10MB capacity, at the cost of losing the oldest data once the ring wraps around.
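To see what the ring behaviour means for a capture started without a packet count, here is an added Python model; it is not FortiADC's implementation. It writes numbered records through ten fixed-size slots, overwriting the oldest slot once all ten are full, and reads back what survives in oldest-first order. The slot size is scaled down to 1000 bytes so it runs instantly; the file names, the record layout and the sample record stream are assumptions for illustration.

```python
import os
import struct
import tempfile

SLOTS = 10  # FortiADC keeps ten slots; the slot size used here is scaled down from 1MB


class CaptureRing:
    """Ring of capture files: fill slot 0, then 1, ... then overwrite slot 0 again."""

    def __init__(self, directory, slot_size):
        self.dir = directory
        self.slot_size = slot_size
        self.slot = 0          # slot currently being written
        self.used = 0          # bytes already in that slot
        self.wrapped = False   # True once slot 9 filled and writing returned to slot 0
        open(self._path(0), "wb").close()

    def _path(self, i):
        # Hypothetical file name; the appliance's real raw file names are not documented here
        return os.path.join(self.dir, f"capture-{i}.raw")

    def write(self, record):
        if self.used + len(record) > self.slot_size:
            self.slot = (self.slot + 1) % SLOTS
            if self.slot == 0:
                self.wrapped = True
            # Overwrite: whatever this slot held from the previous pass is lost
            open(self._path(self.slot), "wb").close()
            self.used = 0
        with open(self._path(self.slot), "ab") as fh:
            fh.write(record)
        self.used += len(record)

    def read_in_order(self, record_len):
        """Return the surviving fixed-length records, oldest first."""
        if self.wrapped:
            # The oldest data sits in the slot just after the one being written
            order = [(self.slot + 1 + i) % SLOTS for i in range(SLOTS)]
        else:
            order = range(self.slot + 1)
        records = []
        for i in order:
            with open(self._path(i), "rb") as fh:
                data = fh.read()
            records.extend(data[j:j + record_len] for j in range(0, len(data), record_len))
        return records


def simulate(n_records, record_len=100, slot_size=1000):
    """Push n_records numbered records through the ring; return (first, last, count) of survivors."""
    with tempfile.TemporaryDirectory() as tmp:
        ring = CaptureRing(tmp, slot_size)
        for seq in range(n_records):
            # Constructed record: 4-byte sequence number padded to record_len bytes
            ring.write(struct.pack("!I", seq).ljust(record_len, b"\x00"))
        survivors = ring.read_in_order(record_len)
    seqs = [struct.unpack("!I", r[:4])[0] for r in survivors]
    return seqs[0], seqs[-1], len(seqs)


if __name__ == "__main__":
    # Ten slots of ten records hold 100 records; with 250 written only 150..249 remain
    print(simulate(250))
```

With 100-byte records and 1000-byte slots the ring holds 100 records; writing 250 leaves only the last 100, and the moment the ring wraps, the oldest slot is the one after the current write slot, which is why recovery order matters when you later stitch the files together.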

Capture files saved in the FortiADC file system are named in the following format:

tcpdump_objecttypeobjectname-tcp-pcap_MM_DD_YY_HH-MM{AM|PM}.tgz

where objecttype is the type of object captured (interface, aggregated interface, VLAN, cluster, or server) and objectname is the name of that object as given in the capture command.

The time stamp in the file name is the time that the file was generated.

Foreground Feature

You also have the option of printing the output of a tcpdump capture to your screen rather than to a pcap file, by adding the fg (foreground) keyword to the CLI syntax. Only one foreground capture can run at a time. In the example below, 10 packets are captured from a cluster named cl-http:

eqcli > diags tcpdump fg count 10 capture cluster cl-http
 
tcpdump: Press Ctrl+C to quit.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wm0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:33:35.312242 ARP, Request who-has 172.16.166.10 tell 172.16.128.1, length 46
12:33:35.312253 ARP, Reply 172.16.166.10 is-at 00:90:0b:29:89:88 (oui Unknown),
length 28
12:33:35.312342 IP 192.168.10.19.49749 > 172.16.166.10.http: Flags [S], seq
1452094800, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale
6], length 0
12:33:35.312374 IP 172.16.166.10.http > 192.168.10.19.49749: Flags [S.], seq
771217372, ack 1452094801, win 46417, options [mss 1460,nop,wscale 4,nop,nop,TS
val 1 ecr 6931863,sackOK,nop,nop], length 0
12:33:35.313494 IP 192.168.10.19.49750 > 172.16.166.10.http: Flags [S], seq
1451122556, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale
6], length 0
12:33:35.313513 IP 172.16.166.10.http > 192.168.10.19.49750: Flags [S.], seq
778147759, ack 1451122557, win 57213, options [mss 1460,nop,wscale 4,nop,nop,TS
val 1 ecr 6931863,sackOK,nop,nop], length 0
12:33:35.314834 IP 192.168.10.19.49752 > 172.16.166.10.http: Flags [S], seq
1457919162, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale
6], length 0
12:33:35.314835 IP 192.168.10.19.49751 > 172.16.166.10.http: Flags [S], seq
1459230960, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale
6], length 0
12:33:35.314842 IP 192.168.10.19.49753 > 172.16.166.10.http: Flags [S], seq
1461671172, win 5840, options [mss 1460,sackOK,TS val 6931863 ecr 0,nop,wscale
6], length 0
12:33:35.314847 IP 172.16.166.10.http > 192.168.10.19.49751: Flags [S.], seq
793126319, ack 1459230961, win 39153, options [mss 1460,nop,wscale 4,nop,nop,TS
val 1 ecr 6931863,sackOK,nop,nop], length 0
10 packets captured
409 packets received by filter
0 packets dropped by kernel
12000004: You have 8 pending alert notifications.
eqcli >

Using Custom Filtering Expressions

Custom filtering expressions can be added to the tcpdump CLI syntax to trim out traffic you are not interested in, and they can be combined to find exactly what you are looking for. These are standard PCAP filter expressions; refer to www.tcpdump.org for a detailed description of the filter syntax.

To use a custom PCAP filter expression, add the expr keyword followed by the expression to the CLI syntax. For example:

eqcli diags> tcpdump capture iface|agr|vlan|cluster|server objectname expr "pcap filter expression"

Examples are provided below of header-based, host-based, port, and protocol filtering. As described above, the resulting tcpdump_objecttypeobjectname-tcp-pcap_MM_DD_YY_HH-MM{AM|PM}.tgz file is stored in .../var/crash in FortiADC's file system. Captures contain full packet payloads, so treat the saved files as sensitive. For an HTTPS cluster, the payload between the client and the cluster is encrypted, so a client-side capture shows the TCP and TLS handshake exchange but not the HTTP content.

Examples

Expressions select which packets are included in the packet capture. If no expression is given, ALL packets that are to/from the specified VLAN, interface (port), aggregated interface, cluster, or server are included. Otherwise, only packets for which the expression is "true" are captured.

Header-based filtering:

  1. Capture only packets with the SYN flag set (bit 0x02 of TCP header byte 13; this also matches SYN-ACK replies) on an interface if01:
eqcli-diags> tcpdump capture iface if01 expr "tcp[13] & 2 != 0"
  2. Capture only packets with the SYN or FIN flag set on a VLAN vl01:
eqcli-diags> tcpdump capture vlan vl01 expr "tcp[13] & 3 != 0"
  3. Capture all packets to/from a cluster cl01 whose IP total length is larger than 576 bytes:
eqcli-diags> tcpdump capture cluster cl01 expr "ip[2:2] > 576"

Host-based filtering:

  1. Capture traffic between a server sv01 and a host with IP #.#.#.#:
eqcli-diags> tcpdump capture server sv01 expr "host #.#.#.#"

Filtering ports:

  1. Capture all packets to/from a cluster cl01 and a port XX:
eqcli-diags> tcpdump capture cluster cl01 expr "port XX"

Protocol filtering:

  1. Capture all ICMP packets to/from an interface instance if01:
eqcli-diags> tcpdump capture iface if01 expr "icmp"
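The following Python script is an added example, not part of the FortiADC documentation or product. It decodes Ethernet/IPv4/TCP headers by hand and evaluates the expressions from the examples above against constructed frames (the addresses are borrowed from the foreground capture shown earlier), so the byte offsets the expressions index into are visible. It also shows the caveat of the first expression: tcp[13] & 2 != 0 keeps the SYN-ACK reply as well as the initial SYN. The frame builders, the labels and the sample traffic are constructed for illustration; the port and host values stand in for the XX and #.#.#.# placeholders.

```python
import struct

# Constants for the headers the expressions index into
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
TH_FIN, TH_SYN, TH_ACK = 0x01, 0x02, 0x10


def _addr(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_frame(src, dst, proto, payload):
    """Ethernet + IPv4 header (no options, checksum left zero) + payload; constructed test data."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                            _addr(src), _addr(dst))
    eth_header = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_header + ip_header + payload


def build_tcp(sport, dport, flags, payload=b""):
    """TCP header with a 5-word data offset (no options), checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload


def ip_bytes(frame):
    """The bytes that ip[...] indexes: the IPv4 header onward, or None if not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return frame[ETH_HDR_LEN:]


def tcp_bytes(frame):
    """The bytes that tcp[...] indexes: the TCP header onward, skipping the IP header by its IHL."""
    ip = ip_bytes(frame)
    if ip is None or ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    return ip[ihl:]


def syn_flag_set(frame):             # tcp[13] & 2 != 0
    tcp = tcp_bytes(frame)
    return tcp is not None and tcp[13] & 0x02 != 0


def syn_or_fin_set(frame):           # tcp[13] & 3 != 0
    tcp = tcp_bytes(frame)
    return tcp is not None and tcp[13] & 0x03 != 0


def longer_than_576(frame):          # ip[2:2] > 576  (IPv4 total length field)
    ip = ip_bytes(frame)
    return ip is not None and struct.unpack("!H", ip[2:4])[0] > 576


def has_port(frame, port):           # port XX  (TCP source or destination port here)
    tcp = tcp_bytes(frame)
    return tcp is not None and port in struct.unpack("!HH", tcp[:4])


def has_host(frame, host):           # host #.#.#.#  (IP source or destination address)
    ip = ip_bytes(frame)
    return ip is not None and _addr(host) in (ip[12:16], ip[16:20])


def is_icmp(frame):                  # icmp
    ip = ip_bytes(frame)
    return ip is not None and ip[9] == IPPROTO_ICMP


# The expressions from the examples above, as predicates over a raw frame
FILTERS = {
    "tcp[13] & 2 != 0": syn_flag_set,
    "tcp[13] & 3 != 0": syn_or_fin_set,
    "ip[2:2] > 576": longer_than_576,
    "port 80": lambda f: has_port(f, 80),
    "host 172.16.166.10": lambda f: has_host(f, "172.16.166.10"),
    "icmp": is_icmp,
}

CLIENT, VIP, GW = "192.168.10.19", "172.16.166.10", "172.16.128.1"  # from the capture above

# Constructed sample traffic: a handshake, a data segment, a close, and a ping to the VIP
SAMPLE = {
    "syn":      build_ipv4_frame(CLIENT, VIP, IPPROTO_TCP, build_tcp(49749, 80, TH_SYN)),
    "synack":   build_ipv4_frame(VIP, CLIENT, IPPROTO_TCP, build_tcp(80, 49749, TH_SYN | TH_ACK)),
    "ack_data": build_ipv4_frame(CLIENT, VIP, IPPROTO_TCP, build_tcp(49749, 80, TH_ACK, b"A" * 600)),
    "fin":      build_ipv4_frame(VIP, CLIENT, IPPROTO_TCP, build_tcp(80, 49749, TH_FIN | TH_ACK)),
    "icmp":     build_ipv4_frame(GW, VIP, IPPROTO_ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01"),
}


def select(expr, frames=SAMPLE):
    """Labels of the frames the expression would keep, in capture order."""
    predicate = FILTERS[expr]
    return [label for label, frame in frames.items() if predicate(frame)]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:22s} -> {select(expr)}")
```

If you want only the client's initial SYN and not the SYN-ACK, test both bits at once, for example "tcp[13] & 0x12 == 2", which is the same masking idea carried one step further.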
