diagnose commands
You can use the CLI diagnose commands to gather diagnostic information that can be useful to Fortinet Customer Care when diagnosing any issues with your system.
The following examples show the lists of diagnose commands:
FortiADC-VM # diagnose ?
debug debug
hardware hardware
netlink netlink
sniffer sniffer
system system
 
FortiADC-VM # diagnose debug ?
application set/get debug level for daemons
cli set/get debug level for CLI and CMDB
disable disable debug output
enable enable debug output
info show debug info
kernel set/get debug level for kernel
 
FortiADC-VM # diagnose hardware get ?
deviceinfo list device status and information
ioport read data from an I/O port
pciconfig list information on PCI buses and connected devices
sysinfo list system hardware information
 
FortiADC-VM # diagnose netlink ?
backlog set netlink backlog length
device display network devices statistic information
interface netlink interface
ip ip
ipv6 ipv6
neighbor netlink neighbor
neighbor6 netlink neighbor for ipv6
queue-len set netlink TX queue length
redundant redundant interface
route netlink routing table
route6 netlink routing table
rtcache netlink realtime cache
tcp display tcp statistic information
udp display udp statistic information
 
FortiADC-VM # diagnose system ?
top show top process
vmware check vmware state
diagnose command example: packet sniffer
The FortiADC OS includes the same packet sniffer utility as FortiGate. It works the same way. Support engineers who are familiar with the FortiGate sniffer might instruct you to use it instead of tcpdump.
To use the sniffer, connect to the CLI and enter the following command:
diagnose sniffer packet [{any | <interface_name>} [{none | '<filter_str>'} [{1 | 2 | 3} [<packets_int>]]]]
<interface_name> is either the name of a network interface, such as port1, or enter any for all interfaces.
'<filter_str>' is the sniffer filter that specifies which protocols and port numbers you do or do not want to capture, such as 'tcp port 80', or enter none for no filters. Filters use tcpdump syntax.
{1 | 2 | 3} is an integer indicating whether to display the network interface names, packet headers, and/or payloads for each packet that the network interface sends, receives, or sees:
1—Display the packet capture timestamp, plus basic fields of the IP header: the source IP address, the destination IP address, protocol name, and destination port number.
Does not display all fields of the IP header; it omits:
IP version number bits
Internet header length (ihl)
type of service/differentiated services code point (tos)
explicit congestion notification
total packet or fragment length
packet ID
IP header checksum
time to live (TTL)
IP flag
fragment offset
options bits
e.g.:
2—All of the output from 1, plus the packet payload in both hexadecimal and ASCII. e.g.:
3—All of the output from 2, plus the link layer (Ethernet) header. e.g.:
<packets_int> is the number of packets the sniffer reads before stopping. Packet capture output is printed to your CLI display until you stop it by pressing Ctrl+C, or until it reaches the number of packets that you have specified to capture.
 
Packet capture can be very resource intensive. To minimize the performance impact on your FortiADC appliance, use packet capture only during periods of minimal traffic, with a local console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.
For example, you might capture all TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its source or destination IP address. The capture uses a high level of verbosity (indicated by 3).
A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Ctrl+C. The sniffer then confirms that five packets were seen by that network interface.
Verbose output can be very long. As a result, output shown below is truncated after only one packet.
FortiADC# diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
0x0040 86bb 0000 0000 0103 0303 ..........
 
Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text file using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than US-ASCII. It is often, but not always, preferable to analyze the output by loading it into a network protocol analyzer application such as Wireshark (http://www.wireshark.org/).
For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output to a file. Methods may vary. See the documentation for your CLI client.
Requirements
Terminal emulation software such as PuTTY
A plain text editor such as Notepad
A Perl interpreter
Network protocol analyzer software such as Wireshark
To view packet capture output using PuTTY and Wireshark:
1. On your management computer, start PuTTY.
2. Use PuTTY to connect to the FortiADC appliance using either a local console, SSH, or Telnet connection.
3. Type the packet capture command, such as:
diagnose sniffer packet port1 'tcp port 443' 3
but do not press Enter yet.
4. In the upper left corner of the window, click the PuTTY icon to open its drop-down menu, then select Change Settings.
A dialog appears where you can configure PuTTY to save output to a plain text file.
5. In the Category tree on the left, go to Session > Logging.
6. In Session logging, select Printable output.
7. In Log file name, click the Browse button, then choose a directory path and file name such as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. (You do not need to save it with the .log file extension.)
8. Click Save.
9. Press Enter to send the CLI command to the FortiADC appliance, beginning packet capture.
10. If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze, press Ctrl + C to stop the capture.
11. Close the PuTTY window.
12. Open the packet capture file using a plain text editor such as Notepad.
13. Delete the first and last lines, which look like this:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiADC-2000 #
These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not delete them, they could interfere with the script in the next step.
14. Convert the plain text file to a format recognizable by your network protocol analyzer application.
You can convert the plain text file to a format (.pcap) recognizable by Wireshark (formerly called Ethereal) using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.
 
The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you first install a Perl module compatible with your operating system.
To use fgt2eth.pl, open a command prompt, then enter a command such as the following:
fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap
where:
fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is indicated by the command prompt
packet_capture.txt is the name of the packet capture’s output file; include the directory path relative to your current directory
packet_capture.pcap is the name of the conversion script’s output file; include the directory path relative to your current directory where you want the converted output to be saved
Methods to open a command prompt vary by operating system.
On Windows XP, go to Start > Run and enter cmd.
On Windows 7, click the Start (Windows logo) menu to open it, then enter cmd.
Figure 66:  Converting sniffer output to .pcap format
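As an added illustration (this is not the fgt2eth.pl script and not Fortinet's code), the following Python performs the same conversion for verbosity-3 sniffer output: it parses the summary line and hex dump shown earlier on this page into raw Ethernet frames, decodes the IPv4 header fields that verbosity 1 omits, and builds a classic pcap that Wireshark can open. The sample text is the one-packet capture from this page; the IPv4 offsets assume each frame starts with the 14-byte Ethernet header that verbosity 3 includes.

```python
import re
import struct

# Constructed sample: the verbosity-3 capture shown on this page (one TCP SYN).
SAMPLE = """interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000 0009 0f09 0001 0009 0f89 2914 0800 4500 ..........)...E.
0x0010 003c 73d1 4000 4006 3bc6 d157 fede ac16 .<s.@.@.;..W....
0x0020 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002 ...B..-f........
0x0030 16d0 4f72 0000 0204 05b4 0402 080a 03ab ..Or............
0x0040 86bb 0000 0000 0103 0303 ..........
"""
SUMMARY_RE = re.compile(r"^(\d+\.\d+) \S+ -> \S+:")   # "<ts> <src> -> <dst>: ..."
HEX_RE = re.compile(r"^0x([0-9a-f]+)\s+(.*)$")        # "<offset> <hex words> <ascii>"

def parse_sniffer(text):
    """Return [(timestamp_seconds, frame_bytes), ...] from verbosity-3 output."""
    packets, ts, buf = [], None, bytearray()
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:                                   # summary line starts a new packet
            if buf:
                packets.append((ts, bytes(buf)))
            ts, buf = float(m.group(1)), bytearray()
            continue
        m = HEX_RE.match(line)
        # Accept a dump line only if its offset continues the current frame.
        if m and ts is not None and int(m.group(1), 16) == len(buf):
            for tok in m.group(2).split()[:8]:  # at most eight 16-bit words per line
                if not re.fullmatch(r"[0-9a-f]{4}", tok):
                    break                       # reached the ASCII column
                buf += bytes.fromhex(tok)
    if buf:
        packets.append((ts, bytes(buf)))
    return packets

def ip_header_fields(frame):
    """Decode the IPv4 header fields that verbosity 1 omits (after the 14-byte Ethernet header)."""
    vi, tos, length, pid, ff, ttl, proto, csum = struct.unpack("!BBHHHBBH", frame[14:26])
    return {"version": vi >> 4, "ihl": vi & 0xF, "tos": tos, "length": length, "id": pid,
            "flags": ff >> 13, "frag_off": ff & 0x1FFF, "ttl": ttl, "proto": proto, "checksum": csum}

def to_pcap(packets):
    """Serialize frames as classic pcap (little-endian magic, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out
```

Write the bytes returned by to_pcap(parse_sniffer(text)) to a .pcap file and open it in Wireshark; the PuTTY timestamp and prompt lines mentioned in step 13 are ignored by the parser because they match neither pattern.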
15. Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for that application.
Figure 67:  Viewing sniffer output in Wireshark
For additional information on packet capture, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.