Maintaining the system : Using the traffic capture
When troubleshooting networks, it helps to look inside the contents of the packets. This helps to determine if the packets, route, and destination are all what you expect. Traffic capture can also be called packet sniffing, a network tap, or logic analyzing.
Packet sniffing tells you what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as:
finding missing traffic
seeing if sessions are setting up properly
locating ARP problems such as broadcast storm sources and causes
confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks
confirming routing is working as you expect
finding the cause of intermittently missing ping packets.
If you are running a constant traffic application such as ping, packet sniffing can tell you if the traffic is reaching the destination, how the traffic enters and exits the FortiRecorder unit, if the ARP resolution is correct, and if the traffic is returning to the source as expected. You can also use packet sniffing to verify that NAT or other configuration is translating addresses or routing traffic the way that you want it to.
Before you start sniffing packets, you need to have a good idea of what you are looking for. Sniffing is used to confirm or deny your ideas about what is happening on the network. If you try sniffing without a plan to narrow your search, you could end up with too much data to effectively analyze. On the other hand, you need to sniff enough packets to really understand all of the patterns and behavior that you are looking for.
To capture the traffic
1. Go to Maintenance > System > Traffic Capture.
2. Click New.
3. Enter a description for the file generated from the captured traffic.
4. Enter the time period for performing the packet capture.
5. Specify which interface you want to capture.
6. If you want to limit the scope of the traffic capture, in the IP/HOST field, enter a maximum of 3 IP addresses or host names for which you want to capture traffic.
7. Select the filter for the traffic capture:
Use protocol: Only UDP or TCP traffic on the specified port number will be captured.
Capture all: All network traffic will be captured.
8. For Exclusion, enter the IP addresses/host names and port numbers for which you do not want to capture traffic.
9. Click Create.
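The filter fields in steps 6 to 8 together define the capture scope, and the plan you make before sniffing (see above) has to fit within them. As an added example, not FortiRecorder's own code, the Python helper below models those fields, enforces the limits the page states (at most 3 entries in IP/HOST; Use protocol only with UDP or TCP and a port number), and emits an equivalent BPF display filter; the BPF mapping is an assumption used only for re-checking the saved capture file in a tool such as tcpdump or Wireshark.

```python
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress
import re

MAX_HOSTS = 3  # the IP/HOST field accepts at most 3 entries (from the page)
# Hypothetical host-name check: labels of letters, digits and hyphens.
_HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                       r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def _host_term(h: str) -> str:
    """Return a BPF 'host X' term; reject values that are neither IP nor host name."""
    try:
        ipaddress.ip_address(h)
    except ValueError:
        if not _HOSTNAME.match(h):
            raise ValueError(f"invalid IP/host entry: {h!r}")
    return f"host {h}"

@dataclass
class CapturePlan:
    interface: str                                      # step 5 (not part of the filter)
    hosts: List[str] = field(default_factory=list)      # step 6, IP/HOST field
    protocol: Optional[str] = None                      # step 7: "udp"/"tcp", None = Capture all
    port: Optional[int] = None                          # step 7: port used with Use protocol
    exclude_hosts: List[str] = field(default_factory=list)  # step 8, Exclusion
    exclude_ports: List[int] = field(default_factory=list)  # step 8, Exclusion

def build_filter(plan: CapturePlan) -> str:
    """Validate the plan against the GUI limits and return an equivalent BPF expression."""
    if len(plan.hosts) > MAX_HOSTS:
        raise ValueError(f"IP/HOST field allows at most {MAX_HOSTS} entries")
    if plan.protocol is not None:
        if plan.protocol not in ("udp", "tcp"):
            raise ValueError("'Use protocol' supports only udp or tcp")
        if plan.port is None or not 0 < plan.port < 65536:
            raise ValueError("'Use protocol' requires a valid port number")
    parts = []
    if plan.hosts:
        parts.append("(" + " or ".join(_host_term(h) for h in plan.hosts) + ")")
    if plan.protocol:
        parts.append(f"{plan.protocol} port {plan.port}")
    for h in plan.exclude_hosts:
        parts.append("not " + _host_term(h))
    for p in plan.exclude_ports:
        parts.append(f"not port {p}")
    return " and ".join(parts)  # an empty string corresponds to "Capture all"
```

Constructed sample values only; substitute the interface, hosts and ports from your own capture plan.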