Chapter 19 Virtual Domains : Troubleshooting Virtual Domains : General VDOM tips and troubleshooting : Perform a sniffer trace : How to sniff packets
  
How to sniff packets
When you are using VDOMs, you must be in a VDOM to access the diag sniffer command. At the global level, the command is not available. This is limit the packets only to the ones on your VDOM, and protects the privacy of other VDOM clients.
The general form of the internal FortiOS packet sniffer command is:
 
diag sniffer packet <interface_name> <‘filter’> <verbose> <count>
 
To stop the sniffer, type CTRL+C.
<interface_name>
The name of the interface to sniff, such as “port1” or “internal”. This can also be “any” to sniff all interfaces.
<‘filter’>
What to look for in the information the sniffer reads. “none” indicates no filtering, and all packets will be displayed as the other arguments indicate.
The filter must be inside single quotes (‘).
<verbose>
The level of verbosity as one of:
1 - print header of packets
2 - print header and data from IP of packets
3 - print header and data from Ethernet of packets
<count>
The number of packets the sniffer reads before stopping. If you don’t put a number here, the sniffer will run forever unit you stop it with <CTRL C>.
For a simple sniffing example, enter the CLI command diag sniffer packet port1 none 1 3. This will display the next 3 packets on the port1 interface using no filtering, and using verbose level 1. At this verbosity level you can see the source IP and port, the destination IP and port, action (such as ack), and sequence numbers.
In the output below, port 443 indicates these are HTTPS packets, and 172.20.120.17 is both sending and receiving traffic.
Head_Office_620b # diag sniffer packet port1 none 1 3
interfaces=[port1]
filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh 3177924955 ack 1854307757
 
0.545963 172.20.120.141.443 -> 172.20.120.17.52989: psh 1854307757 ack 3177925808
 
0.562409 172.20.120.17.52988 -> 172.20.120.141.443: psh 4225311614 ack 3314279933
For a more advanced example of packet sniffing, the following commands will report packets on any interface travelling between a computer with the host name of PC1 and the computer with the host name of PC2. With verbosity 4 and above, the sniffer trace will display the interface names where traffic enters or leaves the FortiGate unit. Remember to stop the sniffer, type CTRL+C. Note that PC1 and PC2 may be VDOMs.
 
FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4
 
or
 
FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4
The following sniffer CLI command includes the ARP protocol in the filter which may be useful to troubleshoot a failure in the ARP resolution (for instance PC2 may be down and not responding to the FortiGate ARP requests).
 
FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4