Chapter 18 Troubleshooting : Troubleshooting tools : FortiOS diagnostics : Packet sniffing and packet capture : Packet sniffing
  
Packet sniffing
Before you start sniffing packets on the CLI, be prepared to capture the output to a file: the sniffer can produce far more data than you can read as it scrolls past, and only a saved copy can be analyzed afterwards. One method is to connect to the FortiGate unit's CLI with a terminal program such as PuTTY with session logging enabled. Once the packet count is reached (or you stop the sniffer), end the session and analyze the output in the log file. If you intend to convert the dump to pcap format later, capture with verbose level 3 or 6 so that the full Ethernet frame is included.
Details within packets passing through particular interfaces can be displayed using the packet sniffer with the following command:
diag sniffer packet <interface> <filter> <verbose> <count> <tsformat>
The <interface> value is required; the remaining values are optional. Any optional value that is not included defaults to "none".
For example the simplest valid sniffer command would be:
diag sniffer packet any
 
The <interface> value can be any physical or virtual interface name. Use any to sniff packets on all interfaces.
 
The <filter> value limits the packets displayed using filter expressions, including Berkeley Packet Filter (BPF) syntax. The <filter> value must be enclosed in single quotes:
'[[src|dst] host <host_name_or_IP1>] [[src|dst] host <host_name_or_IP2>] [[arp|ip|ip6|gre|esp|udp|tcp] [port_no]] [[arp|ip|ip6|gre|esp|udp|tcp] [port_no]]'
If a second host is specified in the filter, only the traffic between the two hosts is displayed. Optionally, you can use a logical OR to match either host, or to match any one of several protocols or ports. A port specification has up to two parts: the protocol and the port number.
For example, to display UDP 1812 traffic or TCP 8080 traffic, use the following:
'udp port 1812 or tcp port 8080'
 
To display all IP traffic that has a source of 192.168.1.2 and a destination of 192.168.2.3:
'ip src host 192.168.1.2 and dst host 192.168.2.3'
 
The <verbose> option controls how much of each packet is displayed. The verbose levels are:
1: Print the header of packets
2: Print the header and data from the IP header of packets
3: Print the header and data from the Ethernet header of packets
4: Print the header of packets, with the interface name
5: Print the header and data from the IP header of packets, with the interface name
6: Print the header and data from the Ethernet header of packets, with the interface name
The <count> value indicates the number of packets to sniff before stopping. If this value is not included, or is set to zero, the sniffer runs until you halt it manually with Ctrl-C.
The <tsformat> value defines the format of the timestamp printed with each packet. It can be:
a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
l: absolute local time, yyyy-mm-dd hh:mm:ss.ms
otherwise: time relative to the start of sniffing, ss.ms
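The saved text dump is only useful once it can be opened in a protocol analyzer. The following converter is an added example, not part of this handbook and not Fortinet's own conversion script: it parses a saved verbose-3 (or verbose-6) dump, where each packet is a summary line (relative or absolute timestamp, then the flow) followed by hex-dump lines of the form 0x<offset> <hex words> <ASCII>, and writes a standard pcap file. The sample input is constructed by hand (a single IPv4/TCP SYN from 192.168.1.2 to 192.168.2.3 with valid IP and TCP checksums); the exact wording of the summary line and the tab between the hex and ASCII columns are assumptions about the sniffer's output, and the parser falls back to reading hex tokens if the tab was lost in copy/paste. The IP header checksum is recomputed as a sanity check that the hex was transcribed intact, which is exactly the kind of corruption a terminal log can introduce.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample of "diag sniffer packet port1 'host 192.168.2.3' 3 1" output
# (verbose 3: Ethernet header + data). Not a real capture: the frame is a hand-built
# TCP SYN 192.168.1.2:52113 -> 192.168.2.3:80 with valid IP (a446) and TCP (6911)
# checksums. The summary-line wording is assumed, not taken from the handbook.
SAMPLE = """interfaces=[port1]
filters=[host 192.168.2.3]
1.234567 192.168.1.2.52113 -> 192.168.2.3.80: syn 1234567
0x0000\t 0009 0f09 0001 0009 0f09 3301 0800 4500\t..........3...E.
0x0010\t 0028 1234 4000 4006 a446 c0a8 0102 c0a8\t.(.4@.@..F......
0x0020\t 0203 cb91 0050 0012 d687 0000 0000 5002\t.....P........P.
0x0030\t 2000 6911 0000\t .i...

1 packets received by filter
0 packets dropped by kernel
"""

# Summary line: relative "ss.us" or absolute "yyyy-mm-dd hh:mm:ss.us" timestamp, then text.
HDR_RE = re.compile(r"^(\d+\.\d+|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")
# Hex-dump line: "0x<offset>" followed by the hex column (and usually an ASCII column).
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(.*)$")
HEXTOK = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")

LINKTYPE_ETHERNET = 1    # verbose 3 / 6: dump starts at the Ethernet header
LINKTYPE_RAW_IP = 101    # verbose 2 / 5: dump starts at the IP header


def _timestamp(text):
    """Relative format -> seconds since capture start; absolute format -> Unix epoch.
    Assumption: an absolute timestamp is treated as UTC (the 'a' format)."""
    if re.fullmatch(r"\d+\.\d+", text):
        return float(text)
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def parse_sniffer(text):
    """Return a list of (timestamp_seconds, summary_line, raw_bytes) per packet."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEX_RE.match(line)
        if m and cur is not None:
            field = m.group(1)
            if "\t" in field:                      # tab separates hex from ASCII column
                field = field.split("\t", 1)[0]
            toks = []
            for tok in field.split():              # fallback: stop at first non-hex token
                if not HEXTOK.match(tok):
                    break
                toks.append(tok)
            cur[2] += bytes.fromhex("".join(toks))
            continue
        m = HDR_RE.match(line)
        if m:
            cur = [_timestamp(m.group(1)), m.group(2), bytearray()]
            packets.append(cur)
    return [(ts, summary, bytes(data)) for ts, summary, data in packets]


def ip_checksum_ok(ip_header):
    """Internet checksum over an intact IPv4 header (checksum field included) folds to 0xFFFF."""
    if len(ip_header) % 2:
        ip_header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(ip_header) // 2), ip_header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def to_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize parsed packets as a classic little-endian pcap file (magic a1b2c3d4)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, _summary, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data))
        out += data
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    for ts, summary, data in pkts:
        ethertype = struct.unpack("!H", data[12:14])[0]
        ok = ip_checksum_ok(data[14:34]) if ethertype == 0x0800 else False
        print(f"{ts:.6f} {summary} ({len(data)} bytes, ethertype 0x{ethertype:04x}, "
              f"IP checksum {'ok' if ok else 'BAD/skipped'})")
    with open("sniffer.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
```

Run it on a saved PuTTY log instead of SAMPLE and open the resulting sniffer.pcap in Wireshark. For a verbose-2 or verbose-5 capture, which starts at the IP header, pass LINKTYPE_RAW_IP to to_pcap; otherwise the analyzer will try to decode IP bytes as an Ethernet header. Relative timestamps are written as seconds from the Unix epoch, so use the absolute format ("a") at capture time if you need to correlate the pcap with other logs.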