Chapter 18 Troubleshooting : Troubleshooting tools : FortiOS diagnostics : Packet sniffing and packet capture : Packet capture
  
Packet capture
FortiOS 5 includes packet capture in the web-based manager. To configure packet capture filters, go to System > Network > Packet Capture.
When you add a packet capture filter, enter the following information and select OK.
 
Interface
Select the interface to sniff from the dropdown menu.
You must select exactly one interface. Unlike the other fields, the interface cannot be changed after the filter is created; to change it, delete the filter and create a new one.
Max Packets to Capture
Enter the number of packets to capture before the filter stops.
This number cannot be zero. You can stop the capture before this number is reached.
Enable Filters
Select this option to specify the filter fields below.
Host(s)
Enter one or more host IP addresses.
Separate multiple hosts with commas. Enter a range using a dash without spaces, for example 172.16.1.5-172.16.1.15 or enter a subnet.
Port(s)
Enter one or more ports to capture on the selected interface.
Separate multiple ports with commas. Enter a range using a dash without spaces, for example 88-90.
VLAN(s)
Enter one or more VLAN IDs, if any.
Separate multiple VLAN IDs with commas.
Protocol
Enter one or more protocol numbers. Separate multiple protocols with commas. Enter a range using a dash without spaces, for example 1-6, 17, 21-25.
Include IPv6 packets
Select this option if you are troubleshooting IPv6 networking, or if your network uses IPv6. Otherwise, leave it disabled.
Capture Non-IP packets
The protocols available in the list are all IP-based except for ICMP (ping). To capture non-IP packets, select this option. Some examples of non-IP packets include IPsec, IGMP, ARP and, as mentioned, ICMP.
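As an added example that is not part of Fortinet's documentation or product code, the following Python parses the Host(s), Port(s) and Protocol field syntax described above and predicts whether a given packet would match the filter, which is useful for checking a filter before Max Packets to Capture is spent on the wrong traffic. It assumes that subnets are written in CIDR form, that a host or port value matches either endpoint of a packet, and that an empty field imposes no restriction; those matching semantics are assumptions, not documented FortiOS behaviour.

```python
import ipaddress

# Added example, not Fortinet's code. Parses the comma-separated, dash-range
# field syntax from the Packet Capture dialog and predicts matches.
# Assumptions: subnets are CIDR; Host(s)/Port(s) match either packet endpoint;
# an empty field means "no restriction".

def parse_int_field(field):
    """'1-6, 17, 21-25' -> [(1, 6), (17, 17), (21, 25)]"""
    ranges = []
    for item in filter(None, (s.strip() for s in field.split(","))):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo > hi:
            raise ValueError(f"reversed range: {item}")
        ranges.append((lo, hi))
    return ranges

def parse_host_field(field):
    """'172.16.1.5-172.16.1.15, 10.0.0.0/24' -> [(first, last)] as integers"""
    ranges = []
    for item in filter(None, (s.strip() for s in field.split(","))):
        if "/" in item:                      # subnet, assumed CIDR notation
            net = ipaddress.ip_network(item, strict=False)
            lo, hi = int(net[0]), int(net[-1])
        else:                                # single address or a-b range
            a, _, b = item.partition("-")
            lo = int(ipaddress.ip_address(a))
            hi = int(ipaddress.ip_address(b)) if b else lo
        if lo > hi:
            raise ValueError(f"reversed range: {item}")
        ranges.append((lo, hi))
    return ranges

def _in_ranges(value, ranges):
    return not ranges or any(lo <= value <= hi for lo, hi in ranges)

def would_capture(hosts, ports, protocols, src, dst, sport, dport, proto):
    """True if a packet (src, dst, sport, dport, proto) matches the filter."""
    h, p, pr = parse_host_field(hosts), parse_int_field(ports), parse_int_field(protocols)
    src_i, dst_i = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    return ((_in_ranges(src_i, h) or _in_ranges(dst_i, h))
            and (_in_ranges(sport, p) or _in_ranges(dport, p))
            and _in_ranges(proto, pr))

if __name__ == "__main__":
    # Constructed sample: the ranges quoted in the text, applied to a UDP reply from port 88
    print(would_capture("172.16.1.5-172.16.1.15", "88-90", "1-6, 17, 21-25",
                        "172.16.1.10", "10.0.0.7", 88, 51000, 17))   # True
```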
If you select a filter and go back to edit it, you have the added option of starting and stopping packet capture in the edit window, or downloading the captured packets. You can also see the filter status and the number of packets captured.
You can also select the filter and select Start to start capturing packets. While the filter is running, you will see the number of captured packets increasing until it reaches the max packet count or you select Stop. While the filter is running you cannot download the output file.
When the packet capture is complete, you can select Download to save the packets captured by the filter to your local computer as a *.pcap file. To read this file format, you will need Wireshark or a similar third-party application. With such a tool you have extensive analytics available and the full contents of the captured packets.