Advanced Troubleshooting by Sniffing Packets (Packet Capture)
Solution
You can perform basic packet sniffing and network troubleshooting without using sniffer filters.
With filters, however, you can narrow the capture down to the point of finding a single ping packet
on a busy network.
The sniffer filter field is very flexible. Using the filter option you can, among other things:
match the type of packet (arp, ip, gre, esp, udp, tcp, icmp)
Sniffing a port and specifying multiple hosts using AND and OR operators
When a TCP session is created, the destination port is set to a well-known port number; for example,
port 80 is commonly used for HTTP sessions. The source port, however, is assigned randomly, and not
knowing it can make troubleshooting difficult. The FortiGate packet sniffer matches a port filter against
both the source and the destination port, so you only need to know the well-known port, not which end of
the session it is on.
Let's capture HTTP packets going between 172.20.120.18 (the FortiGate) and either 10.10.80.110 (behind the
WiFi interface called Star) or 10.10.10.100 (behind the internal LAN interface).
diag sniffer packet any "port 80 and host 172.20.120.18 and (host 10.10.80.110 or host 10.10.10.100)" 4
interfaces=[any]
filters=[port 80 and host 172.20.120.18 and (host 10.10.10.100 or host 10.10.80.110)]
5.036340 internal in 10.10.10.100.58753 -> 172.20.120.18.80: syn 4189154
5.036664 internal out 172.20.120.18.80 -> 10.10.10.100.58753: syn 1354149395 ack 4189155
5.036837 internal in 10.10.10.100.58753 -> 172.20.120.18.80: ack 1354149396
5.037023 internal in 10.10.10.100.58753 -> 172.20.120.18.80: psh 4189155 ack 1354149396
6.463686 Star in 10.10.80.110.56791 -> 172.20.120.18.80: syn 571678005
6.464015 Star out 172.20.120.18.80 -> 10.10.80.110.56791: syn 2000204115 ack 571678006
6.471966 Star in 10.10.80.110.56791 -> 172.20.120.18.80: ack 2000204116
6.474720 Star in 10.10.80.110.56791 -> 172.20.120.18.80: psh 571678006 ack 2000204116
Since either the source or the destination port will be 80, all HTTP traffic between the FortiGate and
either of the two hosts matches the filter and is displayed. SSH and HTTPS use different ports, so that
traffic is not displayed. The two sessions are easy to tell apart in the output: the timestamp (the first
number on each line) clusters around 5.03 and 6.46 seconds, the interface name differs (internal versus
Star), and each session carries its own TCP sequence numbers, so a glance at a line tells you which IP
addresses belong to that session.
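The sniffer prints one line per packet and leaves the grouping into sessions to you. The following is an added example, not part of the original document or of FortiOS, that parses verbosity-4 output of the form shown above, groups the packets into TCP sessions oriented around the known port (80 here), checks whether each session completed its three-way handshake, and reads the "packets received by filter" / "packets dropped by kernel" summary so you know whether the capture can be trusted. The sample capture is constructed from the lines above; the summary lines appended to it are assumed to look like the ones quoted later in this document.

```python
import re
from collections import defaultdict

# Constructed sample: the verbosity-4 capture from this document, followed by the
# kind of summary FortiOS prints when a trace is terminated (assumed format).
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[port 80 and host 172.20.120.18 and (host 10.10.10.100 or host 10.10.80.110)]
5.036340 internal in 10.10.10.100.58753 -> 172.20.120.18.80: syn 4189154
5.036664 internal out 172.20.120.18.80 -> 10.10.10.100.58753: syn 1354149395 ack 4189155
5.036837 internal in 10.10.10.100.58753 -> 172.20.120.18.80: ack 1354149396
5.037023 internal in 10.10.10.100.58753 -> 172.20.120.18.80: psh 4189155 ack 1354149396
6.463686 Star in 10.10.80.110.56791 -> 172.20.120.18.80: syn 571678005
6.464015 Star out 172.20.120.18.80 -> 10.10.80.110.56791: syn 2000204115 ack 571678006
6.471966 Star in 10.10.80.110.56791 -> 172.20.120.18.80: ack 2000204116
6.474720 Star in 10.10.80.110.56791 -> 172.20.120.18.80: psh 571678006 ack 2000204116
12151 packets received by filter
3264 packets dropped by kernel
"""

# Interface name and direction appear only at verbosity levels that print them
# (4 and 6), so that part of the line is optional.
PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<info>.*)$"
)
SUMMARY_RE = re.compile(r"^(?P<n>\d+) packets (?P<what>received by filter|dropped by kernel)$")
TCP_FLAGS = ("syn", "ack", "psh", "fin", "rst")


def parse_packets(text):
    """Return packet dicts sorted by timestamp (extraction or buffering may reorder lines)."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue  # header, filter echo, summary or wrapped fragment
        tokens = m["info"].split()
        packets.append({
            "ts": float(m["ts"]), "iface": m["iface"], "dir": m["dir"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": frozenset(t for t in tokens if t in TCP_FLAGS),
        })
    packets.sort(key=lambda p: p["ts"])
    return packets


def parse_summary(text):
    """Return (received_by_filter, dropped_by_kernel); both 0 if the trailer is absent."""
    counts = {"received by filter": 0, "dropped by kernel": 0}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            counts[m["what"]] = int(m["n"])
    return counts["received by filter"], counts["dropped by kernel"]


def session_key(p, known_port):
    """Orient the 4-tuple as (client, cport, server, sport) using the known port."""
    if p["dport"] == known_port:
        return (p["src"], p["sport"], p["dst"], p["dport"])
    if p["sport"] == known_port:
        return (p["dst"], p["dport"], p["src"], p["sport"])
    a, b = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return a + b


def group_sessions(packets, known_port=80):
    """Group packets into sessions and check each one's three-way handshake."""
    by_key = defaultdict(list)
    for p in packets:
        by_key[session_key(p, known_port)].append(p)
    sessions = {}
    for key, pkts in by_key.items():
        client, cport = key[0], key[1]
        seen = {"syn": False, "synack": False, "ack": False}
        for p in pkts:
            from_client = (p["src"], p["sport"]) == (client, cport)
            if from_client and p["flags"] == {"syn"}:
                seen["syn"] = True
            elif not from_client and {"syn", "ack"} <= p["flags"]:
                seen["synack"] = True
            elif from_client and seen["synack"] and "ack" in p["flags"]:
                seen["ack"] = True
        sessions[key] = {
            "interfaces": sorted({p["iface"] for p in pkts if p["iface"]}),
            "packets": len(pkts),
            "first_seen": pkts[0]["ts"],
            "handshake_complete": all(seen.values()),
        }
    return sessions


if __name__ == "__main__":
    for (c, cp, s, sp), info in group_sessions(parse_packets(SAMPLE_CAPTURE)).items():
        print(f"{c}:{cp} -> {s}:{sp} on {info['interfaces']}: "
              f"{info['packets']} pkts, handshake ok={info['handshake_complete']}")
    received, dropped = parse_summary(SAMPLE_CAPTURE)
    if dropped:
        print(f"WARNING: {dropped}/{received + dropped} packets dropped; tighten the filter")
```

Run it against output saved from the CLI session; a session that shows a SYN from the client but no SYN/ACK is the usual sign of traffic being dropped by policy or of an offloaded session the sniffer could not see, and a non-zero "dropped by kernel" count means the capture itself is incomplete.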
If your FortiGate unit has NP2 interfaces that are offloading traffic, the sniffer trace will be
incomplete: packets of offloaded sessions bypass the CPU and are not seen by the sniffer. Before
performing a trace on any NP2 interfaces, disable offloading on those interfaces.
Best practices
Here are some tips that will improve your troubleshooting using the packet sniffer.
Enabling the sniffer consumes additional CPU resources, as much as an extra 25 percent of CPU usage
on low-end models. Enabling it on a unit that is already experiencing excessively high CPU usage will
therefore only make the situation worse. If you must sniff on such a unit, keep the sniffing sessions
short and the filter specific.
Try to always include ICMP in the sniffer filter. You may capture an ICMP error message that can help
identify the cause of the problem. For example:
diag sniff packet interface wan1 'tcp port 3389 or icmp' 3
Use the any interface to sniff all FortiGate unit interfaces. You can use the "any" interface if you want to
confirm that a specific packet is sent and received by different FortiGate interfaces. The any interface is
also useful if you are not sure which interface will send or receive the packet. An example using the any
interface:
diag sniff packet any 'tcp port 3389' 3
The FortiGate unit may not display all packets if too much information is requested. When this occurs,
the unit reports the following once the trace is terminated:
12151 packets received by filter
3264 packets dropped by kernel
Whenever the dropped count is non-zero, the packet you were trying to capture may be among the
dropped ones. To avoid this, make the filter more specific, reduce the verbosity level, or run the sniffer
during a period of lower traffic.
The packet timestamps displayed by the sniffer may be skewed or delayed under high load, even when no
packets were dropped. Do not rely on them for troubleshooting or performance measurements that require
precise timing.
Short Ethernet frames sent by the FortiGate unit may appear in the sniffer output to be under the
minimum frame length of 64 bytes (that is, to be runts). They are not: the sniffer simply does not
display the Ethernet trailer/padding, although it is sent over the network.
The Ethernet source and/or destination MAC addresses may be incorrect when using the "any" interface.
They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.
If you are sniffing VLAN packets and want to see the VLAN tags, you cannot have any filter configured.
For example, diag sniffer packet wan1 icmp will not show the tags, whereas diag sniffer packet wan1 will.