
Fortigate tcp dump

October 9, 2008

To see a tcpdump-style trace of the packets flowing through a FortiGate, use the diagnose sniffer command from the CLI. The command syntax:

diagnose sniffer packet {interface | all} 'net z.z.z.z/p and/or host x.x.x.x and/or port yyy' [options]

You can narrow the capture by filtering on any of the following:

net/prefix : print a whole netblock
host       : print only one host
port       : print only a specific port number
and/or     : combine filter terms

The verbosity option at the end of the command is one of the following:
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets (if available) with interface name

Option '4' is particularly useful, in that each packet is tagged with the interface it was seen on and whether it was inbound or outbound, so you can see which interface traffic in each direction enters and leaves on.

Examples:

diagnose sniffer packet any 'net 10.0.0.0/8 and host 172.16.16.14 and port 3389'

diagnose sniffer packet any 'host 10.4.131.97 and host 172.16.16.14 and port 3389' 4
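The second example above, run with verbosity 4, prints one line per packet tagged with the interface name and the direction (in/out). The following Python script is an added example, not part of the original post or any Fortinet tool: it parses a pasted block of that output and summarizes which interface each direction of the RDP session entered and left on, which is the question option 4 answers. The sample output is hand-constructed to approximate the verbosity-4 line format (timestamp, interface, direction, src.port -> dst.port: TCP flags); the exact layout is an assumption, so adjust the regular expression if your unit prints fields differently.

```python
import re
from collections import Counter

# Constructed sample of verbosity-4 sniffer output for the filter in the
# example above. Built by hand for this example; not a capture from a real unit.
SAMPLE_OUTPUT = """\
interfaces=[any]
filters=[host 10.4.131.97 and host 172.16.16.14 and port 3389]
0.512345 port1 in 10.4.131.97.51234 -> 172.16.16.14.3389: syn 1000
0.512400 port2 out 10.4.131.97.51234 -> 172.16.16.14.3389: syn 1000
0.513100 port2 in 172.16.16.14.3389 -> 10.4.131.97.51234: syn 2000 ack 1001
0.513150 port1 out 172.16.16.14.3389 -> 10.4.131.97.51234: syn 2000 ack 1001
0.513900 port1 in 10.4.131.97.51234 -> 172.16.16.14.3389: ack 2001
0.513950 port2 out 10.4.131.97.51234 -> 172.16.16.14.3389: ack 2001
"""

# Assumed per-packet line layout for verbosity 4:
#   <timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<flags>.*)$"
)


def parse_sniffer_output(text):
    """Return a list of packet dicts; header lines (interfaces=, filters=) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "ts": float(d["ts"]),
            "intf": d["intf"],
            "dir": d["dir"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"].strip(),
        })
    return packets


def interface_summary(packets):
    """Packet count per (interface, direction): shows where traffic was seen."""
    return Counter((p["intf"], p["dir"]) for p in packets)


def forwarding_paths(packets):
    """Pair each packet seen 'in' on one interface with the next copy of the
    same packet (same 5-tuple and flags) seen 'out' on another. The result is
    a count of (ingress interface, egress interface) pairs, i.e. the path the
    firewall forwarded each direction of the flow along."""
    paths = Counter()
    pending = {}
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["flags"])
        if p["dir"] == "in":
            pending[key] = p["intf"]
        elif key in pending:
            paths[(pending.pop(key), p["intf"])] += 1
    return paths


if __name__ == "__main__":
    pkts = parse_sniffer_output(SAMPLE_OUTPUT)
    for (intf, direction), n in sorted(interface_summary(pkts).items()):
        print(f"{intf:8s} {direction:3s} {n} packets")
    for (ingress, egress), n in sorted(forwarding_paths(pkts).items()):
        print(f"{ingress} -> {egress}: {n} packets forwarded")
```

Paste real sniffer output into SAMPLE_OUTPUT (or read it from a file) to confirm, for instance, that client-to-server RDP packets arrive on the inside interface and leave on the outside one, and that the replies take the reverse path; a direction that shows up only as 'in' with no matching 'out' points at a drop by policy or routing.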
