FortiOS Sniffer (explained) – Part 1

As my first post, I want to tell you about the sniffer function in Fortinet FortiOS.

FortiOS has a built-in sniffer that behaves much like tcpdump on Linux, and its filter syntax is very close to tcpdump's. With the right parameters, the output can be exported to Wireshark: simply copy the console output to a text file, convert it, and analyse it in more depth there. There is also a “Capture Packet” option in the GUI; depending on the version you can find it under the “System -> Config -> Advanced” menu.


Example of the tcpdump-like syntax.

The command to start sniffing takes the interface, a tcpdump-style filter, the verbosity level and the packet count, in this order:

diagnose sniffer packet <interface> '<tcpdump-style filter>' <verbosity> <count>


FG620B # diagnose sniffer packet any 'port 80 and host' 4 400
filters=[port 80 and host]
0.255610 port1 in -> ack 26713809
0.264467 port1 in -> syn 3296101264
0.366340 port1 in -> fin 3675819849 ack 3467018882
0.391733 port1 in -> syn 4254269709
0.409071 port1 out -> fin 3736411734 ack 1144441981
0.418611 port1 in -> syn 3821974355
0.421061 port1 out -> syn 3710379784 ack 4254269710
0.422110 port1 in -> ack 3710379785
0.447897 port1 out -> syn 2250854333 ack 3821974356
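At verbosity 4 the sniffer prints only timestamps, interface, direction and TCP flags with sequence numbers, yet those numbers alone are enough to tell a completed handshake from a half-open one. The parser below is an added example (not the post's own tooling) that reads the lines quoted above, built into the script as a constructed sample, and correlates SYN, SYN-ACK and final ACK by ISN; it assumes the line layout shown above, and optionally tolerates a "src.port -> dst.port:" pair, which is an assumption since the quoted lines carry no addresses.

```python
import re
# Constructed sample: verbosity-4 lines as quoted in the post (addresses absent).
SAMPLE = """\
0.264467 port1 in -> syn 3296101264
0.366340 port1 in -> fin 3675819849 ack 3467018882
0.391733 port1 in -> syn 4254269709
0.418611 port1 in -> syn 3821974355
0.421061 port1 out -> syn 3710379784 ack 4254269710
0.422110 port1 in -> ack 3710379785
0.447897 port1 out -> syn 2250854333 ack 3821974356
"""
# <time> <iface> <in|out> [src.port] -> [dst.port:] <flag [seq]> [ack <n>]; the address fields are assumed
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
                     r"(?:\S+\s+)?->\s+(?:\S+:\s+)?(?P<rest>.*)$")
FLAGS = {"syn", "fin", "rst", "psh"}
MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap

def parse_line(line):
    """Return {ts, iface, dir, flags, seq, ack} or None for a non-packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "iface": m["iface"], "dir": m["dir"],
           "flags": [], "seq": None, "ack": None}
    toks = m["rest"].split()
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) and toks[i + 1].isdigit() else None
        if tok == "ack" and nxt:
            rec["flags"].append("ack"); rec["ack"] = int(nxt)
        elif tok in FLAGS:
            rec["flags"].append(tok)
            if nxt and rec["seq"] is None:
                rec["seq"] = int(nxt)
    return rec

def handshakes(text):
    """Correlate SYN / SYN-ACK / ACK by sequence numbers alone; returns {client_isn: state}."""
    state, server_isn = {}, {}  # client ISN -> state, server ISN -> client ISN
    for r in filter(None, map(parse_line, text.splitlines())):
        if "syn" in r["flags"] and r["ack"] is None:      # SYN
            state[r["seq"]] = "syn"
        elif "syn" in r["flags"]:                          # SYN-ACK acks client ISN + 1
            cisn = (r["ack"] - 1) & MASK
            if cisn in state:
                state[cisn] = "syn-ack"; server_isn[r["seq"]] = cisn
        elif r["flags"] == ["ack"]:                        # bare ACK acks server ISN + 1
            cisn = server_isn.get((r["ack"] - 1) & MASK)
            if cisn is not None and state.get(cisn) == "syn-ack":
                state[cisn] = "established"
    return state
```

Run against the sample, one client SYN is left unanswered, one reached SYN-ACK only, and one completed the three-way handshake.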

We will discuss more about the FortiOS packet sniffer soon…
