FortiOS Sniffer (explained) – Part 1

As my first post, I want to tell you about the sniffer function in Fortinet FortiOS.

FortiOS includes a packet sniffer that is similar to tcpdump on Linux, and its syntax is very close to tcpdump's. The capture can be exported to Wireshark: run the sniffer with the right parameters, copy the output to a text file and open it in Wireshark for a deeper analysis. There is also a "Capture Packet" option in the GUI; on some versions you will find it under the "System -> Config -> Advanced" menu.

[Image: example of tcpdump syntax]

The command to start the sniffer takes an interface, a tcpdump-style filter, a verbosity level and a packet count:

diagnose sniffer packet <interface> '<tcpdump filter>' <verbosity> <count>

In the example below, any captures on all interfaces, 4 is the verbosity level (packet headers together with the interface name, as seen in the output) and 400 stops the capture after 400 packets.

Example:

FG620B # diagnose sniffer packet any 'port 80 and host 172.17.1.63' 4 400
interfaces=[any]
filters=[port 80 and host 172.17.1.63]
0.255610 port1 in 172.17.1.63.39341 -> 186.192.82.67.80: ack 26713809
0.264467 port1 in 172.17.1.63.39294 -> 67.215.65.130.80: syn 3296101264
0.366340 port1 in 172.17.1.63.39332 -> 76.13.114.90.80: fin 3675819849 ack 3467018882
0.391733 port1 in 172.17.1.63.39342 -> 74.125.234.17.80: syn 4254269709
0.409071 port1 out 62.146.124.74.80 -> 172.17.1.63.39337: fin 3736411734 ack 1144441981
0.418611 port1 in 172.17.1.63.39344 -> 74.125.234.13.80: syn 3821974355
0.421061 port1 out 74.125.234.17.80 -> 172.17.1.63.39342: syn 3710379784 ack 4254269710
0.422110 port1 in 172.17.1.63.39342 -> 74.125.234.17.80: ack 3710379785
0.447897 port1 out 74.125.234.13.80 -> 172.17.1.63.39344: syn 2250854333 ack 3821974356
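Once the output has been copied to a text file it can be processed with a short script. The following is an added example, not code from the post or from Fortinet: it parses the verbosity-4 lines above and tracks each TCP handshake through syn, syn-ack and established, so a defender can see at a glance which connections actually completed. The regular expression and field names are my own assumptions about the line layout shown.

```python
import re

# Shape of a verbosity-4 line shown in the post:
#   <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags seq [ack n]>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}

def parse_line(line):
    """One packet line -> dict; header lines such as interfaces=[any] -> None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    # Flag words are the alphabetic tokens; the numbers after them are seq/ack values.
    rec["flags"] = frozenset(t for t in rec.pop("rest").split() if t in TCP_FLAGS)
    return rec

def parse_capture(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def handshake_state(records):
    """Track each client->server 4-tuple through syn, syn-ack, established."""
    state = {}
    for r in records:
        fwd = (r["src"], r["sport"], r["dst"], r["dport"])
        rev = (r["dst"], r["dport"], r["src"], r["sport"])
        if r["flags"] == {"syn"}:
            state[fwd] = "syn"
        elif r["flags"] == {"syn", "ack"} and state.get(rev) == "syn":
            state[rev] = "syn-ack"
        elif r["flags"] == {"ack"} and state.get(fwd) == "syn-ack":
            state[fwd] = "established"
    return state

# Sample lines taken from the capture in the post (header lines kept to show they are skipped)
SAMPLE = """interfaces=[any]
filters=[port 80 and host 172.17.1.63]
0.264467 port1 in 172.17.1.63.39294 -> 67.215.65.130.80: syn 3296101264
0.391733 port1 in 172.17.1.63.39342 -> 74.125.234.17.80: syn 4254269709
0.418611 port1 in 172.17.1.63.39344 -> 74.125.234.13.80: syn 3821974355
0.421061 port1 out 74.125.234.17.80 -> 172.17.1.63.39342: syn 3710379784 ack 4254269710
0.422110 port1 in 172.17.1.63.39342 -> 74.125.234.17.80: ack 3710379785
0.447897 port1 out 74.125.234.13.80 -> 172.17.1.63.39344: syn 2250854333 ack 3821974356
"""
```

Running handshake_state(parse_capture(SAMPLE)) on this sample reports the connection to 74.125.234.17 as established, the one to 74.125.234.13 as syn-ack (the client's final ack is outside the capture) and the one to 67.215.65.130 as syn only.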

More on the FortiOS packet sniffer will follow soon…
