Packet capture

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this example, you will set up and run some basic packet capture filters on your FortiGate and download and view the resulting .pcap file.

You can use packet capturing  to learn about network activity seen by your FortiGate by creating and saving packet capture filters that define the packets to capture. You can then run these filters at any time, download the resulting .pcap (packet capture) file, and use a tool like Wireshark to analyze the results.

To use packet capture through the GUI, your FortiGate model must have internal storage and disk logging must be enabled. If you are not sure whether your model supports disk logging, check the FortiGate Feature/Platform Matrix.

Find this recipe for other FortiOS versions
5.2 | 5.6

1. Creating packet capture filters

Go to System > Network > Packet Capture and create a new filter. Below are a few examples of different filters you can use.
 
If the Packet Capture option does not appear in the main GUI, you can also use the URL https://[management-IP]/p/firewall/sniffer/ to access this menu, substituting the correct IP address.
The simplest filter just captures all of the packets received by an interface. This example captures 10 packets received by the mgmt1 interface. 
 
 
You can select Enable Filters to restrict the packets to capture.
 
This filter captures 100 HTTP and HTTPS packets (port 80 and 443) received by the Ednet wireless interface that have a source or destination address in the range 172.20.120.10 to 172.20.120.20.
 
This filter captures the first 4000 Stream Control Transmission Protocol (SCTP) packets received by the port1 interface.
 
This filter captures the first 1000 DNS packets querying the Google DNS server (IP address 8.8.8.8) with VLAN IDs 37 or 39.
 

2. Results

Running packet capture filters may affect FortiGate performance.

Go to System > Network > Packet Capture, choose a filter, and select the Play icon. You can watch the filter capture packets. When the number of packets specified in the filter are captured the filter stops.

You can stop and restart multiple filters at any time.

 

Download any saved .pcap file to your computer. You can open the file with a .pcap file viewer like Wireshark.

 

For further reading, check out Monitoring in the FortiOS 5.2 Handbook.

 

Victoria Martin

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
While packet capture is enabled in the GUI, any hardware acceleration on the interface will be disabled.
This URL may show the Packet Capture menu on all FortiGates, even those that do not have disk logging enabled (and cannot use the feature).
Protocols are identified using IP protocol numbers; for example, SCTP is protocol 132.