Packet capture


In this example, you will set up and run some basic packet capture filters on your FortiGate and download and view the resulting .pcap file.

You can use packet capturing to learn about network activity seen by your FortiGate by creating and saving packet capture filters that define the packets to capture. You can then run these filters at any time, download the resulting .pcap (packet capture) file, and use a tool like Wireshark to analyze the results.


1. Creating packet capture filters

Go to System > Network > Packet Capture and create a new filter. Below are a few examples of different filters you can use.

If the Packet Capture option does not appear in the main GUI, you can also use the URL https://[management-IP]/p/firewall/sniffer/ to access this menu, substituting the correct IP address.

The simplest filter just captures all of the packets received by an interface. This example captures 10 packets received by the mgmt1 interface.

You can select Enable Filters to restrict the packets to capture.

This filter captures 100 HTTP and HTTPS packets (ports 80 and 443) received by the Ednet wireless interface that have a source or destination address in the range 172.20.120.10 to 172.20.120.20.

This filter captures the first 4000 Stream Control Transmission Protocol (SCTP) packets received by the port1 interface. Protocols are identified using IP protocol numbers; for example, SCTP is protocol 132.

This filter captures the first 1000 DNS packets querying the Google DNS server (IP address 8.8.8.8) with VLAN IDs 37 or 39.

2. Results

Running packet capture filters may affect FortiGate performance.

Go to System > Network > Packet Capture, choose a filter, and select the Play icon. You can watch the filter capture packets. When the number of packets specified in the filter has been captured, the filter stops.

You can stop and restart multiple filters at any time.

 

Download any saved .pcap file to your computer. You can open the file with a .pcap file viewer like Wireshark.
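To see what is actually inside a downloaded capture without opening Wireshark, here is an added example (not part of the original recipe) that decodes a .pcap file with Python's standard library and checks each frame against the VLAN 37/39 DNS-to-8.8.8.8 filter from step 1. The sample capture is constructed inside the code; a real file from the FortiGate would be read with `open(path, "rb").read()`, and the link type is assumed to be Ethernet.

```python
import struct
from ipaddress import IPv4Address
def frames(pcap: bytes):
    """Yield raw Ethernet frames from a little-endian libpcap file (link type 1)."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4 or struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24  # 24-byte global header, then a 16-byte header before each record
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]  # bytes actually captured
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def decode(frame: bytes) -> dict:
    """Ethernet -> optional 802.1Q tag -> IPv4 -> TCP/UDP ports; absent layers stay None."""
    info = {"vlan": None, "proto": None, "src": None, "dst": None, "ports": ()}
    etype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if etype == 0x8100:  # 802.1Q tag: VLAN ID is the low 12 bits of the TCI
        tci, etype = struct.unpack_from("!HH", frame, 14)
        info["vlan"], off = tci & 0x0FFF, 18
    if etype != 0x0800:  # not IPv4 (e.g. ARP): nothing more to decode here
        return info
    ihl, info["proto"] = (frame[off] & 0x0F) * 4, frame[off + 9]  # header length, protocol number
    info["src"], info["dst"] = str(IPv4Address(frame[off + 12:off + 16])), str(IPv4Address(frame[off + 16:off + 20]))
    if info["proto"] in (6, 17):  # TCP / UDP: source and destination port are the first two fields
        info["ports"] = struct.unpack_from("!HH", frame, off + ihl)
    return info

def matches_dns_filter(info: dict) -> bool:
    """The recipe's last filter: DNS (UDP port 53) to or from 8.8.8.8 on VLAN 37 or 39."""
    return (info["vlan"] in (37, 39) and info["proto"] == 17
            and "8.8.8.8" in (info["src"], info["dst"]) and 53 in info["ports"])

def count_matches(pcap: bytes) -> tuple:
    """Return (frames in the file, frames the VLAN/DNS filter would have kept)."""
    decoded = [decode(f) for f in frames(pcap)]
    return len(decoded), sum(matches_dns_filter(d) for d in decoded)

# Constructed sample capture (not a real FortiGate file): zeroed MACs, minimal IPv4 and L4 headers.
def make_frame(vlan: int, src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + struct.pack("!HHH", 0x8100, vlan, 0x0800) + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def make_pcap(frame_list) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap 2.4, snaplen 65535, Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frame_list)

SAMPLE_PCAP = make_pcap([
    make_frame(37, "172.20.120.15", "8.8.8.8", 17, 51000, 53),   # query on VLAN 37: kept
    make_frame(39, "8.8.8.8", "172.20.120.15", 17, 53, 51000),   # reply on VLAN 39: kept
    make_frame(40, "172.20.120.15", "8.8.8.8", 17, 51001, 53),   # wrong VLAN: dropped
    make_frame(37, "172.20.120.15", "8.8.4.4", 17, 51002, 53),   # wrong server: dropped
    make_frame(37, "172.20.120.15", "8.8.8.8", 6, 51003, 443),   # HTTPS, not DNS: dropped
])  # count_matches(SAMPLE_PCAP) -> (5, 2)
```

Comparing the second number with the packet count the FortiGate reports for the same filter is a quick way to confirm the capture contains what the filter was meant to keep.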

 

For further reading, check out Monitoring in the FortiOS 5.2 Handbook.

 

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet

Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
  • H

    Hi,

    I assume you know that when logging is set to memory, packet capture will not be available on GUI. However, it is still accessible using the URL https://x.x.x.x/ng/page/p/firewall/sniffer/ … In this case, will the logs be stored on the disk or memory?

    • Victoria Martin

      Hi H,

      While the GUI for packet capture is available when logging is set to memory, I do not believe it will actually function.

  • Technical Support

    Hi, the option “System > Network > Packet Capture” is not there on my FortiWiFi 60 – firmware 5.2.4. Do I need to do something to enable this?

  • Eduard Abramovich

    Hi,

    What about doing a pcap from the command line? I am just starting in my new job using FortiGate; we have a lot, but I can’t find the option to do the capture, for example this: — diagnose sniffer packet any ‘host 192.168.1.100’ 6 —, but sometimes I don’t like to use the GUI, please.