Packet capture

In this example you will look inside the headers of the HTTP and HTTPS packets on your network.

Packet capture is also called a network tapping, packet sniffing, or logic analyzing.

To use packet capture through the GUI, your FortiGate model must have internal storage and disk logging must be enabled. If you are not sure whether your model supports disk logging, check the FortiGate Feature/Platform Matrix.

Find this recipe for other FortiOS versions
5.2 | 5.6

1. Creating packet capture filters

Go to Network > Packet Capture and create a new filter.
If the Packet Capture option does not appear in the main GUI, you can also use the URL https://[management-IP]/ng/page/p/firewall/sniffer/ to access this menu, substituting the correct IP address.
The simplest filter just captures all of the packets received by an interface. This filter captures 10 packets received by the lan interface.
You can select Enable Filters to be more specific about the packets to capture.
This filter captures 100 HTTP and HTTPS packets (port 80 and 443) received by the lan interface that have a source or destination address in the range

This filter captures the first 4000 Stream Control Transmission Protocol (SCTP) packets received by the wan1 interface.

This filter captures the first 1000 DNS packets (port 53) querying the Google DNS server (IP address with VLAN IDs 37 or 39.

2. Results

Running packet capture filters may affect FortiGate performance.

Go to Network > Packet Capture, choose a filter, and select the Play icon. You can watch the filter capture packets. When the number of packets specified in the filter are captured the filter stops.

You can stop and restart multiple filters at any time.

After a filter runs, select and edit it. The option to download the capture packets is available.

You can open the file with a .pcap file viewer like Wireshark.

For further reading, check out Packet Capture in the FortiOS 5.6 Handbook.


While packet capture is enabled in the GUI, any hardware acceleration on the interface will be disabled.
This URL may show the Packet Capture menu on all FortiGates, even those that do not have disk logging enabled (and cannot use the feature).
Protocols are identified using IP protocol numbers; for example, SCTP is protocol 132.