Packet capture


In this example you will look inside the headers of the HTTP and HTTPS packets on your network.

Packet capture is also called network tapping, packet sniffing, or logic analyzing.

To use packet capture through the GUI, your FortiGate model must have internal storage and disk logging must be enabled. If you are not sure whether your model supports disk logging, check the FortiGate Feature/Platform Matrix.


1. Creating packet capture filters

Go to Network > Packet Capture and create a new filter.
If the Packet Capture option does not appear in the main GUI, you can also use the URL https://[management-IP]/ng/page/p/firewall/sniffer/ to access this menu, substituting the correct IP address.
The simplest filter just captures all of the packets received by an interface. This filter captures 10 packets received by the lan interface.
You can select Enable Filters to be more specific about the packets to capture.
This filter captures 100 HTTP and HTTPS packets (port 80 and 443) received by the lan interface that have a source or destination address in the range

This filter captures the first 4000 Stream Control Transmission Protocol (SCTP) packets received by the wan1 interface.

This filter captures the first 1000 DNS packets (port 53) querying the Google DNS server (IP address with VLAN IDs 37 or 39.

2. Results

Running packet capture filters may affect FortiGate performance.

Go to Network > Packet Capture, choose a filter, and select the Play icon. You can watch the filter capture packets. Once the number of packets specified in the filter has been captured, the filter stops.

You can stop and restart multiple filters at any time.

After a filter runs, select it and edit it. An option to download the captured packets is then available.

You can open the file with a .pcap file viewer like Wireshark.
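To confirm that a downloaded capture contains only what the filter was meant to select (the ports, IP protocol numbers and VLAN IDs used in the filters above), the following added Python example, which is not part of this recipe or of FortiOS, parses a pcap file and tallies frames by VLAN ID, protocol and service port. The sample capture it reads is constructed inline; only little-endian Ethernet pcap files are handled.

```python
import struct
from collections import Counter
PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800   # 802.1Q tag precedes the real ethertype
PROTO_NAMES = {6: "tcp", 17: "udp", 132: "sctp"}  # IP protocol numbers

def parse_pcap(data):
    """Yield (vlan_id, ip_protocol, src_port, dst_port) for each IPv4 frame."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian pcap (magic a1b2c3d4) is handled here")
    off = 24                                       # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]   # record header: ts_sec, ts_usec, incl_len, orig_len
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ethertype, = struct.unpack_from("!H", frame, 12)
        l3, vlan_id = 14, None
        if ethertype == ETHERTYPE_VLAN:            # tagged frame: VLAN ID is the low 12 bits of the TCI
            tci, ethertype = struct.unpack_from("!HH", frame, 14)
            l3, vlan_id = 18, tci & 0x0FFF
        if ethertype != ETHERTYPE_IPV4:
            continue
        l4 = l3 + (frame[l3] & 0x0F) * 4           # IHL gives the IPv4 header length in 32-bit words
        proto = frame[l3 + 9]
        sport, dport = struct.unpack_from("!HH", frame, l4)   # TCP, UDP and SCTP all start with src/dst port
        yield vlan_id, proto, sport, dport

def summarize(data):
    """Count frames by (VLAN ID, protocol name, lower port) to see what a filter actually captured."""
    counts = Counter()
    for vlan_id, proto, sport, dport in parse_pcap(data):
        counts[(vlan_id, PROTO_NAMES.get(proto, str(proto)), min(sport, dport))] += 1
    return counts

def build_frame(proto, sport, dport, vlan=None):
    """Constructed test frame: Ethernet [+ 802.1Q] + minimal IPv4 + 8-byte L4 stub."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([8, 8, 8, 8])) + l4
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return b"\x00" * 12 + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip

def build_pcap(frames):
    """Constructed pcap file: global header (link type 1 = Ethernet) + one record per frame."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample standing in for a downloaded capture: HTTPS, HTTP, DNS on VLAN 37, SCTP.
SAMPLE_PCAP = build_pcap([build_frame(6, 51000, 443), build_frame(6, 51001, 80),
                          build_frame(17, 51002, 53, vlan=37), build_frame(132, 3868, 3868)])
```

Pass the bytes of a downloaded capture to summarize() and compare the keys against the ports, protocol numbers and VLAN IDs set in the filter; any unexpected key means the filter was broader than intended.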

For further reading, check out Packet Capture in the FortiOS 5.6 Handbook.


Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
While packet capture is enabled in the GUI, any hardware acceleration on the interface will be disabled.
This URL may show the Packet Capture menu on all FortiGates, even those that do not have disk logging enabled (and cannot use the feature).
Protocols are identified using IP protocol numbers; for example, SCTP is protocol 132.