FORTIGATE - Packet Sniffer

From Wiki.IT-Arts.net


Verbose Levels Detail

  • 1: print header of packets.
  • 2: print header and data from IP of packets.
  • 3: print header and data from Ethernet of packets.
  • 4: print header of packets with interface name.
  • 5: print header and data from IP of packets with interface name.
  • 6: print header and data from Ethernet of packets with interface name.


Basic Sniffing Command

diag sniffer packet <interface> <'filter'> <verbose> <count> <a|l>
  • <interface> can be an interface name or 'any' for all interfaces.
  • <'filter'> is a tcpdump-style capture filter expression (hosts, protocols, ports, or raw byte offsets); see the examples below.
  • <verbose> is the level of verbosity (1-6) as described above.
  • <count> is the number of packets the sniffer reads before stopping.
  • a - timestamps the packets with the absolute UTC time.
  • l - (small letter L) timestamps the packets with LOCAL time.



Full Examples

diag sniffer packet any "host 3.210.115.14 and icmp" 4 0 l
diag sniffer packet wan1 'host 10.109.16.137 and (icmp or tcp)' 1
diag sniffer packet wan1 'host 10.109.16.137 and host 172.26.48.21 and tcp port 80' 1 3


Sniffing MAC Addresses

Below are the CLI commands to sniff packets by MAC address on a FortiGate:


Source MAC

To sniff frames whose source MAC address is 00:09:0f:89:10:ea:


Method 1

diagnose sniffer packet <interface> "ether src 00:09:0f:89:10:ea"


Method 2

diagnose sniffer packet any '(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)' 4


Destination MAC

To sniff frames whose destination MAC address is 00:09:0f:89:10:ea:


Method 1

diagnose sniffer packet <interface> "ether dst 00:09:0f:89:10:ea"


Method 2

diagnose sniffer packet any '(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)' 4


Source Or Destination MAC

To sniff frames whose source or destination MAC address is 00:09:0f:89:10:ea:

diagnose sniffer packet <interface> "ether host 00:09:0f:89:10:ea"
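As an added example (not part of the wiki page), the following Python helper generates the byte-offset "Method 2" filter for any MAC address, in either direction, and assembles a complete sniffer command using the argument order from the Basic Sniffing Command section above. The function names are my own; the generated text is what you would paste into the FortiGate CLI.

```python
import re

# Byte offsets of the MAC fields in an Ethernet II header:
# bytes 0-5 are the destination address, bytes 6-11 the source address.
MAC_OFFSETS = {"dst": 0, "src": 6}


def mac_offset_filter(mac: str, direction: str) -> str:
    """Return the ether[offset:len]=0x... form of a MAC filter.

    direction is 'src', 'dst' or 'host' (either direction). The 6-byte
    address is matched as a 4-byte compare followed by a 2-byte compare,
    exactly as the ether[6:4]/ether[10:2] examples on this page do.
    """
    octets = mac.lower().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    if direction == "host":
        # Either direction: OR the source and destination forms together.
        return f"({mac_offset_filter(mac, 'src')}) or ({mac_offset_filter(mac, 'dst')})"
    if direction not in MAC_OFFSETS:
        raise ValueError(f"direction must be src, dst or host, got {direction!r}")
    base = MAC_OFFSETS[direction]
    high = "".join(octets[:4])  # first four octets -> 4-byte compare
    low = "".join(octets[4:])   # last two octets   -> 2-byte compare
    return f"(ether[{base}:4]=0x{high}) and (ether[{base + 4}:2]=0x{low})"


def sniffer_command(interface: str, capture_filter: str, verbose: int = 4,
                    count: int = 0, tsformat: str = "a") -> str:
    """Assemble 'diagnose sniffer packet <interface> <filter> <verbose> <count> <a|l>'.

    verbose must be 1-6; count 0 means no packet limit (stop with Ctrl-C);
    tsformat 'a' is absolute UTC time, 'l' is local time.
    """
    if verbose not in range(1, 7):
        raise ValueError("verbose level must be between 1 and 6")
    if count < 0:
        raise ValueError("count must be 0 (unlimited) or a positive number")
    if tsformat not in ("a", "l"):
        raise ValueError("timestamp format must be 'a' or 'l'")
    return f"diagnose sniffer packet {interface} '{capture_filter}' {verbose} {count} {tsformat}"


if __name__ == "__main__":
    src = mac_offset_filter("00:09:0f:89:10:ea", "src")
    print(sniffer_command("any", src, verbose=4, count=0, tsformat="l"))
```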


Useful Links