Created on 08-25-2008 11:54 AM
Description | When sniffing the internal and external ports, the packet count is different when it should be the same. |
Components |
|
Steps or Commands | When sniffing the internal port (interfaces=[internal]), the packet is 60 bytes in total and the last two bytes are 0000.

When sniffing the external port (interfaces=[wan1]), the packet is 58 bytes in total; the last two bytes, 0000, are missing.

The two 0000 bytes are the trailer that pads the packet. This is normal behavior. On ingress, the sniffer sees the packet before the padding has been stripped. On egress, the sniffer sees the packet before it goes to the hardware, and so before any additional padding is added.

The stack looks like this:

TCP -- IP -- device -- driver -- hardware

Outbound packets flow from left to right, and inbound packets flow from right to left. The sniff is taken at the device layer for both ingress and egress. The IP (firewall) layer strips padding on ingress; the hardware adds padding on egress. Because the hardware adds the padding, the sniffer cannot show it on egress: the padding is not added until after the sniff is taken, and it is physically impossible to take the sniff after the packet has been sent to the hardware. |
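When comparing captures from the two interfaces, the trailer can be separated from the IP datagram by trusting the IPv4 Total Length field rather than the captured length. The following is an added example, not Fortinet code: it assumes untagged Ethernet II frames carrying IPv4 and the 60-byte minimum frame size without FCS (the IEEE 802.3 64-byte minimum less the 4-byte FCS), and the sample frames are constructed, with the same headers reused on both sides for simplicity.

```python
import struct

ETH_HDR_LEN = 14         # dst MAC + src MAC + EtherType (no VLAN tag assumed)
ETH_MIN_NO_FCS = 60      # 64-byte minimum frame minus the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800

def split_trailer(frame: bytes):
    """Return (ip_datagram, trailer) for an untagged Ethernet II / IPv4 frame."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("too short for Ethernet + IPv4 headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only untagged IPv4 frames are handled")
    (total_len,) = struct.unpack("!H", frame[16:18])   # IPv4 Total Length
    end = ETH_HDR_LEN + total_len
    if total_len < 20 or end > len(frame):
        raise ValueError("IPv4 total length does not fit the capture")
    return frame[ETH_HDR_LEN:end], frame[end:]

def pad_still_to_add(frame: bytes) -> int:
    """Bytes of padding still missing to reach the minimum frame size."""
    return max(0, ETH_MIN_NO_FCS - len(frame))

# Constructed sample: a TCP SYN with one MSS option, 14 + 20 + 24 = 58 bytes.
eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0, 0x4000, 64, 6, 0,
                 bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))  # checksum left 0
tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x60, 0x02, 65535, 0, 0)
tcp += bytes.fromhex("020405b4")                                   # MSS 1460

EGRESS = eth + ip + tcp           # as sniffed on wan1: no padding yet
INGRESS = EGRESS + b"\x00\x00"    # as sniffed on internal: padded on the wire

if __name__ == "__main__":
    for name, frame in (("internal", INGRESS), ("wan1", EGRESS)):
        datagram, trailer = split_trailer(frame)
        print(f"{name}: captured={len(frame)} ip_len={len(datagram)} "
              f"trailer={trailer.hex() or '-'} pad_still_to_add={pad_still_to_add(frame)}")
```

In a real pair of captures taken across the firewall, the MAC addresses and TTL also differ between interfaces, so compare the fields of interest after stripping the trailer rather than the raw bytes.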