- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Sniffed packet counts appear different
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Not applicable
Created on 08-25-2008 11:54 AM
Article Id
195796
Article
| Description | When sniffing the internal and external ports, the packet count is different when it should be the same. |
| Components |
|
| Steps or Commands | When sniffing the Internal port ( interfaces=[internal] There are total 60 bytes, the last two bytes are 0000. When sniffing the External port ( interfaces=[wan1] In this case, there are total 58 bytes, the last two bytes 0000 are lost. The two bytes 0000 is right the trailer for padding in the packet. This is normal behavior. On ingress, the sniffer sees the packet before the padding has been stripped. On egress, the sniffer sees the packet before it goes to the hardware and so before any additional padding is added. The stack looks like: TCP -- IP -- device -- driver -- hardware Outbound packets flow from left to right, and inbound packets flow right to left. The sniff is taken at the device layer for both ingress and egress. It is the IP (firewall) layer that strips padding on ingress. It is the hardware that adds padding on egress. Since it is the hardware that adds padding there is no way to make the sniffer show that padding on egress since it does not get added until after the sniff is taken and it is physically impossible to take the sniff after the packet has been sent to the hardware. |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.