This article describes how to sniff wireless traffic using the FortiAP's radio and provides some sample configurations.
The wireless sniffer on the FortiAP was introduced in FortiOS 5.0. From that release, wireless traffic can be sniffed using the radios of the FortiAPs.
Only one radio at a time is allowed to capture traffic.
If one radio is set to sniffer mode, the second radio cannot be configured as a sniffer at the same time.
The radio configured in sniffer mode will capture traffic of its band.
For example, on a FAP220B if Radio1 is set to sniffer mode, 2.4GHz band traffic will be captured. If Radio2 is set to sniffer mode, 5GHz band traffic will be captured.
The sniffer trace is stored under the tmp directory as wl_sniff.pcap.
This file will have to be downloaded using a TFTP server before changing the radio mode or rebooting the FortiAP.
Setting the radio to sniffer mode is configurable from the CLI only. The GUI will reflect this change in the “Managed FortiAP” tab; the radio will be set to mode “Packet Sniffer”.
config wireless-controller wtp-profile
    edit sniffer
        config radio-2
            set mode sniffer
            set ap-sniffer-bufsize 32
            set ap-sniffer-chan 1
            set ap-sniffer-addr 00:00:00:00:00:00
            set ap-sniffer-mgmt-beacon enable
            set ap-sniffer-mgmt-probe enable
            set ap-sniffer-mgmt-other enable
            set ap-sniffer-ctl enable
            set ap-sniffer-data enable
        end
    next
end
[Image: before the configuration change to sniffer mode]
Filters:
ap-sniffer-addr can be used to filter the traffic of a single client.
ap-sniffer-chan can be used to filter the traffic on a given channel.
Downloading the sniffer trace from the FortiAP:
FAP # cd /tmp
FAP # ls
…
…
wl_sniff.cap
FAP # tftp
BusyBox v1.15.0 (2012-05-24 17:25:46 PDT) multi-call binary
Usage: tftp [OPTIONS] HOST [PORT]
Transfer a file from/to tftp server
Options:
-l FILE Local FILE
-r FILE Remote FILE
-g Get file
-p Put file
FAP # tftp -l wl_sniff.cap -p 10.10.10.6 69
The file is now available on the TFTP server.
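Once the trace is on the TFTP server, its content can be checked against the frame-type and address filters described above. The following is an added example, not Fortinet code: it assumes the trace is a classic pcap file with link type 105 (raw 802.11) or 127 (radiotap), and the grouping of 802.11 subtypes under each ap-sniffer-* option name is an assumption based on the option names. The sample capture and MAC addresses are constructed.

```python
import struct
from collections import Counter

def classify(fc0):
    """Map the first frame-control byte to the matching ap-sniffer-* option."""
    ftype, subtype = (fc0 >> 2) & 3, (fc0 >> 4) & 0xF
    if ftype == 0:  # management
        return {8: "mgmt-beacon", 4: "mgmt-probe", 5: "mgmt-probe"}.get(subtype, "mgmt-other")
    return {1: "ctl", 2: "data"}.get(ftype, "unknown")

def summarize(pcap, addr=None):
    """Count frames per category; addr (6 bytes) keeps only frames naming that MAC."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype not in (105, 127):  # assumed: raw 802.11 or radiotap
        raise ValueError("unexpected link type %d" % linktype)
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if linktype == 127 and len(frame) >= 4:  # skip radiotap header (it_len, LE)
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        if len(frame) < 10:  # shorter than frame control + duration + addr1
            continue
        # addr1 is always present; addr2/addr3 only in longer frames
        if addr and addr not in (frame[4:10], frame[10:16], frame[16:22]):
            continue
        counts[classify(frame[0])] += 1
    return dict(counts)

def sample_capture(linktype=105):
    """Constructed sample: beacon, probe request and ACK headers, made-up MACs."""
    sta, ap, bc = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee"), b"\xff" * 6
    frames = [b"\x80\x00\x00\x00" + bc + ap + ap,    # beacon from ap
              b"\x40\x00\x00\x00" + bc + sta + bc,   # probe request from sta
              b"\xd4\x00\x00\x00" + sta]             # ACK addressed to sta
    rtap = b"\x00\x00\x08\x00\x00\x00\x00\x00" if linktype == 127 else b""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(rtap + f), len(rtap + f)) + rtap + f
    return out

if __name__ == "__main__":
    print(summarize(sample_capture()))
    print(summarize(sample_capture(), addr=bytes.fromhex("021122334455")))
```

A category that was disabled on the radio should show a count of zero, and a trace taken with ap-sniffer-addr set should give the same counts with and without the addr argument.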
Copyright 2024 Fortinet, Inc. All Rights Reserved.