FortiGate
simonz_FTNT
Staff
Article Id 193718

Description

 

Debug flow can be used to debug how a FortiGate device handles IPv6 traffic. This article shows the options for capturing IPv6 traffic.

The related article explains how to enable a filter in debug flow.
 
Scope
 
FortiGate.


Solution

 

CLI command set in Debug flow:
 
diagnose debug flow filter6 <option> <value>
 
The options available are:
 
addr      IPv6 address
clear     Clear filter
daddr     Destination address
dport     Destination port
negate    Inverse IPv6 filter
port      Port number
proto     Protocol number
saddr     Source address
sport     Source port
vd        Index of virtual domain
 
Once the filters have been defined, the debug flow can be started by issuing the following command:
 
diagnose debug flow trace start6 <number of trace lines displayed>
 
Example complete command:
 
diagnose debug enable
diagnose debug flow filter6 clear
diagnose debug flow filter6 daddr 2001:4860:4860::8888
diagnose debug flow show function-name enable
diagnose debug flow show console enable
diagnose debug flow trace start6 999 
 
Note that the number "6" in the commands (filter6, start6) stands for IPv6.

 

The following command is used to trace packets with the packet sniffer:

 

diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>
 
<interface>                       <----- Can be 'any' or particular interface such as wan1, port1, etc.
'<filter>'                        <----- Can be 'host 2001:4860:4860::8888', 'port 80', 'host 2001:4860:4860::8888 or port 443', 'host 2001:4860:4860::8888 and icmp6', etc.

 


 

<count>                           <----- The number of packets to capture. If 0 or no value is defined, unlimited packets will be captured until Ctrl+C is used to stop.

<tsformat>                        <----- 'a' for absolute UTC time, otherwise relative to the start of sniffing.