FortiSandbox
FortiSandbox provides a solution to protect against advanced threats and ransomware for companies that don’t want to implement and maintain a sandbox environment on their own.
mibekwe
Staff
Article Id 192790
Description
This article describes the steps for packet capture on the FortiSandbox.

Solution
FortiSandbox supports the standard “tcpdump” command.
> tcpdump -ni port1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:26:23.890308 IP 172.27.14.200.22 > 172.27.2.191.58012: Flags [P.], seq 662919284:662919480, ack 1552586983, win 356, options [nop,nop,TS val 277298891 ecr 1651858921], length 196
17:26:23.890555 IP 172.27.14.200.22 > 172.27.2.191.58012: Flags [P.], seq 196:424, ack 1, win 356, options [nop,nop,TS val 277298891 ecr 1651858921], length 228
[...]
247 packets captured
247 packets received by filter
0 packets dropped by kernel

It also accepts the same capture filter syntax as the FortiGate packet sniffer.
> tcpdump -ni port1 port 443 and host 172.27.2.191
listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:29:18.873079 IP 172.27.2.191.58039 > 172.27.14.200.443: Flags [SEW], seq 3581522529, win 65535, options [mss 1358,nop,wscale 5,nop,nop,TS

To produce output that the eth2pcap tool can convert, additional parameters are needed: -XX (print each packet in hex and ASCII, including the Ethernet header), -e (print the link-level header on the summary line), -s0 (capture full packets instead of truncating them) and -tt (print the timestamp as seconds since the epoch).
> tcpdump -ni port1 -XXe -s0 -tt ...

A complete example for use with the eth2pcap tool, combining the filter from above with the required parameters:
> tcpdump -XXe -s0 -tt -ni port1 port 443 and host 172.27.2.191
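As an added example that is not part of this article and is not Fortinet's eth2pcap tool, the following Python converts the text produced by "tcpdump -XXe -s0 -tt" (assumed to be the format eth2pcap consumes: an epoch timestamp on each summary line, followed by a hex dump that includes the Ethernet header) into a standard libpcap file. The two ARP frames in SAMPLE are constructed for the example, and the hex parser stops at the double space that separates the hex column from the ASCII column so printable bytes that look like hex digits are never read as data.

```python
import re
import struct

# Constructed sample of "tcpdump -XXe -s0 -tt" output (two made-up ARP frames, 42 bytes each).
SAMPLE = (
    "1700000000.000123 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    "Request who-has 172.27.2.1 tell 172.27.2.191, length 28\n"
    "\t0x0000:  ffff ffff ffff 0011 2233 4455 0806 0001  ........\"3DU....\n"
    "\t0x0010:  0800 0604 0001 0011 2233 4455 ac1b 02bf  ........\"3DU....\n"
    "\t0x0020:  0000 0000 0000 ac1b 0201                 ..........\n"
    "1700000001.500000 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: "
    "Reply 172.27.2.1 is-at 66:77:88:99:aa:bb, length 28\n"
    "\t0x0000:  0011 2233 4455 6677 8899 aabb 0806 0001  ...\"3DUfw.......\n"
    "\t0x0010:  0800 0604 0002 6677 8899 aabb ac1b 0201  ......fw........\n"
    "\t0x0020:  0011 2233 4455 ac1b 02bf                 ...\"3DU...\n"
)

SUMMARY_RE = re.compile(r"^(\d+)\.(\d{1,6})\s")  # "-tt" timestamp: seconds.microseconds
# "-XX" dump line: offset, then 2-byte hex groups each preceded by a single space.
# The ASCII column starts after two spaces, so the group loop ends there.
HEXLINE_RE = re.compile(r"^\s+0x[0-9a-fA-F]+:\s*((?:\s[0-9a-fA-F]{2,4})+)")


def parse_tcpdump_xx(text):
    """Return a list of (seconds, microseconds, frame_bytes) from -XXe -tt output."""
    packets, cur = [], None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:  # a new frame starts: flush the previous one
            if cur is not None:
                packets.append((cur[0], cur[1], bytes(cur[2])))
            usec = int(m.group(2).ljust(6, "0"))  # tolerate a shortened fraction
            cur = (int(m.group(1)), usec, bytearray())
            continue
        h = HEXLINE_RE.match(line)
        if h and cur is not None:
            cur[2].extend(bytes.fromhex(h.group(1).replace(" ", "")))
    if cur is not None:
        packets.append((cur[0], cur[1], bytes(cur[2])))
    return packets


def to_pcap(packets, snaplen=262144):
    """Serialise frames as a classic little-endian pcap file, link type 1 (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    frames = parse_tcpdump_xx(SAMPLE)
    with open("capture.pcap", "wb") as f:
        f.write(to_pcap(frames))
    print(f"wrote {len(frames)} frames to capture.pcap")
```

Feed the saved tcpdump text to parse_tcpdump_xx instead of SAMPLE and open the resulting file in Wireshark to verify that the Ethernet headers decode correctly, which confirms -XXe and -s0 were in effect for the capture.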
