FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
harshithbn
Staff
Article Id 194305

Description

 

This article describes how to collect sniffer captures on each port of a FortiSwitch.


Scope

 
FortiSwitch v7.x or later.


Solution

 

By default, running the diagnose sniffer on the internal interface shows only traffic going to the internal port.

To capture sniffer output on an individual port, the following configuration is required:

 

  1. A device should already be connected to the particular port where the sniffer information is required.
  2. sFlow should be enabled on the same port, with the sample rate set to 1.
 
Packets in both directions should now be visible with the following command:
 
"diagnose sniffer packet sp15"

where 15 is the port number.

To configure:
 
S448DP3X16xxxxxx # config switch interface
S448DP3X16xxxxxx (interface) # edit port15
S448DP3X16xxxxxx (port15) # set packet-sampler enabled
S448DP3X16xxxxxx (port15) # set packet-sample-rate 1
S448DP3X16xxxxxx (port15) # next
S448DP3X16xxxxxx (interface) # end
S448DP3X16xxxxxx #

To verify:
 
S448DP3X16xxxxxx # diagnose sniffer packet sp15

interfaces=[sp15]
filters=[none]
pcap_lookupnet: sp15: no IPv4 address assigned
1.800889 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.809597 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.817482 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
1.832318 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.885622 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.933504 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
1.986039 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.038536 802.1Q vlan#1 P0 -- arp who-has 10.33.183.69 (ff:ff:ff:ff:ff:ff) tell 10.33.183.69
2.092202 802.1Q vlan#1 P0 -- arp reply 10.33.183.69 is-at 0:c:e6:a:be:2e
2.095384 802.1Q vlan#1 P0 -- arp who-has 10.33.183.65 tell 10.33.183.69
2.103995 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 33
2.389462 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 50
2.391457 802.1Q vlan#1 P0 -- Ether type 0x4003 printer havn't been added to sniffer.
^C
14 packets received by filter
0 packets dropped by kernel
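
To confirm that a saved capture really contains both directions for the attached device, the following added example (not part of the original article) parses sniffer output in the format shown above and counts frames sent by and addressed to one host. The function names and the sample capture, including its DNS reply line, are constructed for illustration.

```python
import re
from collections import Counter

# One packet line as printed on this page:
#   "<time> 802.1Q vlan#<id> P<prio> -- <summary>"  (the VLAN tag part is optional)
LINE = re.compile(r"^\d+\.\d+ (?:802\.1Q vlan#\d+ P\d+ -- )?(?P<rest>.+)$")
IP = r"\d+(?:\.\d+){3}"
FLOW = re.compile(rf"^(?P<src>{IP})\.\d+ -> (?P<dst>{IP})\.\d+: \w+")
ARP_REQ = re.compile(r"^arp who-has (?P<dst>\S+) (?:\(\S+\) )?tell (?P<src>\S+)$")
ARP_REP = re.compile(r"^arp reply (?P<src>\S+) is-at \S+$")

def direction_counts(capture: str, host: str) -> Counter:
    """Count frames sent by `host`, addressed to it, unrelated, or unparsed."""
    counts = Counter()
    for raw in capture.splitlines():
        line = LINE.match(raw.strip())
        if not line:            # banner, "^C" and statistics lines
            continue
        rest = line["rest"]
        m = FLOW.match(rest) or ARP_REQ.match(rest) or ARP_REP.match(rest)
        if not m:               # e.g. "Ether type 0x4003 ..."
            counts["unparsed"] += 1
            continue
        fields = m.groupdict()
        if fields["src"] == host:
            counts["from_host"] += 1
        elif fields.get("dst") == host:
            counts["to_host"] += 1
        else:
            counts["other"] += 1
    return counts

def seen_both_directions(counts: Counter) -> bool:
    return counts["from_host"] > 0 and counts["to_host"] > 0

HOST = "10.33.183.69"
# Constructed sample in the page's output format; the 2.150000 reply line is invented.
SAMPLE = """interfaces=[sp15]
filters=[none]
1.800889 802.1Q vlan#1 P0 -- 0.0.0.0.68 -> 255.255.255.255.67: udp 548
2.092202 802.1Q vlan#1 P0 -- arp reply 10.33.183.69 is-at 0:c:e6:a:be:2e
2.095384 802.1Q vlan#1 P0 -- arp who-has 10.33.183.65 tell 10.33.183.69
2.103995 802.1Q vlan#1 P0 -- 10.33.183.69.2048 -> 10.32.8.9.53: udp 33
2.150000 802.1Q vlan#1 P0 -- 10.32.8.9.53 -> 10.33.183.69.2048: udp 49
2.391457 802.1Q vlan#1 P0 -- Ether type 0x4003 printer havn't been added to sniffer.
6 packets received by filter"""

if __name__ == "__main__":
    result = direction_counts(SAMPLE, HOST)
    print(dict(result), "both directions:", seen_both_directions(result))
```

A capture that reports only `from_host` frames suggests the sampler settings were not applied on the port being sniffed.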