Description
This article describes the built-in sniffer tool that can be used to find out the traffic traversing through different interfaces.
Solution
The following command is used to trace packets.
diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>
<interface> <----- Can be 'any' or particular interface such as wan1, port1, etc.
'<filter>' <----- Can be 'host 8.8.8.8', 'port 80', 'host 8.8.8.8 or port 80', 'host 8.8.8.8 and port 80', etc.
<count> <----- The number of packets to capture. If 0 or no value is defined, unlimited packets will be capture until ctrl+c is used to stop.
<tsformat> <----- 'a' for absolute UTC time, otherwise relative to the start of sniffing.
<tsformat> <----- 'a' for absolute UTC time, otherwise relative to the start of sniffing.
Consider two hosts connected to two different FortiGates.
[10.200.1.10/24] Host 1
[10.200.1.1/24 port2] FortiGate 1 [10.200.3.1/24 port1]
[10.200.2.10/24] Host 2
[10.200.2.1/24 port2] FortiGate 2 [10.200.3.10/24 port1]This example shows a ping test from host 1 to host 2. Consider two scenarios:
(i) Host reachable
(ii) Host unreachable
Case 1: Host Reachable.
Initially a ping from host1 (10.200.1.10/24) to host2 (10.200.2.10/24) is performed. The ICMP echo request is received on port1 of FortiGate 2. The request is forwarded to port2. An ICMP reply is received from host 2 which is then forwarded to port 1.
Since port 1 receives the ICMP echo request, the reply will be sent out via the same port1.
The output of the sniffer command has been taken on FortiGate 2.
diagnose sniffer packet any "host 10.200.1.10 and host 10.200.2.10" 4
interfaces=[any]
filters=[host 10.200.1.10 and host 10.200.2.10]
2.429703 port1 in 10.200.1.10 -> 10.200.2.10: icmp: echo request <----- Port 1 receives the request from FortiGate 1.
2.429798 port2 out 10.200.1.10 -> 10.200.2.10: icmp: echo request <----- Port 2 sends out the request to host 2.
2.430238 port2 in 10.200.2.10 -> 10.200.1.10: icmp: echo reply <----- Port 2 receives the reply from host 2.
2.430277 port1 out 10.200.2.10 -> 10.200.1.10: icmp: echo reply <----- Port 1 replies back to FortiGate 1.
Case 2: Host Unreachable.
interfaces=[any]
filters=[host 10.200.1.10 and host 10.200.2.10]
2.429703 port1 in 10.200.1.10 -> 10.200.2.10: icmp: echo request <----- Port 1 receives the request from FortiGate 1.
2.429798 port2 out 10.200.1.10 -> 10.200.2.10: icmp: echo request <----- Port 2 sends out the request to host 2.
2.430238 port2 in 10.200.2.10 -> 10.200.1.10: icmp: echo reply <----- Port 2 receives the reply from host 2.
2.430277 port1 out 10.200.2.10 -> 10.200.1.10: icmp: echo reply <----- Port 1 replies back to FortiGate 1.
Case 2: Host Unreachable.
Now a ping from host 1 is sent to a host 10.200.2.11 which is unreachable, port 1 on FortiGate 2 receives the ICMP echo request and forwards the request to port 2 but doesn't receive any response. Port 1 replies back to host 1 about host 10.200.2.11 being unreachable.
diagnose sniffer packet any "host 10.200.2.11 and icmp" 4
interfaces=[any]
filters=[host 10.200.2.11]
2.835286 port1 in 10.200.1.10 -> 10.200.2.11: icmp: echo request <----- Port 1 receives the request from FortiGate 1.
2.835400 port2 out arp who-has 10.200.2.11 tell 10.200.2.1 <----- ARP request is sent by 10.200.2.1 as it wants to send data but does not know the MAC address of 10.200.2.11 to send it.
No port2 in packet received as host is unreachable.
8.142688 port1 out 10.201.2.10 -> 10.200.1.10: icmp: host 10.200.2.11 unreachable <----- Port1 replies back to FortiGate 1 that host 10.200.2.11 is unreachable.
