tonylin1 (Staff)
Article Id 283610
Description

This article describes how to split traffic by interface when the packet sniffer is run on the 'any' interface and no SNAT/DNAT is in effect.

To test for packet loss on a FortiGate, 'any' is specified as the sniffing interface so that traffic is captured on every interface it traverses.

Scope

FortiGate.

Solution

Topology:

55.55.55.107 <----> (port29) FGT (port25) <----> 33.33.33.106

Traffic => ICMP from 55.55.55.107 to 33.33.33.106

Packet sniffer:

diagnose sniffer packet any 'host 33.33.33.106 and host 55.55.55.107' 6 0 l

2023-11-09 15:13:42.140243 port29 in 55.55.55.107 -> 33.33.33.106: icmp: echo request
0x0000 0000 0000 0001 000c 29ef e428 0800 4500 ........)..(..E.
0x0010 003c a450 0000 8001 e543 3737 376b 2121 .<.P.....C777k!!
0x0020 216a 0800 4d4f 0001 000c 6162 6364 6566 !j..MO....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi

2023-11-09 15:13:42.140265 port25 out 55.55.55.107 -> 33.33.33.106: icmp: echo request
0x0000 0000 0000 0000 906c acc4 1cfe 0800 4500 .......l......E.
0x0010 003c a450 0000 7f01 e643 3737 376b 2121 .<.P.....C777k!!
0x0020 216a 0800 4d4f 0001 000c 6162 6364 6566 !j..MO....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi

2023-11-09 15:13:42.140705 port25 in 33.33.33.106 -> 55.55.55.107: icmp: echo reply
0x0000 0000 0000 0001 000c 29f6 cd06 0800 4500 ........).....E.
0x0010 003c af80 0000 8001 da13 2121 216a 3737 .<........!!!j77
0x0020 376b 0000 554f 0001 000c 6162 6364 6566 7k..UO....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi

2023-11-09 15:13:42.140717 port29 out 33.33.33.106 -> 55.55.55.107: icmp: echo reply
0x0000 0000 0000 0000 906c acc4 1d02 0800 4500 .......l......E.
0x0010 003c af80 0000 7f01 db13 2121 216a 3737 .<........!!!j77
0x0020 376b 0000 554f 0001 000c 6162 6364 6566 7k..UO....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi

It is often important to check that FortiGate forwards all of the intended packets.

However, because every packet is captured twice (once inbound on one interface and once outbound on the other), each packet shows as a duplicate in Wireshark, and it is not possible to analyze the TCP sequence.

The following method makes it possible to use a Wireshark filter to split the traffic so that only port25 or only port29 is shown.

The MAC addresses needed for the filters, taken from the packets above, are:

55.55.55.107 : 000c 29ef e428

port25 : 906c acc4 1cfe

33.33.33.106 : 000c 29f6 cd06

port29 : 906c acc4 1d02

Note: 

DST MAC address == 0000 0000 0001 <- Inbound traffic of the interface.
DST MAC address == 0000 0000 0000 <- Outbound traffic of the interface.

The following Wireshark display filters select the traffic of one interface only.

To filter traffic only for port29:

=> source MAC addresses of 55.55.55.107 (inbound on port29) and of port29 itself (outbound):

eth.src == 00:0c:29:ef:e4:28 || eth.src == 90:6c:ac:c4:1d:02

To filter traffic only for port25:

=> source MAC addresses of port25 itself (outbound) and of 33.33.33.106 (inbound on port25):

eth.src == 90:6c:ac:c4:1c:fe || eth.src == 00:0c:29:f6:cd:06
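As an added example (not part of the article or of any Fortinet tool), the following Python script parses the verbose-6 sniffer output shown above, verifies the dst-MAC in/out convention on every packet, and derives the per-interface Wireshark filters from the source MACs seen on each interface. The embedded sample is the header and first hex line of each of the four packets from the article's capture; the regular expressions assume that output layout.

```python
import re
from collections import defaultdict

# Constructed sample: header plus first hex line of each packet in the article's
# 'diagnose sniffer packet any ... 6' capture (remaining hex lines omitted).
CAPTURE = """\
2023-11-09 15:13:42.140243 port29 in 55.55.55.107 -> 33.33.33.106: icmp: echo request
0x0000 0000 0000 0001 000c 29ef e428 0800 4500 ........)..(..E.
2023-11-09 15:13:42.140265 port25 out 55.55.55.107 -> 33.33.33.106: icmp: echo request
0x0000 0000 0000 0000 906c acc4 1cfe 0800 4500 .......l......E.
2023-11-09 15:13:42.140705 port25 in 33.33.33.106 -> 55.55.55.107: icmp: echo reply
0x0000 0000 0000 0001 000c 29f6 cd06 0800 4500 ........).....E.
2023-11-09 15:13:42.140717 port29 out 33.33.33.106 -> 55.55.55.107: icmp: echo reply
0x0000 0000 0000 0000 906c acc4 1d02 0800 4500 .......l......E.
"""
# "<date> <time> <interface> <in|out> <src> -> <dst>: ..." header line.
HEADER_RE = re.compile(r"^\S+ \S+ (\S+) (in|out) \S+ -> \S+: ")
# First hex line: Ethernet header, dst MAC (3 words) then src MAC (3 words).
HEX0_RE = re.compile(r"^0x0000\s+((?:[0-9a-f]{4}\s+){6})")
DST_MAC_IN = "00:00:00:00:00:01"   # sniffer marker: received on the interface
DST_MAC_OUT = "00:00:00:00:00:00"  # sniffer marker: sent out of the interface

def fmt_mac(words):
    """['000c', '29ef', 'e428'] -> '00:0c:29:ef:e4:28' (Wireshark notation)."""
    raw = "".join(words)
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def parse_sniffer(text):
    """Yield (interface, direction, dst_mac, src_mac) per captured packet."""
    iface = direction = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            iface, direction = m.group(1), m.group(2)
            continue
        m = HEX0_RE.match(line)
        if m and iface:
            words = m.group(1).split()
            yield iface, direction, fmt_mac(words[:3]), fmt_mac(words[3:])
            iface = direction = None

def interface_filters(text):
    # Map each interface to a Wireshark filter on the source MACs seen on it.
    # A packet whose dst MAC contradicts the in/out marker is rejected, so no
    # filter is built from a capture the 'any' convention does not apply to.
    src_by_iface = defaultdict(list)
    for iface, direction, dst, src in parse_sniffer(text):
        if dst != (DST_MAC_IN if direction == "in" else DST_MAC_OUT):
            raise ValueError(f"{iface} {direction}: unexpected dst MAC {dst}")
        if src not in src_by_iface[iface]:
            src_by_iface[iface].append(src)
    return {i: " || ".join(f"eth.src == {m}" for m in macs)
            for i, macs in src_by_iface.items()}
```

Running `interface_filters(CAPTURE)` on the sample reproduces the two filters given above for port29 and port25.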