Description
The FortiGate built-in packet sniffer uses the same libpcap library files as tcpdump on a Linux platform, and it uses the default capture buffer size of 2 MB.
When a full packet capture is run from the CLI with the command below while the traffic volume is high, the packet filter buffer overflows. The resulting packet capture output is then not accurate.
# diagnose sniffer packet any 'port 443' 6 0 l
Verbose level 6 is used here to perform a full packet capture.
After pressing CTRL+C to end the packet capture from the CLI, the following output is shown, indicating that the packet capture buffer overflowed:
The "packets dropped by kernel" message above does not mean that the FortiGate actually dropped that traffic; it refers to packets the sniffer was unable to capture.
Solution
Workaround
For firmware versions 5.0 and 5.2, use the GUI Packet Capture tool located under System > Network > Packet Capture to limit the number of packets being captured. This can reduce the number of packets dropped by the filter.
For firmware version 4.3, use the option located under System > Config > Advanced.
Reduce the verbose level of the packet capture. This can also reduce the number of packets dropped, but the lowest usable level depends on the information that needs to be captured.
# diag sniffer packet <'filter'> a
Verbose levels in detail:
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name
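As an added example (not part of this article and not a Fortinet tool), the following Python script parses the text that verbose levels 3 and 6 print, reads the "packets received by filter" / "packets dropped by kernel" trailer so an incomplete capture is recognised before it is analysed, and rewrites the frames as a pcap file. It assumes the default relative timestamp format; the embedded sample capture is constructed, with truncated frames, and is not real FortiGate output.

```python
import re
import struct

# One packet header line: relative seconds (default tsformat), interface, direction, summary
HDR_RE = re.compile(r'^(\d+\.\d+) (\S+) (in|out) (.*)$')
HEX_RE = re.compile(r'^0x[0-9a-f]{4}\t\s*([0-9a-f ]+)')   # hex column; ASCII column follows a 2nd tab
CNT_RE = re.compile(r'^(\d+) packets (received by filter|dropped by kernel)$')

def parse_sniffer(text):
    """Return ([ [sec, usec, iface, direction, summary, frame_bytes], ... ], trailer counters)."""
    packets, stats, cur = [], {}, None
    for line in text.splitlines():
        if (m := HDR_RE.match(line)):
            t = float(m.group(1))
            cur = [int(t), int(round((t - int(t)) * 1_000_000)), m.group(2), m.group(3), m.group(4), b'']
            packets.append(cur)
        elif (m := HEX_RE.match(line)) and cur is not None:
            cur[5] += bytes.fromhex(m.group(1).replace(' ', ''))
        elif (m := CNT_RE.match(line)):
            stats[m.group(2)] = int(m.group(1))
    return packets, stats

def to_pcap(packets):
    """Classic pcap, link type 1 (Ethernet): verbose 3 and 6 dumps start at the Ethernet header."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, _iface, _dir, _summary, data in packets:
        out += struct.pack('<IIII', sec, usec, len(data), len(data)) + data
    return out

def capture_report(text):
    """Non-zero 'dropped by kernel' = sniffer buffer overflowed, capture incomplete (not firewall drops)."""
    packets, stats = parse_sniffer(text)
    dropped = stats.get('dropped by kernel', 0)
    return {'parsed': len(packets), 'received': stats.get('received by filter', 0),
            'dropped': dropped, 'complete': dropped == 0}

# Constructed sample in the verbose-6 layout (not a real capture; frames are truncated).
SAMPLE = """interfaces=[any]
filters=[port 443]
0.412345 port1 in 10.0.0.5.51234 -> 203.0.113.7.443: syn 1000
0x0000\t 0009 0f89 1000 0011 2233 4455 0800 4500\t........"3DU..E.
0x0010\t 0028 1234 4000 4006 0000 0a00 0005 cb00\t.(.4@.@.........
1.004210 port1 out 203.0.113.7.443 -> 10.0.0.5.51234: syn 2000 ack 1001
0x0000\t 0011 2233 4455 0009 0f89 1000 0800 4500\t.."3DU........E.
2 packets received by filter
37 packets dropped by kernel
"""
```

Run capture_report(SAMPLE) before trusting a capture, and write to_pcap(parse_sniffer(SAMPLE)[0]) to a .pcap file to open it in Wireshark.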
Related Articles
Troubleshooting Tool: Using the FortiOS built-in packet sniffer
How to create a packet capture using the built-in GUI tool