simonz_FTNT (Staff)
Article Id 193300

Description

The FortiGate built-in packet sniffer uses the same libpcap library as tcpdump on a Linux platform, and it uses libpcap's default capture buffer size of 2 MB.

When a full packet capture is run from the CLI with the following command (verbose level 6) while traffic volume is high, the sniffer's capture buffer overflows and the resulting capture is incomplete:

# diagnose sniffer packet any 'port 443' 6 0 l

After pressing CTRL+C to end the capture, the output ends with a summary that indicates the buffer overflow:

[Screenshot: CLI output after CTRL+C, ending with the "packets dropped by kernel" count]

The message "packets dropped by kernel" refers to packets that the sniffer could not store because its capture buffer overflowed; it does not mean that the FortiGate dropped those packets from the traffic it forwards.


Solution

Workaround

For firmware versions 5.0 and 5.2, use GUI Packet Capture located under System > Network > Packet Capture to limit the number of packets being captured.  This could minimize the packets dropped by the filter.
[Screenshot: GUI Packet Capture page under System > Network > Packet Capture]

For firmware version 4.3, use the option located under System > Config > Advanced.
[Screenshot: packet capture option under System > Config > Advanced]

Reduce the verbose level of the packet capture. This reduces the amount of data stored per packet and therefore the number of packets dropped, but the level that can be used depends on the information that needs to be captured. The verbose level is the third argument of the sniffer command:

# diagnose sniffer packet <interface> <'filter'> <verbose> <count> <tsformat>

Verbose levels in detail:

1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name
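The following script is an added example and is not part of the article or Fortinet's own tooling. It shows how to read the summary lines a sniffer session prints after CTRL+C (received versus dropped counts) to judge whether a capture is trustworthy, and how to estimate how many records the 2 MB buffer can hold at a given capture length, which is why lower verbose levels (headers only) drop fewer packets than verbose 6 (full frames). The sample output is constructed, the summary-line wording is assumed to match the tcpdump-style trailer the article refers to, and the per-record cost model (capture length plus a 16-byte libpcap record header) is a simplification.

```python
import re

# Constructed sample of a sniffer session trailer (values are made up for
# illustration and are not taken from the article).
SAMPLE_OUTPUT = """\
12.345678 port1 in 10.0.0.5.51234 -> 192.0.2.10.443: psh 1234 ack 5678
12.345702 port1 out 192.0.2.10.443 -> 10.0.0.5.51234: ack 6789

4821 packets received by filter
1337 packets dropped by kernel
"""

RECEIVED_RE = re.compile(r"(\d+) packets received by filter")
DROPPED_RE = re.compile(r"(\d+) packets dropped by kernel")

# libpcap stores each captured record with a 16-byte header (ts_sec, ts_usec,
# captured length, original length) in front of the captured bytes.
PCAP_RECORD_HEADER = 16
DEFAULT_BUFFER_BYTES = 2 * 1024 * 1024  # the 2 MB default the article describes


def parse_sniffer_summary(output):
    """Return (received, dropped) from the trailer of a sniffer session."""
    received = RECEIVED_RE.search(output)
    dropped = DROPPED_RE.search(output)
    if received is None or dropped is None:
        raise ValueError("sniffer summary lines not found in output")
    return int(received.group(1)), int(dropped.group(1))


def drop_ratio(received, dropped):
    """Dropped packets relative to packets that matched the filter."""
    if received == 0:
        return 0.0
    return dropped / received


def capture_is_trustworthy(output, max_ratio=0.01):
    """True when at most max_ratio of matching packets were dropped (assumed threshold)."""
    received, dropped = parse_sniffer_summary(output)
    return drop_ratio(received, dropped) <= max_ratio


def frames_in_buffer(buffer_bytes=DEFAULT_BUFFER_BYTES, snaplen=1514):
    """Records of the given capture length that fit in the capture buffer.

    Simplified model: each record costs snaplen plus the libpcap record header.
    Full Ethernet frames (verbose 6) use snaplen=1514; a headers-only capture
    is modelled here with a much smaller snaplen.
    """
    return buffer_bytes // (snaplen + PCAP_RECORD_HEADER)


def buffer_seconds(frames_per_second, buffer_bytes=DEFAULT_BUFFER_BYTES, snaplen=1514):
    """Seconds of traffic the buffer can absorb before the CLI reader must drain it."""
    return frames_in_buffer(buffer_bytes, snaplen) / frames_per_second


if __name__ == "__main__":
    received, dropped = parse_sniffer_summary(SAMPLE_OUTPUT)
    print(f"received={received} dropped={dropped} ratio={drop_ratio(received, dropped):.1%}")
    print("trustworthy:", capture_is_trustworthy(SAMPLE_OUTPUT))
    for snaplen in (1514, 64):
        print(f"snaplen {snaplen}: {frames_in_buffer(snaplen=snaplen)} records fit in 2 MB, "
              f"about {buffer_seconds(80_000, snaplen=snaplen) * 1000:.1f} ms at 80k frames/s")
```

With the constructed trailer above, more than a quarter of the matching packets were dropped, so the capture is not a reliable record of the session. The capacity estimate shows the article's point in numbers: at full frame length the buffer holds only about 1,370 records, whereas a headers-only capture fits roughly twenty times as many.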


Related Articles

Troubleshooting Tool: Using the FortiOS built-in packet sniffer

How to create a packet capture using the built-in GUI tool