Troubleshooting Page 137 FortiRecorder 2.4.2 Administration Guide
Packet capture
Packet capture, also known as sniffing, packet trace, or packet analysis, records some or all of
the packets seen by a network interface (that is, the network interface is used in promiscuous
mode). By recording packets, you can trace TCP connection states and HTTP request
transactions to the exact point at which they fail, which may help you to diagnose some types of
problems that are otherwise difficult to detect, such as malformed packets, differentiated
services misconfiguration, or non-RFC protocol incompatibilities.
FortiRecorder appliances have a built-in sniffer. Packet capture on FortiRecorder appliances is
similar to that of FortiGate appliances. To use the built-in sniffer, connect to the CLI and enter
the following command:
diagnose sniffer packet [{any | <interface_name>}
[{none | '<filter_str>'} [{1 | 2 | 3 | 4 | 5 | 6} [<packets_int>
[{a | <any_str>}]]]]]
where:
• <interface_name> is the name of a network interface, such as port1; enter any to
capture on all interfaces. If you omit this and the following parameters, the command
captures all packets on all network interfaces.
• '<filter_str>' is the sniffer filter that specifies which protocols, hosts, and port
numbers you do or do not want to capture, such as 'tcp port 80', or enter none for no
filter. Filters use tcpdump syntax and must be enclosed in single quotes.
• <packets_int> is the number of packets the sniffer reads before stopping. Packet
capture output is printed to your CLI display until you stop it by pressing Ctrl+C, or until it
reaches the number of packets that you have specified to capture.
• {a | <any_str>} is either a (to include an absolute, full UTC timestamp in the format
yyyy-mm-dd hh:mm:ss.ms), or any other text (to include a timestamp that is the amount of
time since the start of the packet capture, in the format ss.ms)
• {1 | 2 | 3 | 4 | 5 | 6} is an integer indicating whether to display the network
interface names, packet headers, and/or payloads for each packet that the network interface
sends, receives, or sees:
• 1 — Display the packet capture timestamp, plus basic fields of the IP header: the source
IP address, the destination IP address, protocol name, and destination port number.
Does not display all fields of the IP header; it omits:
• IP version number bits
• Internet header length (ihl)
• type of service/differentiated services code point (tos)
• explicit congestion notification
• total packet or fragment length
• packet ID
• IP header checksum
• time to live (TTL)
• IP flags
Packet capture can be very resource intensive. To minimize the performance impact on your
FortiRecorder appliance, use packet capture only during periods of minimal traffic, with a local
console CLI connection rather than a Telnet or SSH CLI connection (the output of a remote
session is itself sent over a network interface and can end up in, and inflate, the capture;
if you must sniff over SSH, exclude it with a filter such as 'not tcp port 22'), and be
sure to stop the command when you are finished.
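The helper below is an added example and is not FortiRecorder code. It assembles a
diagnose sniffer packet command line from the parameters described above, rejects values
the documented syntax does not allow (an interface name with stray characters, a verbosity
level outside 1 to 6, a non-numeric packet count, a filter containing a single quote that
would end the CLI quoting early), and prints the result for you to paste into the appliance
CLI; it cannot run the command itself, since the product CLI is not a shell. The interface
name port1, the camera address 192.0.2.50, and RTSP on TCP port 554 in the usage calls are
assumed values. Requiring a positive packet count is a choice of the helper, so that every
capture it produces stops on its own.

```shell
#!/bin/sh
# build_sniffer_cmd: assemble a FortiRecorder "diagnose sniffer packet" command
# line from its parameters and reject values the documented syntax does not
# allow. Added example, not FortiRecorder code: it prints the command for you
# to paste into the appliance CLI; it does not run it.
#
# usage: build_sniffer_cmd <interface|any> <filter|none> <1-6> <packet_count> [a|<text>]
build_sniffer_cmd() {
    iface=$1; filter=$2; verb=$3; count=$4; ts=$5

    # Interface: the literal word any, or a plain interface name such as port1.
    case $iface in
        any) ;;
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: '$iface'" >&2; return 1 ;;
    esac

    # Verbosity level must be a single digit 1 to 6.
    case $verb in
        [1-6]) ;;
        *) echo "bad verbosity level: '$verb' (use 1-6)" >&2; return 1 ;;
    esac

    # Packet count must be a positive integer so the capture stops on its own
    # (helper's choice; the guide only says it is the number of packets to read).
    case $count in
        ''|0|*[!0-9]*) echo "bad packet count: '$count' (positive integer)" >&2; return 1 ;;
    esac

    # Filter: the literal word none, or a tcpdump expression that the CLI
    # expects in single quotes; an embedded single quote would end the quoting early.
    if [ "$filter" = none ]; then
        fexpr=none
    else
        case $filter in
            ''|*\'*) echo "bad filter: use none or a tcpdump expression without single quotes" >&2; return 1 ;;
        esac
        fexpr="'$filter'"
    fi

    printf 'diagnose sniffer packet %s %s %s %s' "$iface" "$fexpr" "$verb" "$count"
    # Optional timestamp style: a for absolute UTC, any other text for time since start.
    if [ -n "$ts" ]; then
        printf ' %s' "$ts"
    fi
    printf '\n'
}

# Usage (assumed values: interface port1, camera address 192.0.2.50, RTSP on TCP 554).
# 100 packets of RTSP traffic to one camera, verbosity 1, absolute UTC timestamps:
build_sniffer_cmd port1 'host 192.0.2.50 and tcp port 554' 1 100 a
# When sniffing over SSH, keep the session's own packets out of the capture:
build_sniffer_cmd any 'not tcp port 22' 1 50
```

Each rejected argument produces a message on stderr and a non-zero return, so the helper
can sit in front of a script that copies commands to an appliance without silently emitting
a sniffer invocation that would run unbounded or with a broken filter.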