On FortiGate firewalls you have the command:
diag sniffer packet [interface] '[filter]' [verbose level] [count] [tsformat]
You can find the details here.
If you just want to verify whether a packet passes the FortiGate, simply use this command:
diag sniffer packet any '[filter]' 4
You can see the incoming and the outgoing interface of the packets and the direction.
If you want to analyse the content of the packets, it becomes quite difficult: all the information is printed in hexadecimal. It is much simpler to analyse the output with Wireshark.
To get this working, you have to transform the output of diag sniffer packet into the hexdump format.
The original diag sniffer packet looks like this:
2018-07-30 11:46:39.203676 802.1Q vlan#7 P0
0x0000   0100 0000 0000 02db e3b3 6515 8100 0007        ..........e.....
0x0010   0800 4500 003e 4743 0000 0211 8349 0a00        ..E..>GC.....I..
0x0020   0328 e000 00fb cc86 14e9 002a c5b0 5e7e        .(.........*..^~
0x0030   0000 0001 0000 0000 0000 055f 7261 6f70        ..........._raop
0x0040   045f 7463 7005 6c6f 6361 6c00 000c 0001        ._tcp.local.....
This is what the same packet looks like in hexdump format:
2018-07-30 11:46:39.203676
000000 01 00 00 00 00 00 02 db e3 b3 65 15 81 00 00 07
000010 08 00 45 00 00 3e 47 43 00 00 02 11 83 49 0a 00
000020 03 28 e0 00 00 fb cc 86 14 e9 00 2a c5 b0 5e 7e
000030 00 00 00 01 00 00 00 00 00 00 05 5f 72 61 6f 70
000040 04 5f 74 63 70 05 6c 6f 63 61 6c 00 00 0c 00 01
To reformat the output, we have created a Perl script.
This script can be run under Linux or macOS as a single command line:
ssh -l <user> <firewall address> "diag sniffer packet any '' 3 0 l" | hexdump.pl - | text2pcap -t "%Y-%m-%d %H:%M:%S." - sniffer-out.pcap
SSH starts the sniffer on the firewall and writes its output to standard output. hexdump.pl reads it from standard input, reformats it and passes it to text2pcap, the official Wireshark program that converts a hexdump into pcap format.
The resulting file, which we call sniffer-out.pcap in this example, can be opened with Wireshark. Now you can use all Wireshark features to analyse your traffic.
hexdump.pl takes a file as input; with - (dash) as the file name, hexdump.pl reads the data from standard input.
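The page's hexdump.pl is not reproduced here. The following is an added example (not the author's script) of the same conversion in Python, so the two formats shown above can be compared step by step: it parses the verbose-3 sniffer layout (a timestamp header line per packet followed by 0x0000-style lines of eight 16-bit hex groups plus an ASCII column) and emits the text2pcap layout, with the timestamp on its own line. The sample input is constructed, the file name fgt2hexdump.py is hypothetical, and the banner and trailer lines in the sample are only there to show that non-packet lines are skipped.

```python
import re
import sys
from typing import Iterable, Iterator, List, Tuple

# Constructed sample (not captured from a real firewall): the frame shown on
# this page, laid out as "diag sniffer packet any '' 3" prints it, surrounded by
# the kind of banner/trailer lines the sniffer adds that carry no packet data.
SNIFFER_SAMPLE = """\
interfaces=[any]
filters=[]
2018-07-30 11:46:39.203676 802.1Q vlan#7 P0
0x0000   0100 0000 0000 02db e3b3 6515 8100 0007        ..........e.....
0x0010   0800 4500 003e 4743 0000 0211 8349 0a00        ..E..>GC.....I..
0x0020   0328 e000 00fb cc86 14e9 002a c5b0 5e7e        .(.........*..^~
0x0030   0000 0001 0000 0000 0000 055f 7261 6f70        ..........._raop
0x0040   045f 7463 7005 6c6f 6361 6c00 000c 0001        ._tcp.local.....

1 packets received by filter
0 packets dropped by kernel
"""

# Header line: "YYYY-MM-DD HH:MM:SS.uuuuuu <interface/direction info>"
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)(?:\s|$)")
# Data line: "0xNNNN" offset, then hex groups, then the ASCII column.
OFF_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")
# One hex group: 4 hex digits (2 bytes) or 2 hex digits (a trailing odd byte).
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{4}$|^[0-9a-fA-F]{2}$")


def parse_sniffer(lines: Iterable[str]) -> Iterator[Tuple[str, bytes]]:
    """Yield (timestamp, frame_bytes) for every packet in sniffer output."""
    ts = None
    buf = bytearray()
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = TS_RE.match(line)
        if m:
            if ts is not None and buf:
                yield ts, bytes(buf)          # flush the previous packet
            ts, buf = m.group(1), bytearray()
            continue
        m = OFF_RE.match(line)
        if m is None or ts is None:
            continue                          # banner, blank or trailer line
        offset = int(m.group(1), 16)
        if offset != len(buf):
            raise ValueError(f"hex line at 0x{offset:04x} does not continue "
                             f"the current frame ({len(buf)} bytes so far)")
        # A data line carries at most 8 groups (16 bytes); whatever follows is
        # the ASCII column. The 8-group cap keeps a printable column such as
        # "cafe" from being read as data on a full line; only a short final
        # line whose ASCII column starts with 2 or 4 hex characters is ambiguous.
        for tok in m.group(2).split()[:8]:
            if not HEX_TOKEN.match(tok):
                break
            buf += bytes.fromhex(tok)
    if ts is not None and buf:
        yield ts, bytes(buf)


def to_text2pcap(frames: Iterable[Tuple[str, bytes]]) -> str:
    """Render frames in the layout text2pcap reads with -t "%Y-%m-%d %H:%M:%S.":
    the timestamp on its own line, then '000000 01 00 ...' lines of 16 bytes."""
    out: List[str] = []
    for ts, data in frames:
        out.append(ts)
        for off in range(0, len(data), 16):
            chunk = data[off:off + 16]
            out.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(out) + "\n" if out else ""


def convert(text: str) -> str:
    """Whole-text convenience wrapper: sniffer output in, hexdump text out."""
    return to_text2pcap(parse_sniffer(text.splitlines()))


if __name__ == "__main__":
    # Stand-in for hexdump.pl in the pipeline from the text (hypothetical name):
    #   ssh -l <user> <fw> "diag sniffer packet any '' 3 0 l" \
    #     | python3 fgt2hexdump.py | text2pcap -t "%Y-%m-%d %H:%M:%S." - out.pcap
    sys.stdout.write(convert(sys.stdin.read()))
```

The offset check is what turns a truncated or interleaved capture into an error instead of a silently corrupted pcap: if a 0x0010 line shows up while only 8 bytes have been collected, the frame no longer lines up with what the firewall emitted. The 802.1Q tag and everything behind it are carried through unchanged, since text2pcap's default link type is Ethernet and the frame starts with the Ethernet header.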
Using it with VDOMs:
If you want to use this script with VDOMs, you have to execute the command in the VDOM context. Create a file with the following content; in this example we call it sniff.txt:
config vdom
edit root
diag sniffer packet any 'not port 22' 3 0 l
Now execute the command:
ssh -l <user> <firewall address> < sniff.txt | hexdump.pl - | text2pcap -t "%Y-%m-%d %H:%M:%S." - - | wireshark -k -i -