Format FortiGate diag sniffer packet for Wireshark

On FortiGate firewalls you got the command:

diag sniffer packet [interface] '[filter]' [verbose level] [count] [tsformat]

Details you find ⇒here.

If you just want to verify, if a packet passes the FortiGate, then simply use this command:

diag sniffer packet any '[filter]' 4

You can see the incoming and the outgoing interface of the packets and the direction.

If you want to analyse the content of the packets, it becomes quite difficult. You got all the information in hexadecimal. But it is much simpler to analyse the the output with Wireshark.

To get this working, you have to transform the output of diag sniffer packet to match the hexdump format..

The original diag sniffer packet looks like this:

2018-07-30 11:46:39.203676 802.1Q vlan#7 P0
0x0000   0100 0000 0000 02db e3b3 6515 8100 0007        ..........e.....
0x0010   0800 4500 003e 4743 0000 0211 8349 0a00        ..E..>GC.....I..
0x0020   0328 e000 00fb cc86 14e9 002a c5b0 5e7e        .(.........*..^~
0x0030   0000 0001 0000 0000 0000 055f 7261 6f70        ..........._raop
0x0040   045f 7463 7005 6c6f 6361 6c00 000c 0001        ._tcp.local.....

That is the way it looks like in hexdump:

2018-07-30 11:46:39.203676
000000  01 00 00 00 00 00 02 db e3 b3 65 15 81 00 00 07
000010  08 00 45 00 00 3e 47 43 00 00 02 11 83 49 0a 00
000020  03 28 e0 00 00 fb cc 86 14 e9 00 2a c5 b0 5e 7e
000030  00 00 00 01 00 00 00 00 00 00 05 5f 72 61 6f 70
000040  04 5f 74 63 70 05 6c 6f 63 61 6c 00 00 0c 00 01

To reformat the output, we have create a perl script.

This script can be run under Linux or MacOS in one single command from the command line:

ssh -l <user> <firewall address> "diag sniffer packet any '' 3 0 l" | hexdump.pl - | text2pcap -t "%Y-%m-%d %H:%M:%S." - sniffer-out.pcap

SSH starts the sniffer on the firewall, writes the output to standard output. hexdump.pl reads it from standard input, formats it and passes it to text2pcap, the official Wireshark program to transform hexdump into pcap format.

The resulting file, which we call sniffer-out.pcap in this example, can be opened with Wireshark. Now you can use all Wireshark features to analyse your traffic.

hexdump.pl uses a file as input. Using – (dash) as input,  hexdump.pl uses standard input to read the data.

Using  it with VDOMs:

If you want to use this script with VDOMs, then you have to execute the command in the VDOM context. Create a file with the following content. In this example we call it sniff.txt:

config vdom
edit root
diag sniffer packet any 'not port 22' 3 0 l

Now execute the command:

ssh -l <user> <firewall address> < sniff.txt | hexdump.pl - | text2pcap -t "%Y-%m-%d %H:%M:%S." - - | wireshark -k -i -

 

hexdump
hexdump