http://kb.fortinet.com/kb/viewContent.do?externalId=FD31323&sliceId=1

Troubleshooting Tip: Using the FortiGate sniffer on VLAN interfaces

Products

FortiGate v4.0 MR2
FortiGate v4.0 MR3
FortiGate v5.0

Description

This article describes how to use the FortiGate sniffer on VLAN interfaces.

The following example is based on a FortiGate with 2 VLANs attached to the interface wan1, as well as an IP address on the
physical interface itself.

config system interface
    edit "wan1"
        set ip 10.140.0.106 255.255.254.0
        set type physical
    next
    edit "VLAN18"
        set ip 192.168.182.106 255.255.254.0
        set interface "wan1"
        set vlanid 18
    next
    edit "VLAN224"
        set ip 172.31.224.106 255.255.254.0
        set interface "wan1"
        set vlanid 224
    next
end

Solution

1. Looking for the tagging information in the sniffer capture

In order to see the tagging information in the sniffer trace, there must be no packet filter in the sniffer command.

Example of a command without packet filter

FGT # diagnose sniffer packet wan1 ""

Example of a command with a packet filter

FGT # diagnose sniffer packet wan1 "icmp or arp"

1.1 Capturing all tagged and non-tagged packets on wan1, low verbosity

FGT # diagnose sniffer packet wan1 ""

0.180038 arp who-has 10.140.0.234 tell 10.140.0.106
0.553565 802.1Q vlan#18 P0
1.553430 802.1Q vlan#18 P0
2.180040 arp who-has 10.140.0.234 tell 10.140.0.106
2.553224 802.1Q vlan#18 P0
3.180030 arp who-has 10.140.0.234 tell 10.140.0.106
3.553216 802.1Q vlan#18 P0
4.180028 arp who-has 10.140.0.234 tell 10.140.0.106
4.553062 802.1Q vlan#18 P0
4.553127 802.1Q vlan#224 P0


Reading the trace:

The arp packets are sent at the physical interface level on the configured subnet (10.140.0.x) and are untagged (no 802.1Q mentioned).
Some tagged frames are received or sent on the VLAN interfaces VLAN18 and VLAN224; these are the lines with the 802.1Q information.

1.2 Capturing all tagged and non-tagged packets on wan1, high verbosity (full packet content)

In order to see the full content of all packets on wan1 (tagged and non-tagged), the following command can be used:

FGT # diagnose sniffer packet wan1 "" 3

1.028118 802.1Q vlan#18 P0
0x0000 0009 0f09 3204 0009 0f30 29e4 8100 0012 ....2....0).....
0x0010 0800 4500 003c 6c5d 0000 ff01 6bcb c0a8 ..E..<l]....k...
0x0020 b66a c0a8 abdc 0000 b257 0600 9d04 6162 .j.......W....ab
0x0030 6364 6566 6768 696a 6b6c 6d6e 6f70 7172 cdefghijklmnopqr
0x0040 7374 7576 7761 6263 6465 6667 6869 stuvwabcdefghi

2.180036 arp who-has 10.140.0.234 tell 10.140.0.106
0x0000 ffff ffff ffff 0009 0f30 29e4 0806 0001 .........0).....
0x0010 0800 0604 0001 0009 0f30 29e4 0a8c 006a .........0)....j
0x0020 0000 0000 0000 0a8c 00ea ..........

3.028048 802.1Q vlan#224 P0
0x0000 0019 b9f8 e7e9 0009 0f30 29e4 8100 00e0 .........0).....
0x0010 0800 4500 003c 6c60 0000 ff01 5651 ac1f ..E..<l`....VQ..
0x0020 e06a c0a8 abdc 0000 b057 0600 9f04 6162 .j.......W....ab
0x0030 6364 6566 6768 696a 6b6c 6d6e 6f70 7172 cdefghijklmnopqr
0x0040 7374 7576 7761 6263 6465 6667 6869 stuvwabcdefghi

Reading the trace:

The arp packets are still sent at the physical interface level on the configured subnet (10.140.0.x) and are untagged (no 802.1Q mentioned). The Ethertype is 0x0806.
The tagged frames now show the 802.1Q field: 8100 0012 or 8100 00e0, where 0012 and 00e0 are the VLAN numbers in hex (18 and 224).
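
As an added example (not part of the Fortinet article), the following Python parser rebuilds frame bytes from verbosity-3 output like the trace above and decodes the Ethernet header and the 802.1Q tag. It goes slightly beyond the article by splitting the 16-bit field after 8100 into priority (PCP), DEI and the 12-bit VLAN ID. The function names are illustrative, and the row layout (offset, up to eight hex groups, ASCII column) is assumed from the output shown on this page.

```python
import re
import struct

# Sample input: first two hex rows of each packet in the verbosity-3 trace above.
SAMPLE = """
1.028118 802.1Q vlan#18 P0
0x0000 0009 0f09 3204 0009 0f30 29e4 8100 0012 ....2....0).....
0x0010 0800 4500 003c 6c5d 0000 ff01 6bcb c0a8 ..E..<l]....k...
2.180036 arp who-has 10.140.0.234 tell 10.140.0.106
0x0000 ffff ffff ffff 0009 0f30 29e4 0806 0001 .........0).....
0x0010 0800 0604 0001 0009 0f30 29e4 0a8c 006a .........0)....j
3.028048 802.1Q vlan#224 P0
0x0000 0019 b9f8 e7e9 0009 0f30 29e4 8100 00e0 .........0).....
0x0010 0800 4500 003c 6c60 0000 ff01 5651 ac1f ..E..<l`....VQ..
"""

ROW = re.compile(r"^0x[0-9a-f]{4}\s+(.*)$")      # hex row: offset, then data
GROUP = re.compile(r"^(?:[0-9a-f]{2}){1,2}$")    # one or two bytes as hex

def parse_trace(text):
    """Return [(summary_line, frame_bytes)] for each packet in the trace."""
    packets = []
    for line in map(str.strip, text.splitlines()):
        row = ROW.match(line)
        if row and packets:
            for tok in row.group(1).split()[:8]:  # at most 8 groups (16 bytes) per row
                if not GROUP.match(tok):          # first non-hex token: ASCII column
                    break
                packets[-1][1].extend(bytes.fromhex(tok))
        elif line and not row:                    # any other non-empty line opens a packet
            packets.append((line, bytearray()))
    return packets

def decode_l2(frame):
    """Decode the Ethernet header and, if present, the 802.1Q tag."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None}
    if etype == 0x8100:                           # TPID announcing an 802.1Q tag
        tci, etype = struct.unpack_from("!HH", frame, 14)
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vlan=tci & 0x0FFF)
    info["ethertype"] = etype                     # 0x0800 IPv4, 0x0806 ARP
    return info

def summarize(text):  # (timestamp, decoded header) for frames long enough to hold a tag
    return [(s.split()[0], decode_l2(f)) for s, f in parse_trace(text) if len(f) >= 18]

if __name__ == "__main__":
    for ts, l2 in summarize(SAMPLE):
        print(ts, l2)
```

With a non-zero priority the 16-bit field no longer equals the VLAN number, which is why the VLAN ID is masked to its low 12 bits instead of being read as the whole field.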

2. Capturing traffic on a specific VLAN interface

To capture the traffic on a specific VLAN interface, use the same sniffer command as for physical interfaces. Note that the VLAN tag information is not displayed, whether or not a packet filter is used.

FGT # diagnose sniffer packet VLAN18 "" 3

0.963022 192.168.171.220 -> 192.168.182.106: icmp: echo request
0x0000 0009 0f30 29e4 0009 0f09 3204 0800 4500 ...0).....2...E.
0x0010 003c 992c 0000 7e01 bffc c0a8 abdc c0a8 .<.,..~.........
0x0020 b66a 0800 4554 0600 0208 6162 6364 6566 .j..ET....abcdef
0x0030 6768 696a 6b6c 6d6e 6f70 7172 7374 7576 ghijklmnopqrstuv
0x0040 7761 6263 6465 6667 6869 wabcdefghi

Related Articles

Troubleshooting Tool: Using the FortiOS built-in packet sniffer
Technical Note: How to create a VLAN tagged interface (802.1q) on a FortiGate - tagged/untagged traffic

Last Modified Date: 08-26-2013 Document ID: FD31323
