Fortigate packet capture to pcap file

In Fortinet Fortigate firewall appliance series we can use diagnose sniffer packet command to capture traffic in very similar way to tcpdump.

One of the things that are missing is the option to save or export the data into a file for future investigation; Fortinet has made a workaround for this issue by converting the console output into pcap file using small utility. 

In the following post I will explain how to capture, export and convert traffic from Fortigate FW to pcap file for Wireshark to process:

      1.       Login into the FGT appliance using terminal client (PuTTY or SecureCRT)

      

      2.       If the applicant configured with VDOMs enter the appropriate VDOM where you want to capture the traffic.

FGT# config vdom

FGT(vdom)#edit <VDOM_NAME>

      

      3.       Start logging the current session

3.1   In SecureCRT click File->Log Session, type a name and choose a place to save  the file:

3.2   In PuTTY, on the configuration screen, choose the following:

     4.       Back to the FGT appliance, run the command:

# diagnose sniffer packet <interface> <'filter'> <verbose> <count> a

For example:

# diagnose sniffer packet internal ‘host 192.168.10.1’ 4

Interface - any interface on the appliance or just use ‘any’ for all interfaces

Filter - much the same as with tcpdump/wireshark (see examples)

Verbose -verbose levels in detail:

1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

Note that a pcap file need at least verbose level 3

Count – the number of packets to collect before stop capture. This is optional and the capture can be always stopped with CTRL+C

A – This option displays absolute time stamps

Examples:

# diagnose sniffer packet any 'src host 192.168.10.1 and dst host  

  192.168.10.254' 4

# diagnose sniffer packet any 'icmp' 1

# diagnose sniffer packet any 'host 192.168.10.1 and tcp port 80' 6

Match TTL = 1
# diagnose sniffer packet port2 "ip[8:1] = 0x01"

Match Source IP address = 192.168.1.2:
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"

Match Source MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

Match Destination MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

Match ARP packets only
# diagnose sniffer packet internal "ether proto 0x0806"

TCP or UDP flags can be addressed using the following:

Match packets with RST flag set:
# diagnose sniffer packet internal "tcp[13] & 4 != 0"

Match packets with SYN flag set:
# diagnose sniffer packet internal "tcp[13] & 2 != 0"

Match packets with SYN-ACK flag set:
# diagnose sniffer packet internal "tcp[13] = 18"

      5.       Stop the logging session (SecureCRT or PuTTY)

      6.       Go to Fortinet site at URL: http://kb.fortinet.com/kb/documentLink.do?externalID=11186&languageId=

And download fgt2eth.pl or fgt2eth.zip utility according to your OS.

      7.       Extract the file fgt2eth.zip 

      8.       Copy the text file, captured using the logging session, into the folder where fgt2eth.exe file  has extracted to.

      9.       Open CMD and go to the folder and run the following command:

Fgt2eth.exe –in <LOG_FILE_NAME> -out <FILENAME.pcap>

      10.   After finishing you will have the pcap file in the utility folder.