in packet sniffer

Source: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11186&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=56212880&stateId=1%200%2056214119

Introduction

All FortiGate units have a powerful packet sniffer on board. If you know tcpdump you should feel comfortable using the FortiGate Sniffer.

See the related article "Packet capture (sniffer) tips" for additional sniffer tips.

Scope: All FortiOS
Note: other Fortinet appliances also provide a CLI sniffer: FortiAnalyzer, FortiMail, FortiManager.

                   DMZ
                    |
                    |
              +-----------+
----internal--| FortiGate |---external-----
              +-----------+

Sniffer Basics

The packet sniffer "sits" in the FortiGate and can sniff traffic on a specific interface or on all interfaces. There are six verbose levels: levels 1 to 3 control how much of each packet is shown (1 = headers only, 3 = the complete Ethernet frame), and levels 4 to 6 show the same information as 1 to 3 but additionally print the interface name and the direction of each packet.

Verbose levels in detail:

1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

This article walks through some examples and different levels of verbosity to show the different possibilities for debugging.

Basic sniffing command

All packet sniffing commands have the following form:

# diag sniffer packet <interface> <'filter'> <verbose> <count> a

Where...

<interface> can be an interface name or "any" for all interfaces.
<'filter'> is a very powerful filter expression, described in more detail below.
<verbose> is the level of verbosity as described above.
<count> is the number of packets the sniffer reads before stopping (0 = no limit).
a (introduced in release 3.0 MR6) prints an absolute time stamp for each packet.

Example 1: Simple Trace

Sniff 3 packets of all traffic with verbose level 4 on the internal interface:

# diag sniffer packet internal none 4 3
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918816 ack 1949135261
internal out 192.168.0.30.1144 -> 192.168.0.1.22: ack 2859918884

As you can see, we caught some packets in the middle of a conversation. Because 192.168.0.1 is using port 22 (printed as 192.168.0.1.22), these are most likely packets of a running SSH session. "none" means no filter is applied, "4" means verbose level 4 and "3" means capture 3 packets and stop.

Example 2: Simple Trace

Sniff 3 packets of all traffic with verbose level 4 on the internal interface:

# diag sniffer packet internal none 4 3
internal out 192.168.0.30.1156 -> 192.168.0.1.80: syn 2164883624
internal in 192.168.0.1.80 -> 192.168.0.30.1156: syn 3792179542 ack 2164883625
internal out 192.168.0.30.1156 -> 192.168.0.1.80: ack 3792179543

This time we caught something more interesting: a TCP session being set up. 192.168.0.30 sends a SYN to port 80 on 192.168.0.1 and gets a SYN-ACK back; the final ACK completes the 3-way handshake and the session is established.

With verbose level 4 we see a summary of source and destination IP address, source and destination port, the TCP flags and the corresponding TCP sequence and acknowledgement numbers.

If you don't enter a <count> value, the sniffer runs until you stop it with <CTRL C>.

Hint: for further investigation it is always a good idea to log the output to a file. If you use PuTTY (a free SSH client for Windows) you can log all output to a file that you can then search, sort or process.
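Processing such a logged trace is where a script pays off. The following Python script is an added example (not from the Fortinet article): it replays verbose 1/4 summary lines of the form shown in Examples 1 and 2 and reports, per connection, whether the three-way handshake completed, checking that the SYN-ACK acknowledges the client's initial sequence number plus one and that the final ACK acknowledges the server's. The sample trace is constructed from Example 2 plus two connections that never complete; it only understands the 'syn <seq>', 'syn <seq> ack <ack>' and 'ack <ack>' summary forms seen on this page.

```python
"""Replay a logged FortiGate sniffer trace and report which TCP handshakes completed.

Added example, not from the Fortinet article. It reads the verbose 1/4 summary lines
the sniffer prints (interface and direction are optional) and only understands the
'syn <seq>', 'syn <seq> ack <ack>' and 'ack <ack>' forms shown in the article.
"""
import re

# Constructed sample: Example 2 from the article plus two connections that never complete.
SAMPLE_TRACE = """
internal out 192.168.0.30.1156 -> 192.168.0.1.80: syn 2164883624
internal in 192.168.0.1.80 -> 192.168.0.30.1156: syn 3792179542 ack 2164883625
internal out 192.168.0.30.1156 -> 192.168.0.1.80: ack 3792179543
internal out 192.168.0.30.1157 -> 192.168.0.1.23: syn 1802541497
internal in 192.168.0.1.23 -> 192.168.0.30.1157: syn 4238146022 ack 1802541498
internal out 192.168.0.30.1158 -> 192.168.0.1.22: syn 2859918763
internal out 192.168.0.30.1035 -> 192.168.0.1.53: udp 42
internal out 192.168.0.30 -> 192.168.0.1: icmp: echo request
"""

LINE_RE = re.compile(
    r"^(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<tail>.*)$")


def handshake_states(trace: str) -> dict:
    """Map (client, cport, server, sport) to SYN_SENT, SYN_RECEIVED or ESTABLISHED."""
    flows = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ICMP, ARP and anything else without ports
        flags = set(re.findall(r"\b(syn|ack|psh|fin|rst)\b", m["tail"]))
        nums = [int(n) for n in re.findall(r"\d+", m["tail"])]
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rkey = (key[2], key[3], key[0], key[1])  # same flow seen from the server side
        if flags == {"syn"}:  # client SYN: the number printed is its initial sequence number
            flows[key] = {"state": "SYN_SENT", "client_isn": nums[0]}
        elif flags == {"syn", "ack"} and flows.get(rkey, {}).get("state") == "SYN_SENT":
            if nums[1] == flows[rkey]["client_isn"] + 1:  # SYN-ACK must acknowledge ISN+1
                flows[rkey].update(state="SYN_RECEIVED", server_isn=nums[0])
        elif flags == {"ack"} and flows.get(key, {}).get("state") == "SYN_RECEIVED":
            if nums[0] == flows[key]["server_isn"] + 1:  # final ACK completes the handshake
                flows[key]["state"] = "ESTABLISHED"
    return flows


def incomplete(flows: dict) -> list:
    """Flows that never reached ESTABLISHED: half-open connections or replies the filter hid."""
    return sorted(k for k, v in flows.items() if v["state"] != "ESTABLISHED")


if __name__ == "__main__":
    for flow, info in handshake_states(SAMPLE_TRACE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {info['state']}")
```

Feed it the PuTTY log instead of SAMPLE_TRACE to see which connections through the FortiGate stalled at SYN (no reply, typically a policy or routing problem) and which stalled at SYN-ACK (reply sent but never acknowledged, typically an asymmetric-routing or return-path problem). Remember that a one-directional filter such as 'src host A and dst host B' hides the replies, so every flow will then look half-open.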

Verbose 5 and Verbose 6 levels:

Verbose 5 contains much more information:

1. The summary line as already seen in verbose 4
2. A hex and ASCII dump of the entire IP packet (IP header and payload)

An Output of Verbose 5 looks like this:

# diag sniffer packet internal none 5 1
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2867817048 ack 1951061933

0x0000 4510 005c 8eb1 4000 4006 2a6b c0a8 0001 E..\..@.@.*k....
0x0010 c0a8 001e 0016 0478 aaef 6a58 744a d7ad .......x..jXtJ..
0x0020 5018 0b5c 8ab9 0000 9819 880b f465 62a8 P..\.........eb.
0x0030 3eaf 3804 3fee 2555 8deb 24da dd0d c684 >.8.?.%U..$.....
0x0040 08a9 7907 202d 5898 a85c facb 8c0a f9e5 ..y..-X..\......
0x0050 bd9c b649 5318 7fc5 c415 5a59 ...IS.....ZY

Notice the in/out keyword after the interface name: it gives the direction of the packet, entering or leaving that interface.

Verbose 6, finally, also includes the Ethernet frame header. A script, fgt2eth.pl, converts captured verbose 6 output into a file that Ethereal/Wireshark can read and decode. See the end of this article for details.

With the absolute time stamp option, each packet summary is prefixed with the absolute system time (no time zone):

# diag sniffer packet internal none 4 2 a

2010-06-02 10:23:17.170751 port1 out arp who-has 192.168.1.110 tell 192.168.1.103
2010-06-02 10:23:19.077409 port1 in arp who-has 192.168.1.120 tell 192.168.1.2

Hint: below is the format Technical Support usually requests when analyzing a problem. It includes the full packet content as well as absolute time stamps, so that packets can be correlated with other system events:

# diag sniffer packet any <'filter'> 6 0 a

Filter Functionality

As already mentioned, diag sniffer includes a powerful filter functionality, described here.

FortiOS tells us:

<filter> filter for sniffer
Syntax: '[[src|dst] host<IP1>] [[src|dst] host<IP2>] [[arp|ip|gre|esp|udp|tcp] [port_no]] [[arp|ip|gre|esp|udp|tcp] [port_no]]'

If a second host is specified, only the traffic between the two hosts is displayed.

<filter> flexible logical filters for sniffer (or "none").
For example: To print udp 1812 traffic between forti1 and either forti2 or forti3
'udp and port 1812 and host forti1 and (forti2 or forti3)'

Imagine you only want to sniff the traffic from one PC to another PC. Without a filter the sniffer displays all packets, which is far too much and painful to debug.

Example 3: Trace with Filters

To see what's going on between two PCs (or a PC and a FortiGate), filter on the two hosts (don't forget to put the filter expression in single quotes ' '):

# diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1' 1

192.168.0.130.3426 -> 192.168.0.1.80: syn 1325244087
192.168.0.130.3426 -> 192.168.0.1.80: ack 3483111190
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244088 ack 3483111190
192.168.0.130.1035 -> 192.168.0.1.53: udp 26
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130.1035 -> 192.168.0.1.53: udp 42
192.168.0.130 -> 192.168.0.1: icmp: echo request
192.168.0.130.3426 -> 192.168.0.1.80: psh 1325244686 ack 3483111190
192.168.0.130 -> 192.168.0.1: icmp: echo request

Assuming there is a lot of traffic on the wire, this filter displays only (but all) traffic from source 192.168.0.130 to destination 192.168.0.1. It will NOT show traffic back to 192.168.0.130 (for example the ICMP reply), because the filter says 'src host 192.168.0.130 and dst host 192.168.0.1'.

As you can see, we also captured other things such as ICMP and DNS queries from the PC. If we are only interested in a specific type of traffic (say TCP only), we change the filter slightly:

# diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1 and tcp' 1

192.168.0.130.3569 -> 192.168.0.1.23: syn 1802541497
192.168.0.1.23 -> 192.168.0.130.3569: syn 4238146022 ack 1802541498
192.168.0.130.3569 -> 192.168.0.1.23: ack 4238146023

Although ICMP (ping) was also running, the trace only shows the TCP part. The destination is 192.168.0.1.23, i.e. IP 192.168.0.1 on port 23, so we caught a Telnet session to 192.168.0.1 right during its initial setup.

The same for both directions, this time restricted to ICMP:

# diag sniffer packet internal 'host 192.168.0.130 and icmp' 1

192.168.0.130 -> 192.168.0.1: icmp: echo request
192.168.0.1 -> 192.168.0.130: icmp: echo reply

In this example we sniff ICMP only, to and from 192.168.0.130.

Another useful feature is logical combination. Let us assume you want to sniff ICMP and TCP only (but not UDP, ARP, etc.). You can combine protocols like this:

# diag sniffer packet internal 'host 192.168.0.130 and (icmp or tcp)' 1

This sniff displays all TCP or ICMP traffic to and from host 192.168.0.130, at verbose level 1.

Now we limit the sniffer even more: we want to sniff traffic between 2 hosts, but only TCP and only port 80.

# diag sniffer packet internal 'host 192.168.0.130 and 192.168.0.1 and tcp port 80' 1

192.168.0.130.3625 -> 192.168.0.1.80: syn 2057246590
192.168.0.1.80 -> 192.168.0.130.3625: syn 3291168205 ack 2057246591
192.168.0.130.3625 -> 192.168.0.1.80: ack 3291168206
192.168.0.130.3625 -> 192.168.0.1.80: psh 2057246591 ack 3291168206
192.168.0.1.80 -> 192.168.0.130.3625: ack 2057247265

A logical "and" between 192.168.0.130 and 192.168.0.1 means that only packets containing both host addresses are shown.

Even if Telnet and SSH are running between the two hosts, we only see TCP traffic on port 80.

Filters can also match on packet content by byte offset: <proto>[offset:length] reads 'length' bytes starting 'offset' bytes (decimal) into that protocol's header, and the value is compared in hexadecimal. ether offsets count from the start of the Ethernet frame, ip offsets from the start of the IP header and tcp offsets from the start of the TCP header (so ether[26:4] is the IP source address: 14 bytes of Ethernet header plus 12 bytes into the IP header).

Match TTL = 1
# diagnose sniffer packet port2 "ip[8:1] = 0x01"

Match Source IP address = 192.168.1.2:
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"

Match Source MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

Match Destination MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"

Match ARP packets only
# diagnose sniffer packet internal "ether proto 0x0806"

TCP flags live in byte 13 of the TCP header (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32), so they can be matched with a bitmask:

Match packets with RST flag set:
# diagnose sniffer packet internal "tcp[13] & 4 != 0"

Match packets with SYN flag set:
# diagnose sniffer packet internal "tcp[13] & 2 != 0"

Match packets with exactly SYN and ACK set (2 + 16 = 18):
# diagnose sniffer packet internal "tcp[13] = 18"

Also attached is the fgt2eth.pl script, which converts verbose level 3 or 6 sniffer output into a file that Ethereal/Wireshark can read and decode.

The fgt2eth.exe file is also attached to this article; it is outdated and not supported, but may provide some guidance.


Note: the attached script is provided "as is" and is not supported by Technical Support.

$ ./fgt2eth.pl
Version : Dec 19 2014
Usage : fgt2eth.pl -in <input_file_name>

Mandatory arguments are :
-in  <input_file>     Specify the file to convert (FGT verbose 3 text file)

Optional arguments are :
-help                 Display help only
-version              Display script version and date
-out <output_file>    Specify the output file (Ethereal readable)
                      By default <input_file>.pcap is used
                      "-" will start wireshark for realtime follow-up
-lines <lines>        Only convert the first <lines> lines
-demux                Create one pcap file per interface (verbose 6 only)
-debug                Turns on debug mode
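The following Python script is an added example, not Fortinet's fgt2eth.pl, that does the same job on a small scale and at the same time shows what the byte-offset filters above actually read. It parses the summary and hex-dump lines of verbose 3/5/6 output, exposes a byte_field() accessor with the same ether[]/ip[]/tcp[] offset semantics as the sniffer filter syntax, decodes the IPv4/TCP fields so that they can be compared with the summary line, and writes a pcap file. SAMPLE_V5 is the verbose 5 dump printed earlier in this article; SAMPLE_V6 is a constructed verbose 6 SYN-ACK frame (zeroed checksums, addresses and MAC borrowed from the article's examples). Assumptions: IPv4 only, verbose 3/6 dumps start at the Ethernet header and verbose 2/5 dumps at the IP header, and the absolute time stamps (which carry no zone) are interpreted as UTC.

```python
"""Decode FortiGate 'diag sniffer packet' hex dumps and write them to a pcap file.
Added example, not Fortinet's fgt2eth.pl. Assumes IPv4; verbose 3/6 dumps start at the
Ethernet header, verbose 2/5 at the IP header; 'a' time stamps are treated as UTC."""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

LINK_ETHER, LINK_RAW_IP = 1, 101  # pcap link types for verbose 3/6 and verbose 2/5 dumps

# Constructed samples. SAMPLE_V5 is the verbose-5 dump printed in the article (IP header
# onward). SAMPLE_V6 is a hand-built verbose-6 SYN-ACK (Ethernet + IPv4 + TCP, zeroed
# checksums) reusing the article's MAC and addresses.
SAMPLE_V5 = r"""
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2867817048 ack 1951061933
0x0000 4510 005c 8eb1 4000 4006 2a6b c0a8 0001 E..\..@.@.*k....
0x0010 c0a8 001e 0016 0478 aaef 6a58 744a d7ad .......x..jXtJ..
0x0020 5018 0b5c 8ab9 0000 9819 880b f465 62a8 P..\.........eb.
0x0030 3eaf 3804 3fee 2555 8deb 24da dd0d c684 >.8.?.%U..$.....
0x0040 08a9 7907 202d 5898 a85c facb 8c0a f9e5 ..y..-X..\......
0x0050 bd9c b649 5318 7fc5 c415 5a59 ...IS.....ZY
"""
SAMPLE_V6 = r"""
2010-06-02 10:23:19.077409 internal in 192.168.0.1.80 -> 192.168.0.130.3625: syn 3291168205 ack 2057246591
0x0000 0009 0f89 10ea 0011 2233 4455 0800 4500 ........"3DU..E.
0x0010 0028 0001 4000 4006 0000 c0a8 0001 c0a8 .(..@.@.........
0x0020 0082 0050 0e29 c42b 3dcd 7a9f 177f 5012 ...P.).+=.z...P.
0x0030 16d0 0000 0000 ......
"""

SUMMARY_RE = re.compile(r"^(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+)?"
                        r"(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?(?P<rest>.+)$")
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{4}(?:\s+|$)){1,8})")
TCP_FLAGS = {0x01: "fin", 0x02: "syn", 0x04: "rst", 0x08: "psh", 0x10: "ack", 0x20: "urg"}

@dataclass
class Packet:
    summary: str
    iface: str | None
    direction: str | None
    ts: float  # seconds since the epoch, 0.0 when the capture was taken without 'a'
    data: bytes

def parse_sniffer(text: str) -> list[Packet]:
    """Group every summary line with the hex-dump lines that follow it."""
    packets: list[Packet] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        h = HEX_RE.match(line)
        if h:
            pkt = packets[-1]  # IndexError if a dump precedes any summary line
            if int(h.group(1), 16) != len(pkt.data):  # dump lines must be contiguous
                raise ValueError(f"offset gap in dump of {pkt.summary!r}")
            pkt.data += bytes.fromhex("".join(h.group(2).split()))
            continue
        s = SUMMARY_RE.match(line)
        ts = (datetime.strptime(s["ts"], "%Y-%m-%d %H:%M:%S.%f")
              .replace(tzinfo=timezone.utc).timestamp()) if s["ts"] else 0.0
        packets.append(Packet(s["rest"], s["iface"], s["dir"], ts, b""))
    return packets

def byte_field(data: bytes, base: str, off: int, length: int = 1,
               linktype: int = LINK_ETHER) -> int:
    """Read <base>[off:length] as a big-endian int, as the sniffer's offset filters do."""
    ip_start = 14 if linktype == LINK_ETHER else 0
    ihl = (data[ip_start] & 0x0F) * 4  # IPv4 header length, so tcp[0] lands on the source port
    starts = {"ip": ip_start, "tcp": ip_start + ihl, "udp": ip_start + ihl}
    if linktype == LINK_ETHER:
        starts["ether"] = 0  # 'ether' offsets are meaningless on an IP-only (verbose 5) dump
    start = starts[base] + off
    return int.from_bytes(data[start:start + length], "big")

def decode_tcp(data: bytes, linktype: int = LINK_ETHER) -> dict:
    """Decode the IPv4/TCP fields that the sniffer prints in its summary line."""
    bf = lambda base, off, n=1: byte_field(data, base, off, n, linktype)
    if bf("ip", 0) >> 4 != 4 or bf("ip", 9) != 6:
        raise ValueError("not an IPv4/TCP packet")
    addr = lambda off: ".".join(str(b) for b in bf("ip", off, 4).to_bytes(4, "big"))
    flags = bf("tcp", 13)
    return {"src": addr(12), "dst": addr(16), "ttl": bf("ip", 8),
            "sport": bf("tcp", 0, 2), "dport": bf("tcp", 2, 2),
            "seq": bf("tcp", 4, 4), "ack": bf("tcp", 8, 4), "flags": flags,
            "flag_names": [name for bit, name in TCP_FLAGS.items() if flags & bit]}

def to_pcap(packets: list[Packet], linktype: int) -> bytes:
    """Serialise packets as a classic little-endian pcap that Wireshark opens directly."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for p in packets:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p.data), len(p.data)) + p.data
    return bytes(out)
```

Usage on a logged capture: `open("trace.pcap", "wb").write(to_pcap(parse_sniffer(open("trace.txt").read()), LINK_ETHER))` for verbose 3/6 output, or LINK_RAW_IP for verbose 2/5 output, which has no Ethernet header and therefore no ether[] fields. Decoding SAMPLE_V5 reproduces the summary line's numbers exactly (port 22 to 1144, seq 2867817048, ack 1951061933, flags psh+ack), and on SAMPLE_V6 byte_field() returns 0x00090f89/0x10ea for ether[0:4]/ether[4:2], 0xc0a80001 for ether[26:4] and 18 for tcp[13], which is how the offset filters in the previous section resolve against a real frame. Unlike fgt2eth.pl, this does not demux per interface; add a filter on Packet.iface before calling to_pcap() if you need one file per interface.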

Related Articles
Troubleshooting Tip: Packet capture (CLI sniffer) best practice
Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate with sniffer, debug flow, session list, routing table
Troubleshooting Tip: Using the FortiGate sniffer on VLAN interfaces
Technical Note : How To Troubleshoot Wireless Station Connection Issues on the FortiAP
Technical Note: Packet capture buffer limit 
Attachments
explanation_on_how_to_packet_capture_for_only_certain_TCP_flags_v2.txt
fgt2eth.exe
fgt2eth.pl
