# FortiOS packet sniffer builder

> Build a FortiGate diagnose sniffer packet command from parts, or paste one to have every argument explained: interface, filter, verbosity 1-6, count, and timestamp format.

- Tool: https://ronutz.com/en/tools/fortios-sniffer-builder
- Family: Networking

---

## What it does

Build a FortiGate `diagnose sniffer packet` command from its parts, or paste an existing command to have every argument explained, all without touching a device. The built-in FortiOS sniffer is the first tool most people reach for when a packet is not arriving where it should, and its command line packs five positional arguments into one line. This tool composes that line for you and reads it back argument by argument. It runs entirely in your browser and is grounded in Fortinet's own sniffer documentation and CLI reference.

## Building a command

Pick an interface (or `any` for all of them), optionally a host, a port, and a protocol, then a verbosity level, a packet count, and a timestamp format. The tool assembles the exact command:

```
diagnose sniffer packet <interface> <'filter'> <verbose> <count> <tsformat>
```

The filter you build is shown in single quotes, the way FortiOS expects a multi-word BPF-style expression, and a `host` plus a `proto` are joined with `and`. When no filter parts are set, the bare word `none` is used, which captures everything on the interface. Each argument is explained beside the command, and the common traps are flagged as you build.

## Decoding a command

Paste a command such as `diagnose sniffer packet any 'host 10.1.1.1 and tcp port 443' 4 0 l` and each of the five arguments is read back: the interface (and whether `any` means a Linux cooked capture that hides the real Ethernet header), the filter and what it matches, the verbosity level and exactly what it prints, the packet count, and the timestamp format. The abbreviated `diag sniff packet` form is accepted too, and a command with the trailing count or timestamp omitted still decodes, because those arguments are optional on the device.

## Verbosity, timestamps, and the traps

FortiOS verbosity runs 1 to 6. Levels 1 to 3 add progressively more of the packet (headers, then IP payload, then the full Ethernet frame); levels 4 to 6 do the same but additionally print the interface name each packet used, which is what you want with `any`. The full Ethernet-level output (verbose 3 or 6) can be converted to a `.pcap` for Wireshark with Fortinet's `fgt2eth.pl` script. The timestamp argument is `a` for absolute UTC, `l` for absolute local time, or omitted for a relative time since the sniff started; the tool warns that a relative timestamp cannot be correlated across parallel captures. It also flags the two classic reasons a sniff shows nothing: VLAN tags are stripped on `any` and VLAN interfaces at high verbosity, and hardware-offloaded (NP/SoC) sessions bypass the kernel sniffer entirely, so you may need `set auto-asic-offload disable` in the matching firewall policy while troubleshooting.

## Scope and grounding

This composes and explains command text; it never runs a sniffer, opens a socket, or fetches anything, and the same input always produces the same output. It models the command grammar and the documented verbosity and timestamp semantics; it does not capture or parse live packets. Every fact comes from Fortinet's FortiGate Administration Guide section on performing a sniffer trace, the FortiOS CLI reference for `diagnose sniffer packet`, and Fortinet's community troubleshooting guidance. Nothing you enter or paste leaves the page.

## Standards and references

- [Fortinet FortiGate Administration Guide: Performing a sniffer trace or packet capture (diagnose sniffer packet syntax; interface/filter/verbose/count/timestamp; 'any' interface; fgt2eth.pl for pcap)](https://docs.fortinet.com/document/fortigate/latest/administration-guide/680228/performing-a-sniffer-trace-cli-and-packet-capture)
- [Fortinet FortiOS CLI Reference: diagnose sniffer packet (verbosity levels 1-6 and what each prints; the a/l timestamp codes; packet count)](https://help.fortinet.com/fa/cli-olh/5-6-1/Document/1600_diagnose/sniffer.htm)
- [Fortinet Community: Using the FortiOS built-in packet sniffer for capturing packets (worked examples; filter expressions; VLAN-tag and 'any'/cooked-capture notes; auto-asic-offload caveat)](https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sniffer/ta-p/194222)

## Related reading

- [Reading a FortiGate Packet Sniffer Trace](https://ronutz.com/en/learn/reading-a-fortigate-sniffer-trace.md): The FortiGate diagnose sniffer packet command packs five positional arguments into one line: interface, filter, verbosity, count, and timestamp format. This explains what each argument does, what the six verbosity levels actually print, why a capture sometimes shows nothing (VLAN-tag stripping and hardware offload), and how to turn the output into a pcap for Wireshark.
