FortiOS packet sniffer builder

Build a FortiGate diagnose sniffer packet command from parts, or paste one to have every argument explained: interface, filter, verbosity 1-6, count, and timestamp format.

Networking

Runs locally in your browser. Nothing you enter or paste leaves this page.

Command
diagnose sniffer packet any none 4 0 l
Notes
  • On the 'any' interface (and on VLAN interfaces), the VLAN tag is stripped from the output at verbose 3/6. To capture the VLAN tag, run the sniffer on the underlying physical interface and match on the tag, e.g. "ether[14:2]=0x00db" for VLAN 219.
  • If expected packets never appear, the session may be hardware-offloaded (NP/SoC). The kernel sniffer cannot see offloaded sessions; temporarily set 'set auto-asic-offload disable' in the matching firewall policy while troubleshooting.
  • An unlimited, unfiltered capture over SSH can flood your own session with the very traffic your SSH connection generates. Add a filter (or exclude 'not port 22') and/or a packet count.
Argument breakdown
interfaceany

Capture on all interfaces. Note that on 'any' the link layer is Linux cooked capture (SLL), not Ethernet, so the real Ethernet header and any VLAN tag are not shown.

filternone

No filter: every packet on the interface is captured. Because it is unfiltered, expect a lot of output; add host/port/proto to narrow it.

verbose4

Verbosity 4: print header of packets with interface name. Interface names are shown (verbose 4-6).

count0

Packet count 0 means capture until you stop it with Ctrl+C. Set a number to auto-stop after that many packets.

timestampl

absolute local timestamp: yyyy-mm-dd hh:mm:ss.ms in the FortiGate's local time. Also safe for parallel captures.

API endpointGEThttps://ronutz.com/api/v1/fortios-sniffer-builderDocumented, not served. Opens the specification.

References