Last active February 17, 2024 13:46
fortigate sniff packet cheat sheet
#=====================================================================
# diagnose sniffer packet vs diag debug flow filter
# diagnose sniffer packet checks whether the packet reaches the FortiGate at all
# diag debug flow filter checks how the packet is handled inside the FortiGate
diagnose debug flow #trace per-packet operations for flow tracing
diagnose sniffer packet #trace per-Ethernet frame
#=====================================================================
#WEB GUI v7.2.3
Network > Diagnostics > Packet Capture
Network > Diagnostics > Packet Capture - Advanced - Filter
"src host 192.168.10.1 and dst host 10.10.4.41 and port (80 or 443 or 8080)"
#=====================================================================
#If you encounter a different protocol number, you can refer to the IANA Protocol Numbers registry
Assigned Internet Protocol Numbers
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
# IP protocol numbers (the value matched by 'proto N' in a sniffer filter):
1 ICMP Internet Control Message Protocol, used for network diagnostics and error messages.
6 TCP Transmission Control Protocol, used for reliable data transfer with connection establishment and teardown.
17 UDP User Datagram Protocol, used for connectionless data transfer without guaranteed delivery.
41 IPv6 (Internet Protocol version 6)
47 GRE Generic Routing Encapsulation, used for tunneling other protocols.
50 ESP Encapsulating Security Payload, used for secure communication in IPsec tunnels.
58 ICMPv6 (Internet Control Message Protocol version 6)
# TCP/UDP port numbers (matched by 'port N'; these are not IP protocol numbers):
80 HTTP Hypertext Transfer Protocol, used for web browsing and accessing web servers.
443 HTTPS Secure HTTP, encrypted version of HTTP used for secure web communication.
53 DNS Domain Name System, used for resolving hostnames to IP addresses.
22 SSH Secure Shell, used for secure remote access to a server.
25 SMTP Simple Mail Transfer Protocol, used for sending email.
#=====================================================================
# Convert a saved Fortigate sniffer capture (text output, verbose level 6) to a Wireshark capture
Fgt2eth.exe -in <LOG_FILE_NAME> -out <FILENAME.pcap>
#=====================================================================
# diagnose sniffer packet <interface> '<filter>' <level> <count> <tsformat>
#   level: 1 header only, 2 header + IP data, 3 header + Ethernet data,
#          4 header + interface name, 5 header + IP data + interface name, 6 header + Ethernet data + interface name
#   count: 0 = capture until Ctrl-C; tsformat: a = absolute UTC time, l = absolute local time, omitted = relative
# diagnose sniffer packet any
# diagnose sniffer packet any '' 4
# diagnose sniffer packet any 'none' 4 10 a
# diagnose sniffer packet any 'icmp' 1
# diagnose sniffer packet any 'udp and port 53' 4 3 a
# diagnose sniffer packet any 'src host 8.8.8.8 and dst host 10.10.4.41' 4 3 a
# diagnose sniffer packet any 'src host 192.168.10.1 and dst host 192.168.10.254' 4
# diagnose sniffer packet any 'src host 10.10.4.41 and tcp and port 443' 4 3 a
# diagnose sniffer packet any 'host 192.168.10.1 and tcp port 80' 6
# diagnose sniffer packet any 'host 10.10.4.41 and icmp' 4 6 a
diagnose sniffer packet any 'icmp' 5
# information included in the sniffer output at verbose level 5:
#   Interface name
#   IP header
#   Packet payload
# v7.2.3
# diagnose sniffer packet any "src host 192.168.10.1 and dst host 10.10.4.41 and port (80 or 443 or 8080)" 6 0 l
Match TTL = 1
# diagnose sniffer packet port2 "ip[8:1] = 0x01"
Match Source IP address = 192.168.1.2
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"
Match Source MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"
Match Destination MAC = 00:09:0f:89:10:ea
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"
Match ARP packets only
# diagnose sniffer packet internal "ether proto 0x0806"
Match packets with RST flag set
# diagnose sniffer packet internal "tcp[13] & 4 != 0"
Match packets with SYN flag set
# diagnose sniffer packet internal "tcp[13] & 2 != 0"
Match packets with SYN-ACK flag set
# diagnose sniffer packet internal "tcp[13] = 18"
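To see concretely what those byte-offset filters select, here is an added Python check (not from the gist) that builds two constructed Ethernet/IPv4/TCP frames and evaluates each filter expression from the list above the way a BPF-style matcher reads it: ether[n] counts from the start of the frame, ip[n] from the IPv4 header and tcp[n] from the TCP header, so ether[26:4] lands on the IPv4 source address (14 + 12) and tcp[13] on the TCP flags byte. The MAC 00:09:0f:89:10:ea and IP 192.168.1.2 come from the cheat sheet; the other addresses are made up.

```python
"""Check what the byte-offset sniffer filters above actually select (added example, not gist code).
The frames are constructed here; offsets follow the tcpdump/BPF convention the FortiGate sniffer uses:
ether[n] counts from the Ethernet header, ip[n] from the IPv4 header, tcp[n] from the TCP header."""
import struct

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip4(s):
    return bytes(int(o) for o in s.split("."))

def build_frame(dst_mac, src_mac, ethertype, src_ip, dst_ip, ttl, tcp_flags):
    """Ethernet + minimal IPv4 + minimal TCP header; checksums stay 0 (the filters never read them)."""
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + ip + tcp

def field(frame, layer, off, n=1):
    """Value of layer[off:n] as the filter reads it: n bytes at off within the layer, big-endian."""
    base = {"ether": 0, "ip": 14, "tcp": 14 + (frame[14] & 0x0F) * 4}[layer]
    return int.from_bytes(frame[base + off:base + off + n], "big")

def evaluate_filters(frame):
    """Each key is a filter from the cheat sheet; the value is whether it matches this frame."""
    return {
        'ip[8:1] = 0x01': field(frame, "ip", 8) == 0x01,                       # byte 8 of IPv4 = TTL
        'ether[26:4]=0xc0a80102': field(frame, "ether", 26, 4) == 0xC0A80102,   # 14 + 12 = IPv4 source
        'ether[6:4]=0x00090f89 and ether[10:2]=0x10ea': field(frame, "ether", 6, 4) == 0x00090F89 and field(frame, "ether", 10, 2) == 0x10EA,
        'ether[0:4]=0x00090f89 and ether[4:2]=0x10ea': field(frame, "ether", 0, 4) == 0x00090F89 and field(frame, "ether", 4, 2) == 0x10EA,
        'ether proto 0x0806': field(frame, "ether", 12, 2) == 0x0806,           # EtherType field
        'tcp[13] & 4 != 0': field(frame, "tcp", 13) & 4 != 0,                  # RST bit
        'tcp[13] & 2 != 0': field(frame, "tcp", 13) & 2 != 0,                  # SYN bit
        'tcp[13] = 18': field(frame, "tcp", 13) == 18,                         # SYN (2) + ACK (16)
    }

# Constructed frames: a SYN from 192.168.1.2 (TTL 1) sent by 00:09:0f:89:10:ea, and the SYN-ACK back to it
SYN = build_frame("00:0c:29:aa:bb:cc", "00:09:0f:89:10:ea", 0x0800, "192.168.1.2", "10.0.0.5", 1, 0x02)
SYN_ACK = build_frame("00:09:0f:89:10:ea", "00:0c:29:aa:bb:cc", 0x0800, "10.0.0.5", "192.168.1.2", 64, 0x12)
```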
#Normally verbose level 4 is used, but its output is not convertible to PCAP (no Ethernet data)
diagnose sniffer packet any 'host 172.16.33.67 and host 186.76.159.194' 4 0
#verbose level 6 output can be CONVERTED to a PCAP
diagnose sniffer packet any 'host 172.16.33.67 and host 186.76.159.194' 6 0
diagnose sniffer packet any "host 10.200.1.10 and host 10.200.2.10" 4
diagnose sniffer packet any "host 10.200.2.11 and icmp" 4
diag sniff packet any 'host 8.8.8.8 and icmp' 6 0
#=====================================================================
diagnose sniffer packet any 'proto 89' 4 #Trace / Sniff for OSPF packets
diagnose sniffer packet any "(host <PC1> and host <PC2>) and icmp" 4
diagnose sniffer packet any "host <PC1> and host <PC2>" 4
#=====================================================================
Here's how to determine the Ethernet header in the output of the diagnose sniffer packet any "icmp" 5 command:
1. Locate the hexadecimal values at the beginning:
   The Ethernet header is typically the first 14 bytes (0x0000 to 0x000E) in the output.
   It's composed of hexadecimal values that represent various fields.
2. Identify MAC addresses:
   Look for pairs of hex values that resemble MAC addresses, such as 88d0 5643 or 90d0 5643.
   MAC addresses are 6 bytes long and are essential for physical addressing on Ethernet networks.
3. Check for EtherType:
   The EtherType field (2 bytes) follows the MAC addresses and indicates the type of data encapsulated in the frame.
   Common examples:
     0x0800 for IPv4
     0x0806 for ARP
     0x86DD for IPv6
   Example from the output:
     4500 0054 8707 4000 4001 9888 0a00 010a // IP header starts here
     0808 0808 0800 88d0 5643 0001 6e00 d062
   Ethernet header: 0808 0808 0800 88d0 5643 0001 6e00
   Destination MAC: 0808 0808 0800
   Source MAC: 88d0 5643 0001
   EtherType: 6e00 (likely a proprietary protocol)
4. Consider the number of bytes captured:
   The diagnose sniffer packet any "icmp" 5 command only captures the first 54 bytes of each packet.
   This typically includes the Ethernet header, but not the full payload.
5. Look for patterns:
   Ethernet headers have a consistent structure, so familiarizing yourself with the typical layout can help you identify them quickly.
Additional tips:
   Use filters or options: If available, use filters or options to capture the full header or specific fields.
   Consult documentation: Refer to the documentation for the specific sniffer tool for more details on its output format and header presentation.
#====================================================================
An administrator is running a sniffer command as shown below.
Local-FortiGate # diagnose sniffer packet any "icmp" 5
Using Original Sniffing Mode
interfaces=[any]
filters=[icmp]
10.207548 port3 in 10.0.1.10 -> 8.8.8.8: icmp: echo request
0x0000   4500 0054 8707 4000 4001 9888 0a00 010a   E..T..@.@.......
0x0010   0808 0808 0800 88d0 5643 0001 6e00 d062   ........VC..n..b
0x0020   0000 0000 11b5 0a00 0000 0000 1011 1213   ................
0x0030   1415 1617 1819 1a1b 1c1d 1e1f 2021 2223   ............ !"#
0x0040   2425 2627 2829 2a2b 2c2d 2e2f 3031 3233   $%&'()*+,-./0123
0x0050   3435 3637                                 4567
Here are the first 14 bytes in the output, representing the Ethernet header:
0x0000 0808 0808 0800 88d0 5643 0001 6e00
Breakdown:
Destination MAC Address (6 bytes): 0808 0808 0800
Source MAC Address (6 bytes): 88d0 5643 0001
EtherType (2 bytes): 6e00 (proprietary protocol)
Explanation:
The Ethernet header is typically the first part of a packet captured on an Ethernet network.
It contains essential information for physical addressing and frame delivery.
In this output, the first 14 bytes directly correspond to the Ethernet header fields.
The remaining bytes captured in this output belong to higher-level protocols, such as IP and ICMP.
The first 14 bytes (0x0000 to 0x000E) of the provided output represent the Ethernet header. Here's the breakdown:
0x0000 4500 0054 8707 4000 4001 9888 0a00 010a
4500: IPv4 protocol identifier
0054: Total packet length (84 bytes)
8707: Identification field for reassembling fragmented packets
4000: Flags (Don't Fragment and More Fragments flags, not set in this case)
4001: Time to Live (TTL)
9888: Source IP address (10.0.1.10)
0a00: Destination IP address (8.8.8.8)
These values constitute the Ethernet header, providing information such as packet length, identification, TTL, source and destination IP addresses, among other details.
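As an added example (not part of the gist), the following Python decodes the verbose-5 dump above offline. Verbose level 5 prints IP-level data with no Ethernet header, so the decoder treats offset 0x0000 as the start of the IPv4 header (the line the walkthrough marks "IP header starts here"), verifies the IPv4 and ICMP checksums with the RFC 1071 one's-complement sum, and trims to the IP total length so the ASCII column of the last dump line ("4567") is not mistaken for hex. The sample dump is the capture shown above, embedded as a constructed string.

```python
"""Decode a FortiGate 'diagnose sniffer packet ... 5' hex dump offline (added example, not gist code)."""
import ipaddress, struct
# Constructed sample: the echo-request dump from the gist (verbose 5 = IP data, no Ethernet header)
SAMPLE = """\
0x0000 4500 0054 8707 4000 4001 9888 0a00 010a  E..T..@.@.......
0x0010 0808 0808 0800 88d0 5643 0001 6e00 d062  ........VC..n..b
0x0020 0000 0000 11b5 0a00 0000 0000 1011 1213  ................
0x0030 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  ............ !"#
0x0040 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
0x0050 3435 3637  4567
"""

def dump_to_bytes(text):
    """Join the hex words of every 0xNNNN line (8 per line at most). The ASCII column can itself
    look like hex ('4567' on the last line is the text of bytes 34 35 36 37), so trim to the IP length."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        words = []
        for tok in tokens[1:9]:
            if len(tok) != 4 or any(c not in "0123456789abcdef" for c in tok):
                break
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)
def checksum(data):
    """RFC 1071 one's-complement sum; a valid IPv4 header or ICMP message yields 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def decode_ipv4(pkt):
    """IPv4 header (RFC 791): byte 0 version/IHL, 2-3 total length, 8 TTL, 9 protocol, 12-19 addresses."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _hcs = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len, "id": ident, "ttl": ttl,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000), "protocol": proto,
            "checksum_ok": checksum(pkt[:ihl]) == 0, "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
def decode_sniffer(text):
    ip = decode_ipv4(raw := dump_to_bytes(text))
    pkt = raw[:ip["total_len"]]          # drop ASCII-column bytes the parser may have swallowed
    result = {"ip": ip, "parsed_bytes": len(raw), "packet_bytes": len(pkt)}
    if ip["protocol"] == 1:              # ICMP (protocol 1): type, code, checksum, id, seq, data
        msg = pkt[ip["header_len"]:]
        typ, code, _cs, ident, seq = struct.unpack("!BBHHH", msg[:8])
        result["icmp"] = {"type": typ, "code": code, "id": ident, "seq": seq,
                          "checksum_ok": checksum(msg) == 0, "data_len": len(msg) - 8}
    return result
```

Both checksums verify on this dump, which is the quickest way to confirm where a header really starts: a decode that begins at the wrong offset will not sum to zero.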
#====================================================================