# Use the Packet Sniffer (diagnose sniffer)
FortiGate has a built-in packet capture. Run it from CLI to see what's actually crossing the box — invaluable for debugging "is the packet even arriving?" scenarios.
## Basic Syntax

```text
diagnose sniffer packet <interface> <filter> <verbosity> <count> <timestamp>
```

- interface — `any`, `wan1`, `internal`, `vlan10`, etc.
- filter — BPF-style filter (or `none` for everything).
- verbosity:
  - `1` — header only.
  - `2` — header + IP info.
  - `3` — header + IP info + payload (hex).
  - `4` — full info, including ETH headers.
  - `5` — same as 4, more detail.
  - `6` — packet count summary.
- count — how many packets to capture (or omit for unlimited).
- timestamp — `a` for absolute time, `l` for local time.
## Common One-Liners

### Capture a specific host

```text
diagnose sniffer packet any "host 10.0.0.50" 4
```

### Capture between two hosts

```text
diagnose sniffer packet any "host 10.0.0.50 and host 8.8.8.8" 4
```

### Capture HTTP/HTTPS only

```text
diagnose sniffer packet wan1 "tcp port 80 or tcp port 443" 4
```

### Capture DNS

```text
diagnose sniffer packet any "udp port 53" 4
```

### Capture ICMP

```text
diagnose sniffer packet any "icmp" 4
```

### Capture on a specific port, first 100 packets only

```text
diagnose sniffer packet any "tcp port 443" 4 100
```
## Save Capture to PCAP for Wireshark

You can't write the capture directly to disk on the FortiGate. Workaround: run the sniffer over SSH and redirect the output to a file on your laptop:

```bash
# On your laptop:
ssh admin@<fortigate> "diagnose sniffer packet wan1 'host 10.0.0.50' 6 200" \
  > capture.txt
# Convert the FortiGate hex format to pcap with a converter:
# https://github.com/aol/moloch/blob/master/contrib/fortigate-to-pcap.pl
# Or use any FortiGate-to-PCAP script (search GitHub).
```

Or use the GUI: Network → Packet Capture, which runs the capture and lets you download the result as `.pcap` directly.
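The conversion step above points at a third-party script. As an added example (not part of this page, and not a Fortinet tool), here is a minimal converter in Python that parses the hex dump the sniffer prints at verbosity 6 and writes a classic libpcap file that Wireshark opens. It assumes the dump begins at the Ethernet header (so the link type is set to Ethernet) and that the relative timestamp in the summary line is acceptable as the packet time. The sniffer output embedded in it is constructed for the example, not a real capture.

```python
import re
import struct
import sys
from dataclasses import dataclass, field
from typing import List

# Constructed sample of verbosity-6 sniffer output: the "interfaces=/filters="
# banner the sniffer prints first, then one summary line per packet followed by
# hex-dump lines of up to 16 bytes each. Frame contents are made up but laid out
# as Ethernet / IPv4 / UDP / 12-byte DNS payload (checksums left as zero).
SAMPLE_OUTPUT = """\
interfaces=[wan1]
filters=[udp port 53]
2.987894 wan1 in 10.0.0.50.55432 -> 8.8.8.8.53: udp 12
0x0000   0009 0f09 0001 0050 56a0 1234 0800 4500   .......PV.4...E.
0x0010   0028 1a2b 0000 4011 0000 0a00 0032 0808   .(.+..@......2..
0x0020   0808 d888 0035 0014 0000 beef 0100 0001   .....5..........
0x0030   0000 0000 0000                            ......
2.990120 wan1 out 8.8.8.8.53 -> 10.0.0.50.55432: udp 12
0x0000   0050 56a0 1234 0009 0f09 0001 0800 4500   .PV.4.........E.
0x0010   0028 7f3c 0000 3a11 0000 0808 0808 0a00   .(.<..:.........
0x0020   0032 0035 d888 0014 0000 beef 8180 0001   .2.5............
0x0030   0000 0000 0000                            ......
"""

SUMMARY_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+(in|out|--)\s+(.*)$")
HEXLINE_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")
HEXWORD_RE = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")  # "4500" or a lone "45"
BYTES_PER_LINE = 16


@dataclass
class Frame:
    timestamp: float      # seconds, as printed in the summary line
    interface: str
    direction: str        # "in", "out", or "--" when no interface is shown
    summary: str          # e.g. "10.0.0.50.55432 -> 8.8.8.8.53: udp 12"
    data: bytearray = field(default_factory=bytearray)


def parse_sniffer_output(text: str) -> List[Frame]:
    """Turn raw sniffer text into frames with their bytes reassembled."""
    frames: List[Frame] = []
    current = None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            current = Frame(float(m.group(1)), m.group(2), m.group(3), m.group(4).strip())
            frames.append(current)
            continue
        m = HEXLINE_RE.match(line)
        if not m or current is None:
            continue  # banner lines, blank lines, anything else
        offset = int(m.group(1), 16)
        if offset != len(current.data):
            raise ValueError(f"hex dump offset 0x{offset:04x} does not follow previous line")
        taken = 0
        for word in m.group(2).split():
            # Stop at the ASCII column. A full line holds exactly 16 bytes, so the
            # limit keeps an ASCII chunk that happens to look like hex (e.g. "beef")
            # out of the frame; only a short final line lacks that protection.
            if taken >= BYTES_PER_LINE or not HEXWORD_RE.match(word):
                break
            current.data += bytes.fromhex(word)
            taken += len(word) // 2
    return frames


PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1   # assumption: verbosity-6 dumps start at the Ethernet header


def to_pcap(frames: List[Frame]) -> bytes:
    """Serialize frames as a classic libpcap file (little-endian, microsecond timestamps)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for f in frames:
        sec = int(f.timestamp)
        usec = int(round((f.timestamp - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(f.data), len(f.data))
        out += f.data
    return bytes(out)


if __name__ == "__main__":
    # Usage: python3 fgt_sniffer_to_pcap.py capture.txt capture.pcap
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    dst = sys.argv[2] if len(sys.argv) > 2 else "capture.pcap"
    frames = parse_sniffer_output(src)
    with open(dst, "wb") as fh:
        fh.write(to_pcap(frames))
    print(f"wrote {len(frames)} frames to {dst}")
```

The offset check matters in practice: when the SSH session drops a line, the frame is silently truncated otherwise and Wireshark shows a malformed packet with no hint why. The `wan1 in`/`wan1 out` direction and the summary text are kept on each frame so a caller can filter by them before writing the file.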
## Reading Sniffer Output

```text
3.421654 wan1 in 10.0.0.50.55432 -> 8.8.8.8.443: syn 1234567890
3.421702 wan1 out 8.8.8.8.443 -> 10.0.0.50.55432: ack ...
```

- `wan1 in` = packet ingress on wan1.
- `wan1 out` = packet egress on wan1.
- `syn`/`ack`/`psh` etc. = TCP flags.

If you see `wan1 in` but no `wan1 out` (no response from the remote side), that's a one-sided conversation.

If a packet arrives but doesn't pass through (no matching packet leaving on a different interface), the FortiGate is filtering it. Use Debug Flow to find which policy.
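As an added example (not from this page), the two checks just described can be run automatically over verbosity-4 summary lines: group packets by source and destination endpoint, then flag a direction that was seen `in` but never `out` (the FortiGate did not forward it) and a direction that was forwarded `out` with nothing ever coming back from the destination (one-sided conversation). The sample lines are constructed with documentation addresses; the interface names and the `not_forwarded`/`no_reply` labels are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed verbosity-4 summary lines (made-up addresses and sequence numbers).
# Flow 1 is healthy, flow 2 is forwarded but never answered, flow 3 never leaves the box.
SAMPLE_LINES = """\
3.421654 internal in 10.0.0.50.55432 -> 8.8.8.8.443: syn 1234567890
3.421702 wan1 out 10.0.0.50.55432 -> 8.8.8.8.443: syn 1234567890
3.445120 wan1 in 8.8.8.8.443 -> 10.0.0.50.55432: syn 99 ack 1234567891
3.445160 internal out 8.8.8.8.443 -> 10.0.0.50.55432: syn 99 ack 1234567891
4.100000 internal in 10.0.0.51.40000 -> 203.0.113.9.22: syn 5
4.103000 wan1 out 10.0.0.51.40000 -> 203.0.113.9.22: syn 5
5.000000 internal in 10.0.0.52.50000 -> 198.51.100.7.445: syn 7
"""

# timestamp, interface, direction, src, dst, rest  (IPv4 "a.b.c.d.port" endpoints only)
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+(in|out)\s+(\S+)\s+->\s+(\S+?):\s*(.*)$")

FlowKey = Tuple[str, str]   # (src endpoint, dst endpoint)


def parse_summary_lines(text: str) -> Dict[FlowKey, Dict[str, List[str]]]:
    """Map each (src, dst) pair to the interfaces on which it was seen 'in' and 'out'."""
    seen: Dict[FlowKey, Dict[str, List[str]]] = defaultdict(lambda: {"in": [], "out": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines, hex dumps, anything not a summary line
        _ts, iface, direction, src, dst, _rest = m.groups()
        seen[(src, dst)][direction].append(iface)
    return seen


def classify_flows(seen: Dict[FlowKey, Dict[str, List[str]]]) -> Dict[FlowKey, str]:
    """
    Verdict per observed src->dst direction:
      ok            - packets left the box and/or the reverse direction was seen too
      not_forwarded - packets arrived ('in') but never left ('out'): something on the
                      FortiGate dropped them (policy, route, session); Debug Flow is next
      no_reply      - packets left ('out') but nothing ever came back from dst:
                      a one-sided conversation, the remote side did not answer
    Traffic addressed to the FortiGate itself is 'in' only by design and will show as
    not_forwarded; exclude it before trusting that verdict.
    """
    verdicts: Dict[FlowKey, str] = {}
    for (src, dst), dirs in seen.items():
        reverse_seen = (dst, src) in seen
        if dirs["in"] and not dirs["out"]:
            verdicts[(src, dst)] = "not_forwarded"
        elif dirs["out"] and not reverse_seen:
            verdicts[(src, dst)] = "no_reply"
        else:
            verdicts[(src, dst)] = "ok"
    return verdicts


def report(text: str) -> List[str]:
    """One human-readable line per flow direction, sorted for stable output."""
    verdicts = classify_flows(parse_summary_lines(text))
    return [f"{src} -> {dst}: {verdict}" for (src, dst), verdict in sorted(verdicts.items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Run it on the redirected output of a `diagnose sniffer packet any "..." 4` session to get a short list of which directions to chase with Debug Flow (`not_forwarded`) and which are a remote-side problem (`no_reply`). Retransmissions do not distort the result, since only the presence of each direction is counted.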