【Fortinet】FortiOS Sniffer

CLI command

diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbose> <count> <tsformat>


Parameters

<interface>
Network interface to sniff (or "any").

<tcpdump-filter>
Packet filter in tcpdump syntax, enclosed in quotes (e.g. 'host 8.8.8.8 and dst port 53').

<verbose>
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name

<count>
Sniffer count (number of packets to capture).

<tsformat>
Format of timestamp.
a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
otherwise: relative to the start of sniffing, ss.ms

Examples
LAB-FG100D # config vdom 
LAB-FG100D (vdom) # edit lab
LAB-FG100D (lab) # diagnose sniffer packet any 'host 8.8.8.8 and dst port 53'
interfaces=[any]
filters=[host 8.8.8.8 and dst port 53]
20.160000 10.10.104.101.65276 -> 8.8.8.8.53: udp 31
20.160000 10.10.104.101.65475 -> 8.8.8.8.53: udp 31
20.160000 13.32.133.64.65475 -> 8.8.8.8.53: udp 31
20.160000 12.36.162.75.65276 -> 8.8.8.8.53: udp 31


LAB-FG100D (lab)# diagnose sniffer packet any 'dst port 53' 4 6 l
interfaces=[any]
filters=[dst port 53]
2017-08-24 14:07:45.340000 WLAN-lab in 10.10.104.121.54121 -> 168.95.192.1.53: udp 43
2017-08-24 14:07:45.340000 WLAN-lab in 10.10.104.121.57501 -> 168.95.192.1.53: udp 43
2017-08-24 14:07:45.340000 ppp1 out 17.14.14.7.54121 -> 168.95.192.1.53: udp 43
2017-08-24 14:07:45.340000 ppp1 out 17.14.14.7.57501 -> 168.95.192.1.53: udp 43
2017-08-24 14:07:45.370000 WLAN-lab in 10.10.104.121.57501 -> 168.95.1.1.53: udp 43
2017-08-24 14:07:45.370000 ppp1 out 17.34.161.98.57501 -> 168.95.1.1.53: udp 43
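As an added example (not code from the original post), a small Python parser for the two output formats shown above: plain verbose 1 lines with relative timestamps, and verbose 4 lines with tsformat l that also carry the interface name and direction. It then reports internal hosts that send DNS to resolvers outside an allow list; the sample lines and the allow list (168.95.192.1 and 168.95.1.1, taken from the second example) are constructed for the demo.

```python
import re

# Constructed sample, in the two output formats the post shows: verbose 1 with
# relative timestamps, and verbose 4 with tsformat 'l' (interface + direction).
SAMPLE_OUTPUT = """\
interfaces=[any]
filters=[dst port 53]
20.160000 10.10.104.101.65276 -> 8.8.8.8.53: udp 31
2017-08-24 14:07:45.340000 WLAN-lab in 10.10.104.121.54121 -> 168.95.192.1.53: udp 43
2017-08-24 14:07:45.340000 ppp1 out 17.14.14.7.54121 -> 168.95.192.1.53: udp 43
2017-08-24 14:07:45.370000 WLAN-lab in 10.10.104.121.57501 -> 8.8.8.8.53: udp 43
2017-08-24 14:07:45.370000 ppp1 out 17.14.14.7.57501 -> 8.8.8.8.53: udp 43
"""

# One packet line: <timestamp> [<intf> in|out] <src>.<sport> -> <dst>.<dport>: <summary>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+)\s+"
    r"(?:(?P<intf>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<summary>.+?)\s*$"
)

def parse_sniffer_line(line):
    """Parse one packet line; returns None for the interfaces=/filters= header lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()          # intf/dir stay None on verbose-1 lines
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["proto"] = rec["summary"].split()[0]   # 'udp' for the DNS lines shown
    return rec

def parse_sniffer_output(text):
    return [r for r in (parse_sniffer_line(line) for line in text.splitlines()) if r]

def unexpected_dns_clients(records, allowed_resolvers):
    """Map client IP -> set of resolvers it queried that are not in the allow list.

    Only 'in' lines (or verbose-1 lines with no interface) are counted: in the
    verbose-4 sample the 'out' line on ppp1 carries the post-NAT source address,
    so the real client is visible only on the ingress-interface line.
    """
    hits = {}
    for r in records:
        if r["dport"] != 53 or r["dir"] == "out":
            continue
        if r["dst"] not in allowed_resolvers:
            hits.setdefault(r["src"], set()).add(r["dst"])
    return hits
```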


Additional notes

execute packet-capture port1 "host 10.1.1.254"
diagnose sniffer packet port2 "host 10.1.1.254"

Posted by 鵝 on 痞客邦, comments (0)