Fortigate Packet Sniffer
Packet capture, also known as sniffing, records some or all of the packets seen by a network interface. By recording packets, you can trace connection states to the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to detect.
FortiManager units have a built-in sniffer. Packet capture on FortiManager units is similar to that of FortiGate units. Packet capture is displayed on the CLI, which you may be able to save to a file for later analysis, depending on your CLI client.
Packet capture can be very resource intensive. To minimize the performance impact on your FortiManager unit, use packet capture only during periods of minimal traffic, with a serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.
Enter either none to capture all packets, or type a filter that specifies which protocols and port numbers you do or do not want to capture, such as 'tcp port 25'. Surround the filter string in quotes.
If you are familiar with the TCP protocol, you may notice that the packets are from the middle of a TCP connection. Because port 22 is used, which is the standard port number for SSH, the packets might be from an SSH session.
The following example captures packet traffic on TCP port 80 (typically HTTP) between two hosts, 192.168.0.1 and 192.168.0.2. The capture uses a low level of verbosity (indicated by 1). Because the filter does not specify either host as the source or destination in the IPv4 header (src or dst), the sniffer captures both forward and reply traffic.
A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Ctrl+C. The sniffer then confirms that five packets were seen by that network interface.
Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text file using your CLI client. Saving the output provides several advantages. Packets can arrive more rapidly than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using encoding other than US-ASCII. It is usually preferable to analyze the output by loading it into a network protocol analyzer application such as Wireshark.
You can convert the plain text file to a format (.pcap) recognizable by Wireshark using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Fortinet Knowledge Base article Using the FortiOS built-in packet sniffer.
As a result, DPI provides a more effective mechanism for executing network packet filtering. In addition to the inspection capabilities of regular packet-sniffing technologies, DPI can find otherwise hidden threats within the data stream, such as attempts at data exfiltration, violations of content policies, malware, and more.
DPI examines the contents of data packets using specific rules preprogrammed by the user, an administrator, or an internet service provider (ISP). Then, it decides how to handle the threats it discovers. Not only can DPI identify the existence of threats but, using the contents of the packet and its header, it can also figure out where it came from. In this way, DPI can pinpoint the application or service that launched the threat.
Conventional packet filtering is only able to read what is inside the header information that comes with each packet of data. This is a basic, less sophisticated approach necessitated by early technological limits. Because firewalls were not capable of processing a lot of data quickly, they only focused on the header information because anything more would require more work and time, inordinately sacrificing network performance.
There are a variety of ways to use deep packet inspection. DPI can serve as an intrusion detection system (IDS) alone, or as both an intrusion prevention system (IPS) and an IDS. It also enables users to spot specific kinds of attacks that a regular firewall may not be able to detect.
It is also possible to decide which packets are the most business-critical and make sure they are given priority over other, less crucial packets, such as regular browsing packets. Further, if the organization is trying to overcome the burden of peer-to-peer downloading, DPI can be used to identify this specific type of transmission and throttle the data.
In addition, DPI can give administrators visibility over the entire network, analyzing activity using heuristics to identify anything abnormal. Heuristics involves the examination of data packets in an effort to spot anything out of the ordinary that may signal a potential threat.
DPI can also be used to inspect outbound traffic as it attempts to exit the network. Businesses can therefore set up filters designed to prevent data exfiltration. You can also use DPI to figure out where your data is going. With UniFi deep packet inspection, for example, records of where data was sent are kept in the gateway for you to examine until you delete them manually.
With pattern or signature matching, the contents of a data packet are analyzed and compared against a database of previously identified threats. If the system is constantly updated with threat intelligence, this can be a very effective defense against attacks. However, if the attack is new, the system may miss it.
DPI can also be used to enhance security. Hackers may use certain websites or applications to launch their attacks. With DPI, you can completely block all data coming from certain sites or applications, thereby shielding your network from their associated threats. You can also benefit from seeing not just where a data packet is coming from but also what is inside its payload. DPI can identify dangerous data packets that may slip by regular firewalls.
The Fortinet NGFW, FortiGate, uses DPI to analyze data attempting to enter your network, exit it, or move across it. FortiGate is armed with anti-malware algorithms that look inside the contents of a data packet, detect malware, and automatically dispose of the packet.
The Fortinet device may not display all packets if too much information is requested to be displayed, or if the traffic being sniffed is significant. When this occurs, the unit will log the following message once the trace is terminated:
    12151 packets received by filter
    3264 packets dropped by kernel
When this occurs, it is possible that what you were attempting to capture was not actually captured. To avoid this, you may try to tighten the display filters, reduce the verbose level, or perform the trace during a lower traffic period.
The packet timestamps displayed by the sniffer may become skewed or delayed under high load conditions. This may occur even if no packets were dropped (as mentioned above). Therefore, do not rely on these values to troubleshoot or measure performance issues that require precise timing.
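As an added example, not Fortinet's fgt2eth.pl script and not code from this page, the following Python converter does the two things the text above asks of a saved capture: it turns verbosity-3 sniffer output into a .pcap file that Wireshark can open, and it reads the "packets dropped by kernel" trailer so that an incomplete capture is noticed rather than trusted. The sniffer's line layout (timestamp, interface, direction, summary line, then tab-separated hex rows) is assumed from its tcpdump-style output, and the sample capture is constructed.

```python
import re
import struct

# Constructed sample of "diagnose sniffer packet ... 3" output: a summary line per
# packet, then tab-separated hex rows. The exact layout is an assumption.
SAMPLE = """interfaces=[port1]
filters=[tcp port 80 and host 192.168.0.1 and host 192.168.0.2]
0.913731 port1 -- 192.168.0.1.40112 -> 192.168.0.2.80: syn 1000
0x0000\t 0011 2233 4455 6677 8899 aabb 0800 4500\t.."3DUfw......E.
0x0010\t 0028 0001 4000 4006 0000 c0a8 0001 c0a8\t.(..@.@.........
0x0020\t 0002 9cb0 0050 0000 03e8 0000 0000 5002\t.....P........P.
0x0030\t 2000 0000 0000\t ......
0.914102 port1 -- 192.168.0.2.80 -> 192.168.0.1.40112: syn 2000 ack 1001
0x0000\t 6677 8899 aabb 0011 2233 4455 0800 4500\tfw......."3DU..E.
0x0010\t 0028 0002 4000 4006 0000 c0a8 0002 c0a8\t.(..@.@.........
0x0020\t 0001 0050 9cb0 0000 07d0 0000 03e9 5012\t...P..........P.
0x0030\t 2000 0000 0000\t ......
2 packets received by filter
0 packets dropped by kernel
"""

HEADER = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+(in|out|--)\s+")
HEXLINE = re.compile(r"^0x[0-9a-f]+\t ([0-9a-f ]+)")
DROPPED = re.compile(r"(\d+) packets dropped by kernel")

def parse_sniffer(text):
    """Return ([(timestamp, interface, frame_bytes), ...], packets_dropped_by_kernel)."""
    packets, dropped = [], 0
    for line in text.splitlines():
        if m := HEADER.match(line):                    # summary line: start a new frame
            packets.append((float(m[1]), m[2], bytearray()))
        elif (m := HEXLINE.match(line)) and packets:   # hex rows belong to the last frame
            packets[-1][2].extend(bytes.fromhex(m[1]))
        elif m := DROPPED.search(line):                # trailer: nonzero means gaps in the capture
            dropped = int(m[1])
    return [(t, i, bytes(f)) for t, i, f in packets], dropped

def to_pcap(packets, linktype=1):
    """Serialize frames as classic libpcap (Ethernet link type) so Wireshark can open them."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, _iface, frame in packets:
        sec = int(ts)
        usec = round((ts - sec) * 1_000_000)           # sniffer timestamps are relative seconds
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    pkts, dropped = parse_sniffer(SAMPLE)
    open("capture.pcap", "wb").write(to_pcap(pkts))
    print(f"{len(pkts)} frames written, {dropped} dropped by kernel")
```

Because the sniffer prints only relative timestamps (and skews them under load, as noted above), the resulting pcap is suitable for following connection state, not for precise timing measurements.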