# Convert FortiGate's "diagnose sniffer" output to pcap files

Some FortiGate models like the FG100E don't have a disk, so you can't use the WebUI's "Packet Capture" menu to create pcap files. The workaround is to use the CLI, produce verbose sniffer output and convert it with a Perl script. The Perl stuff didn't work for me, so I created this tool: a small compiled binary that converts session logs to pcap files which can be opened with Wireshark.
## Step 1: Log your SSH session

How the session log is created depends on your SSH client.

### Linux tee

`tee` saves you step 3 and redirects the OpenSSH output directly to the tool. I assume your fgsniffer binary lies in your current path. 10.10.10.1 is of course a placeholder for your firewall.

```
~ $ ssh 10.10.10.1 | tee >(./fgsniffer)
```

### screen

screen has a log command with the shortcut Ctrl-a H. The console output is saved into a file screenlog.X. Press Ctrl-a H again to stop logging.

### PuTTY

In the settings look for Session/Logging. Check "Printable Output" and click "Browse" to save the putty.log somewhere you can find it again. Now connect to your firewall.

### Other clients

Some clients put this under the menu "Options", item "Session Options...", where you find the "Log File" setting under "Terminal". Now connect to your firewall.
## Step 2: Run the sniffer

On the firewall run the sniffer command with these parameters:

```
diagnose sniffer packet <interface> '<filter>' <3|6> <count> a
```

The options mean:

| Option | Meaning |
|---|---|
| `<interface>` | The interface name or 'any' |
| `<filter>` | A tcpdump-compatible input filter |
| `<3\|6>` | The verbosity level. '6' adds the interface name. See below. |
| `<count>` | Stop after this number of packets, or '0' for no limit |
| `a` | Output the absolute UTC time |
```
fw01 # diagnose sniffer packet any 'icmp' 6 10 a
interfaces=[any]
filters=[icmp]
2017-09-12 12:41:38.676846 inside in 10.134.190.2 -> 10.134.190.30: icmp: echo request
0x0000 0000 0000 0001 0023 e93e 7a38 0800 4500 .......#.>z8..E.
0x0010 0028 0000 4000 ff01 eaa7 0a86 be02 0a86 .(..@...........
[cut]
```
## Step 3: Convert the log

Go to the folder where you saved your session log. I assume fgsniffer lies here too.

```
fgsniffer putty.log
created output file fgsniffer.pcap
```

You find one or more pcap files in your current path.
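To show what the conversion in step 3 actually does, here is an added example written for this page; it is not fgsniffer's own source. It parses verbosity-6 output recorded with the `a` option (summary line, then `0x0000 ...` hex-dump lines), groups the frames per interface as the README describes, and serialises each group as a classic libpcap file that Wireshark opens. The function names, the 16-bytes-per-line dump heuristic and the per-interface grouping are my assumptions; relative timestamps (captures without `a`) and verbosity 3 are not handled.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
	"regexp"
	"strings"
	"time"
)

// Packet is one frame recovered from "diagnose sniffer packet <if> '<filter>' 6 <count> a" output.
type Packet struct {
	Time  time.Time // absolute UTC time; needs the trailing "a" option
	Iface string    // interface name; only printed at verbosity 6
	Data  []byte    // raw frame starting with the Ethernet header
}

// headerRe matches the summary line that opens every packet, e.g.
// "2017-09-12 12:41:38.676846 inside in 10.134.190.2 -> 10.134.190.30: icmp: echo request".
var headerRe = regexp.MustCompile(`^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) (\S+) (in|out) `)
var hexWord = regexp.MustCompile(`^[0-9a-fA-F]{4}$`) // one 16-bit group of the dump, e.g. "e93e"

// ParseSniffer turns the logged session text into packets. The banner
// ("interfaces=[any]"), the CLI prompt and "[cut]" markers are skipped.
func ParseSniffer(r io.Reader) ([]Packet, error) {
	var pkts []Packet
	var cur Packet // packet whose dump lines are being read; Iface == "" means none yet
	flush := func() { // keep only packets that actually received dump bytes
		if len(cur.Data) > 0 {
			pkts = append(pkts, cur)
		}
	}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		if m := headerRe.FindStringSubmatch(line); m != nil {
			ts, err := time.Parse("2006-01-02 15:04:05.000000", m[1])
			if err != nil {
				return nil, err
			}
			flush()
			cur = Packet{Time: ts, Iface: m[2]}
			continue
		}
		// A dump line's offset must continue the current frame; anything else is noise.
		f := strings.Fields(line)
		if cur.Iface == "" || len(f) < 2 || f[0] != fmt.Sprintf("0x%04x", len(cur.Data)) {
			continue
		}
		for i := 1; i < len(f) && i <= 8; i++ { // at most 8 groups = 16 bytes per line
			if !hexWord.MatchString(f[i]) {
				break // the first non-hex token starts the ASCII column
			}
			b, _ := hex.DecodeString(f[i])
			cur.Data = append(cur.Data, b...)
		}
	}
	flush()
	return pkts, sc.Err()
}

// WritePcap serialises packets as a classic libpcap file (native byte order,
// microsecond timestamps, link type Ethernet), which Wireshark opens directly.
func WritePcap(pkts []Packet) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, []uint32{
		0xa1b2c3d4, // magic number
		2 | 4<<16,  // version major 2, minor 4 (two little-endian uint16)
		0, 0,       // thiszone, sigfigs
		65535,      // snaplen
		1,          // LINKTYPE_ETHERNET
	})
	for _, p := range pkts {
		n := uint32(len(p.Data))
		binary.Write(&buf, binary.LittleEndian, []uint32{ // ts_sec, ts_usec, incl_len, orig_len
			uint32(p.Time.Unix()), uint32(p.Time.Nanosecond() / 1000), n, n})
		buf.Write(p.Data)
	}
	return buf.Bytes()
}

// SplitByInterface groups packets per interface, so a capture on 'any' yields one file per interface.
// Calling convention from a main: pkts, _ := ParseSniffer(logFile); then for each group returned
// here, write WritePcap(group) to "<iface>.pcap".
func SplitByInterface(pkts []Packet) map[string][]Packet {
	groups := map[string][]Packet{}
	for _, p := range pkts {
		groups[p.Iface] = append(groups[p.Iface], p)
	}
	return groups
}
```

The offset check (`0x%04x` against the bytes collected so far) is what makes the parser robust against the prompt, banner and `[cut]` lines that end up in a session log: anything that does not continue the current frame is ignored rather than corrupting it. The ASCII column at the end of each dump line is never decoded, because with 8 hex groups per line the parser stops before it; the only ambiguity is a short last line whose ASCII text happens to look like a 4-digit hex word.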
## Notes on the sniffer options

It is a good idea to always add "a" to the sniffer options so that your pcaps carry proper timestamps. Users who had forgotten this option were confused why this tool wasn't working for them. The current version of fgsniffer also accepts relative times; the time shown in the pcap will then be the current local time plus the deltas.

If you limit your filter to one interface, level '3' is fine. But if you need to follow a packet through the box you can use level '6' and the interface 'any'. fgsniffer will create a file for every interface so you don't lose this information. I recommend using '6' all of the time.
## Installation

The tool is one statically linked binary. Installing is as simple as download, unzip and run.

### Building from source

If you haven't used Go before, please read https://golang.org/doc/install and set up the required GOPATH and GOBIN environment variables.

Linux:

```
go get github.com/DirkDuesentrieb/fgsniffer
go install $GOPATH/src/github.com/DirkDuesentrieb/fgsniffer/main.go
```

Windows (PowerShell):

```
go get github.com/DirkDuesentrieb/fgsniffer
go install $Env:GOPATH\src\github.com\DirkDuesentrieb\fgsniffer\main.go
```

If your GOBIN is part of your global PATH you can run fgsniffer from anywhere in your filesystem.
## VPN interfaces

In some FortiOS versions captures on a VPN interface cannot be parsed. The reason is a missing Ethernet header. fgsniffer now has an option `-fixvpn` to create a dummy header.
## Newer firmware

fgsniffer still works with the latest firmware versions (currently 6.4), but the newer firmware versions can create pcaps directly via the GUI. That makes simple network debugging much easier.

Using fgsniffer is still necessary if you want to

- use an advanced capture filter (e.g. with `and`, `or`, `not`)
- capture more than 10000 packets
- capture on all interfaces