How to import FortiGate sniffer packet data into Wireshark

Packet capture is one of the best practices for troubleshooting connection issues on your network, and Wireshark is the usual application for analysing the captured traffic.

However, low-end FortiGate models have no local disk, so they don't support packet capture from the GUI. You can still capture packets from the CLI with the 'diagnose sniffer packet' command. A sample diagnose command and its output are shown below.

# diagnose sniffer packet <interface> '<filter>' 6

Verbosity level 6 prints the timestamp, the interface name and a full hex dump of every frame, which is the form the converter below expects. (I will cover the diagnose commands in detail in later posts.)

Output:

2017-10-21 12:47:50.909247 <interface> in sourceip -> destinationip: ip-proto-50 84

0x0000 0000 0000 0001 0004 9698 b573 0800 4500 ...........s..E.
0x0010 0068 95f2 0000 f932 51e8 5f00 5ff6 5f00 .h.....2Q._._._.
0x0020 bb92 2abc a304 0000 5d44 ccd6 e465 a49a ..*.....]D...e..
0x0030 00ef 2b3a b25a 7bb7 26cb e8a1 3410 ce45 ..+:.Z{.&...4..E
0x0040 071c 8189 d13c 8194 e592 934e 615d ab64 .....<.....Na].d
0x0050 3490 2011 0df3 babd fb07 b3e6 ece3 8312 4...............
0x0060 aff9 9606 34fa 41df 6948 8ce6 b4dd d44d ....4.A.iH.....M
0x0070 e2f8 0f52 e5ad ...R..

2017-10-21 12:47:50.909253 <interface> in sourceip -> destinationip: ip-proto-50 84

0x0000 0000 0000 0000 0004 9698 b573 0800 4500 ...........s..E.
0x0010 0068 95f2 0000 f932 51e8 5f00 5ff6 5f00 .h.....2Q._._._.
0x0020 bb92 2abc a304 0000 5d44 ccd6 e465 a49a ..*.....]D...e..
0x0030 00ef 2b3a b25a 7bb7 26cb e8a1 3410 ce45 ..+:.Z{.&...4..E
0x0040 071c 8189 d13c 8194 e592 934e 615d ab64 .....<.....Na].d
0x0050 3490 2011 0df3 babd fb07 b3e6 ece3 8312 4...............
0x0060 aff9 9606 34fa 41df 6948 8ce6 b4dd d44d ....4.A.iH.....M
0x0070 e2f8 0f52 e5ad ...R..

Output in this form can't be analysed directly, so you need to import it into Wireshark.

– Before importing, log the output to a text file. You can use PuTTY, SecureCRT or any other SSH client with session logging.

– Once the output is logged, download fgt2eth.exe. Fortinet provides this tool to convert the text file into a pcap file. You can download it from here.

– After downloading fgt2eth.exe, create a new folder on your desktop and move fgt2eth.exe and the log file into it.

– In the new folder, type cmd in the Explorer address bar and press Enter; a command prompt opens in that folder.

– In the command prompt, run the following command. As the arguments suggest, it converts your text file into a pcap file that you can open in Wireshark.

# fgt2eth.exe -in fglog.txt -out fglog.pcap

– When the command finishes, the pcap file appears in the folder. Open it in Wireshark. That's it!
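fgt2eth.exe only runs on Windows. As an added example that is not Fortinet's tool and not part of the original post, the script below does the same conversion for the verbose-6 text shown above: it parses each packet header and hex dump, checks the dump offsets for lines lost in the terminal log, and writes a classic libpcap file (link type Ethernet) that Wireshark opens directly. The embedded sample is the first frame from the post, keeping its placeholder interface and addresses; real FortiGate output is assumed to use the same layout.

```python
import calendar
import re
import struct
from datetime import datetime

# Constructed sample: the first frame of the post's verbose-6 output (placeholders kept).
SAMPLE = """\
2017-10-21 12:47:50.909247 <interface> in sourceip -> destinationip: ip-proto-50 84
0x0000 0000 0000 0001 0004 9698 b573 0800 4500 ...........s..E.
0x0010 0068 95f2 0000 f932 51e8 5f00 5ff6 5f00 .h.....2Q._._._.
0x0020 bb92 2abc a304 0000 5d44 ccd6 e465 a49a ..*.....]D...e..
0x0030 00ef 2b3a b25a 7bb7 26cb e8a1 3410 ce45 ..+:.Z{.&...4..E
0x0040 071c 8189 d13c 8194 e592 934e 615d ab64 .....<.....Na].d
0x0050 3490 2011 0df3 babd fb07 b3e6 ece3 8312 4...............
0x0060 aff9 9606 34fa 41df 6948 8ce6 b4dd d44d ....4.A.iH.....M
0x0070 e2f8 0f52 e5ad ...R..
"""

# Packet header line: timestamp, interface, direction, then the flow summary.
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) \S+ (in|out) ")
# Hex line: offset, then up to eight groups of 4 hex digits; the ASCII column is ignored.
HEX_RE = re.compile(r"^0x([0-9a-f]{4})\s+((?:[0-9a-f]{4}\s+){0,7}[0-9a-f]{2,4})")

def parse_sniffer(text):
    """Return [(datetime, frame_bytes), ...] parsed from verbose-6 sniffer output."""
    packets, ts, buf = [], None, bytearray()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if buf:
                packets.append((ts, bytes(buf)))
            ts, buf = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), bytearray()
            continue
        m = HEX_RE.match(line)
        if m and ts is not None:
            if int(m.group(1), 16) != len(buf):  # a dump line was dropped or reordered
                raise ValueError("hex dump offset mismatch: " + line)
            buf += bytes.fromhex("".join(m.group(2).split()))
    if buf:
        packets.append((ts, bytes(buf)))
    return packets

def build_pcap(packets):
    """Serialise frames as a classic libpcap capture, link type 1 (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in packets:
        sec = calendar.timegm(ts.timetuple())  # sniffer timestamps are treated as UTC
        out += struct.pack("<IIII", sec, ts.microsecond, len(frame), len(frame)) + frame
    return bytes(out)
```

To convert a logged session, read the log file, pass its text through parse_sniffer and write build_pcap's bytes to fglog.pcap. The offset check fails loudly rather than producing a silently truncated capture when the terminal dropped output.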
