Tag Archives: fortinet Packet Capture

Packet Capture

Packet Capture

When troubleshooting networks, it helps to look inside the header of the packets. This helps to determine if the packets, route, and destination are all what you expect. Packet capture can also be called a network tap, packet sniffing, or logic analyzing.

 

To use the packet capture.

1. Go to System > Network > Packet Capture.

2. Select Create New or select an existing entry if you’ve already made one that fits your needs.

3. Select the interface to monitor and select the number of packets to keep.

4. Select Enable Filters.

5. Enter the information you want to gather from the packet capture.

6. Select OK.

To run the capture, select the play button in the progress column in the packet capture list. If not active, Not Running will also appear in the column cell. The progress bar will indicate the status of the capture. You can stop and restart it at any time.

When the capture is complete, select the Download icon to save the packet capture file to your hard disk for further analysis.

Packet capture tells you what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as:

  • finding missing traffic
  • seeing if sessions are setting up properly
  • locating ARP problems such as broadcast storm sources and causes
  • confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks
  • confirming routing is working as you expect
  • wireless client connection problems
  • intermittent missing PING packets
  • a particular type of packet is having problems, such as UDP, which is commonly used for streaming video

If you are running a constant traffic application such as ping, packet capture can tell you if the traffic is reaching the destination, how the port enters and exits the FortiGate unit, if the ARP resolution is correct, and if the traffic is returning to the source as expected. You can also use packet switching to verify that NAT or other configuration is translating addresses or routing traffic the way that you want it to.

Before you start capturing packets, you need to have a good idea of what you are looking for. Capture is used to confirm or deny your ideas about what is happening on the network. If you try capture without a plan to narrow your search, you could end up with too much data to effectively analyze. On the other hand, you need to capture enough packets to really understand all of the patterns and behavior that you are looking for.