23 Mar 2022

Packet Capture / Sniffer setup on a Fortigate without a disk

Here's how I capture packets on a Fortigate firewall that does not have a disk.

1. Use a good SSH client that can log the session to a file, such as PuTTY, and enable its session logging feature.
The sniffer output then lands in a text file that can be run through the utility that converts it to a pcap file.


2. Setup the sniffer on Fortigate:

diagnose sniffer packet <interface_name> '<filter>' <verbose> <count> <tsformat>

For example:

diagnose sniffer packet any "host <src_host_ip> and host <dst_host_ip>" 6

(verbose level 6 includes the interface name and the full packet data in the output; it is the highest verbosity level, so the text log contains everything the converter needs)



3. Clean up the text file (strip everything that isn't sniffer output) and run it through the conversion utility.

Fortinet's fgt2eth utility (available as a Linux Perl script and as a Windows exe)

Usage:

fgt2eth.exe -in <file captured>.txt -out <output name>.cap


Alternatives which I haven't tested yet:

fgsniffer (announcement post on the Fortinet forums)

sniftran


4. Open the converted pcap file in Wireshark.

5. Get a dark coffee and dive deep into the capture! :)
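As an added example (my own code, not Fortinet's fgt2eth and not one of the alternatives above), here is a small Python converter that does step 3 by itself: it reads the PuTTY session log, skips everything that isn't sniffer output (the echoed command, the interfaces=/filters= lines, the packet counters, the prompt), reassembles each frame from its hex-dump lines and writes a classic libpcap file that Wireshark opens directly. It assumes the verbose-6 layout: one header line per packet with timestamp, interface name and direction, followed by hex-dump lines that start with a 0x offset and carry the ASCII column after a tab. Both relative timestamps and the absolute tsformat (YYYY-MM-DD HH:MM:SS.ffffff) are handled. The session log embedded in the script is constructed for the demonstration, not a real capture.

```python
"""Turn a saved FortiGate 'diagnose sniffer packet ... 6' session log into a pcap file.

Added example, not Fortinet's fgt2eth. Assumed input layout (verbose level 6):
one header line per packet, '<timestamp> <interface> <in|out> <summary>', followed by
hex-dump lines '0x0000<tab> 0011 2233 ...<tab><ascii>'. Everything else is skipped.
"""
import re
import struct
import sys
from datetime import datetime

PKT_HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+)\s+"  # relative or tsformat 'a'
    r"(?P<iface>\S+)\s+(?P<dir>in|out|--)\s"
)
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]{4}\s+(?P<rest>.*)$")
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")  # 2 or 4 hex digits per group

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # verbose 6 dumps start at the Ethernet header

# Constructed sample of a PuTTY session log (CRLF line endings, prompt echo included):
# a TCP SYN and its SYN/ACK between 10.0.0.1 and 10.0.0.2, 54 bytes each.
SAMPLE_LOG = "\r\n".join([
    'FGT # diagnose sniffer packet any "host 10.0.0.1 and host 10.0.0.2" 6',
    "interfaces=[any]",
    "filters=[host 10.0.0.1 and host 10.0.0.2]",
    "0.000000 port1 in 10.0.0.1.12345 -> 10.0.0.2.80: syn 1",
    '0x0000\t 0011 2233 4455 6677 8899 aabb 0800 4500\t.."3DUfw......E.',
    "0x0010\t 0028 0001 0000 4006 0000 0a00 0001 0a00\t.(....@.........",
    "0x0020\t 0002 3039 0050 0000 0001 0000 0000 5002\t..09.P........P.",
    "0x0030\t 2000 0000 0000\t ......",
    "0.001234 port1 out 10.0.0.2.80 -> 10.0.0.1.12345: syn 100 ack 2",
    '0x0000\t 6677 8899 aabb 0011 2233 4455 0800 4500\tfw......"3DU..E.',
    "0x0010\t 0028 0002 0000 4006 0000 0a00 0002 0a00\t.(....@.........",
    "0x0020\t 0001 0050 3039 0000 0064 0000 0002 5012\t...P09...d....P.",
    "0x0030\t 2000 0000 0000\t ......",
    "2 packets received by filter",
    "0 packets dropped by kernel",
    "FGT # ",
])


def _timestamp(text):
    """Header timestamp -> float seconds (relative seconds, or absolute local time)."""
    if "-" in text:
        return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").timestamp()
    return float(text)


def _hex_bytes(rest):
    """Bytes from the hex column of one dump line; the ASCII column is dropped."""
    if "\t" in rest:                      # assumption: a tab separates hex from ASCII
        rest = rest.split("\t", 1)[0]
    out = bytearray()
    for tok in rest.split():
        if not HEX_GROUP.match(tok):      # first non-hex token ends the hex column
            break
        out += bytes.fromhex(tok)
    return bytes(out)


def parse_sniffer_log(text):
    """Return a list of (timestamp, interface, direction, frame_bytes) tuples."""
    packets, current = [], None
    for line in text.splitlines():        # handles CRLF from PuTTY logs
        m = PKT_HEADER.match(line)
        if m:
            if current is not None:
                packets.append(current)
            current = [_timestamp(m["ts"]), m["iface"], m["dir"], bytearray()]
            continue
        h = HEX_LINE.match(line)
        if h and current is not None:
            current[3] += _hex_bytes(h["rest"])
        # prompt echo, interfaces=/filters= lines and the packet counters fall through here
    if current is not None:
        packets.append(current)
    return [(ts, iface, d, bytes(frame)) for ts, iface, d, frame in packets]


def to_pcap(packets, snaplen=65535):
    """Serialize parsed packets as a classic libpcap byte string (little-endian)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, _iface, _dir, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        if usec == 1_000_000:             # rounding overflow at the second boundary
            sec, usec = sec + 1, 0
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def convert_file(in_path, out_path):
    """Read a session log, write the pcap, return the number of packets converted."""
    with open(in_path, encoding="utf-8", errors="replace") as f:
        packets = parse_sniffer_log(f.read())
    with open(out_path, "wb") as f:
        f.write(to_pcap(packets))
    return len(packets)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"{convert_file(sys.argv[1], sys.argv[2])} packets written to {sys.argv[2]}")
    else:  # no arguments: show what the parser makes of the constructed sample
        for ts, iface, direction, frame in parse_sniffer_log(SAMPLE_LOG):
            print(f"{ts:.6f} {iface} {direction} {len(frame)} bytes")
```

Run it as `python fgt2pcap.py capture.txt capture.pcap` (the script name is my choice). With the default relative timestamps the packets show up in Wireshark at an epoch of 1970 plus the offset; use tsformat a when you need real wall-clock times. The interface name and direction are parsed but not stored, since the classic pcap record has no field for them; if you need them, keep the text log next to the pcap.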


Ref: Fortinet knowledge base article (Fortigate)