convert "diag sniffer" to pcap: new tool

Author
DirkDuesentrieb
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/09/14 01:30:14
  • Status: offline
2017/09/14 06:45:18 (permalink)
0


Hi,
 
I created a small program that helps firewall admins to create Wireshark compatible pcap files on diskless Fortigate models. You can find the "fgsniffer" here on Github.
It works for me on Windows and Linux, now I need some testers!
Feedback is welcome.
Cheers,
 
Dirk
#1


    oheigl
    Gold Member
    • Total Posts : 268
    • Scores: 16
    • Reward points: 0
    • Joined: 2010/02/18 04:27:05
    • Location: Austria
    • Status: offline
    Re: convert "diag sniffer" to pcap: new tool 2017/09/15 00:37:07 (permalink)
    5 (1)
    Hi Dirk,
    I just tried it with a trace I took yesterday, and it doesn't seem to work. There is only one packet (should be 259) and Wireshark tells me that the FCS is incorrect. No other packets are listed.
     
    I appreciate the work you put into this, but why don't you use the compiled version linked in this KB: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30877
    Did it not work for you?
    Kind regards
    #2
    DirkDuesentrieb
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/09/14 01:30:14
    • Status: offline
    Re: convert "diag sniffer" to pcap: new tool 2017/09/15 01:44:29 (permalink)
    0
    I tried only the original perl and this created only empty output or errors depending on the perl version. The compiled version works (on Windows) and produces a valid pcap file. Still, the times do not take the time zone into account; they are off by two for me.
     
    Can you provide one or two packets of your test capture that didn't match? I think my regex doesn't match because of some little difference. I'd like to fix that.
     
    Cheers,
     
    Dirk
    #3
    oheigl
    Gold Member
    • Total Posts : 268
    • Scores: 16
    • Reward points: 0
    • Joined: 2010/02/18 04:27:05
    • Location: Austria
    • Status: offline
    Re: convert "diag sniffer" to pcap: new tool 2017/09/15 03:33:16 (permalink)
    0
    Yeah I usually fix the time zone problem with Wireshark and Time Shift. I sent you a PM, hope the formatting is somewhat correct, otherwise just tell me 
    Greetings!
    #4
    DirkDuesentrieb
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/09/14 01:30:14
    • Status: offline
    Re: convert "diag sniffer" to pcap: new tool 2017/09/15 04:45:29 (permalink)
    0
    Got it, thanks. The interface direction "--" was new to me, it is "in" or "out" normally. I fixed another issue with interface names containing slashes or brackets and updated github. I would be happy if you can retest. 
    #5
    oheigl
    Gold Member
    • Total Posts : 268
    • Scores: 16
    • Reward points: 0
    • Joined: 2010/02/18 04:27:05
    • Location: Austria
    • Status: offline
    Re: convert "diag sniffer" to pcap: new tool 2017/09/15 05:13:28 (permalink)
    0
    Yeah if you define the interface in the sniffer there is no in and out in the output, only with device filter set to any.
    I tested it again and it now works fine, thanks!
    #6
    antoniocfc
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/07/24 13:17:56
    • Status: offline
    Re: convert "diag sniffer" to pcap: new tool 2018/07/27 07:41:00 (permalink)
    0
    The attached tool does not work. So, I made an alternative. It's a simple Pythonic script that works like a charm.
     
    Fortigate Dump converter to Wireshark Hexdump
    https://github.com/afsec/fgt2wireshark

    Requires python >= 2.7

    How to use

    Get some packets from Fortigate

    In this case we're getting 1000 packets

    printf "diagnose sniffer packet wan1 none 6 1000" | ssh USER@server.example.org | tee dump_firewall.txt

    If you are using vdom

    printf "config vdom\nedit root\ndiagnose sniffer packet wan1 none 6 1000" | ssh USER@server.example.org | tee dump_firewall.txt

    Converting packets from Fortigate Dump to Wireshark HexDump

    1. Open Wireshark
    2. Click File
    3. Click Import from Hex Dump...
    4. Click Browse
    5. Choose the file dump_firewall.txt and click Open
    6. Click Import
    #7
    bommi
    Gold Member
    • Total Posts : 159
    • Scores: 16
    • Reward points: 0
    • Joined: 2016/08/03 03:42:49
    • Location: Germany
    • Status: offline
    Re: convert "diag sniffer" to pcap: new tool 2018/07/27 12:41:05 (permalink)
    0
    Since FortiOS 6.0.2 you can use the GUI packet capture on small FortiGates again!
    The smaller FortiGates will save the pcap inside a RAM disk, so no convert tools are needed.
    #8
    DirkDuesentrieb
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/09/14 01:30:14
    • Status: offline
    Re: convert "diag sniffer" to pcap: new tool 2018/08/24 04:22:59 (permalink)
    0
    Some users were confused by the need to have absolute timestamps in the sniffer output. I created a new version 1.4 that can handle both cases. And there is a compiled version for OSX users.
     
    It's good to hear it will be possible to do pcaps directly on diskless models in the future, but it will take a while until our boxes are running FortiOS 6.
     
    #9
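    A self-contained converter for the workflow antoniocfc describes in #7 and the parsing corner cases Dirk mentions in #5 and #9 (the "--" direction column, interface names containing slashes or brackets, relative versus absolute timestamps). This is an added example, not code from fgsniffer or fgt2wireshark; the sniffer output below is constructed, and absolute timestamps are treated as UTC, which is an assumption (the thread notes they can be offset from local time, so shift them in Wireshark if needed).

```python
import calendar
import re
import struct
from datetime import datetime

# Header: timestamp (relative "1.100913" or absolute "YYYY-MM-DD hh:mm:ss.ffffff"),
# interface (any non-space run, so '/' or brackets are fine), then "in"/"out"/"--".
HEADER = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+|\d+\.\d+)\s+'
    r'(?P<iface>\S+)\s+(?P<dir>in|out|--)\s')
# Hex line "0x0010<tab> 003c 1c46 ...<tab>ASCII": at most 8 groups (16 bytes), so the
# trailing ASCII column can never be read as hex on a full-width line.
HEXLINE = re.compile(r'^0x[0-9a-fA-F]{4}[\t ]+((?:[0-9a-fA-F]{2,4}(?:[ \t]|$)){1,8})')

def _split_ts(ts):
    """Return (seconds, microseconds); absolute stamps are taken as UTC (assumption)."""
    if '-' in ts:
        dt = datetime.strptime(ts, '%Y-%m-%d %H:%M:%S.%f')
        return calendar.timegm(dt.timetuple()), dt.microsecond
    sec, frac = ts.split('.')
    return int(sec), int(frac.ljust(6, '0')[:6])

def parse_sniffer(text):
    """Parse verbosity-6 output into [(iface, direction, ts_sec, ts_usec, frame)]."""
    packets, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:  # new packet: remember metadata, frame bytes follow on hex lines
            current = [h['iface'], h['dir'], *_split_ts(h['ts']), bytearray()]
            packets.append(current)
        elif current is not None and (x := HEXLINE.match(line)):
            current[4] += bytes.fromhex(re.sub(r'\s', '', x.group(1)))
    return [(i, d, s, u, bytes(b)) for i, d, s, u, b in packets]

def to_pcap(packets):
    """Serialise frames as a classic libpcap file (Ethernet link type, usec stamps)."""
    out = bytearray(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1))
    for _, _, sec, usec, data in packets:
        out += struct.pack('<IIII', sec, usec, len(data), len(data)) + data
    return bytes(out)

# Constructed sample shaped like "diagnose sniffer packet wan1 none 6 0 a" output
# (absolute timestamps; single interface, so the direction column reads "--").
SAMPLE = """interfaces=[wan1]
2017-09-15 01:44:29.123456 wan1 -- arp who-has 192.168.1.1 tell 192.168.1.10
0x0000\t ffff ffff ffff 0011 2233 4455 0806 0001\t......."3DU....
0x0010\t 0800 0604 0001 0011 2233 4455 c0a8 010a\t......."3DU....
0x0020\t 0000 0000 0000 c0a8 0101\t..........
1 packets received by filter
"""
```

    Writing `to_pcap(parse_sniffer(open('dump_firewall.txt').read()))` to a `.pcap` file gives Wireshark a normal capture to open, with no hex-dump import step.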
    CrazyCatMan
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Status: offline
    Re: convert "diag sniffer" to pcap: new tool 2021/07/20 18:58:04 (permalink)
    0
    oheigl
    Hi Dirk,
    I just tried it with a trace I took yesterday, and it doesn't seem to work. There is only one packet (should be 259) and Wireshark tells me that the FCS is incorrect. No other packets are listed.
     
    I appreciate the work you put into this, but why don't you use the compiled version linked in this KB: http://kb.fortinet.com/kb/documentLink.do?externalID=FD30877
    Did it not work for you?
    Kind regards


    This worked a treat in July 2021 running from CMD on Windows 10. I pasted the output of a level "6" CLI sniffer run & it went into Wireshark pcap format perfectly. Thanks heaps.
    #10