Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
journeyman
Contributor

diagnostic packet capture incomplete - any tips to improve?

Does anyone know how to improve the completeness of the diagnostic sniffer? Is there some system-type setting that impacts this functionality?

I have noticed the output of the diagnostic sniffer often seems to only include session-establishment-type traffic, or perhaps it deliberately excludes in-session traffic (TCP obviously). I noticed this more often using capture level 4 (header and interface). Level 6 (bytes and interface) seems more often to include in-session traffic, but not in my current scenario.

The diagnose documentation site does not mention anything about this, although I'm sure I've seen disclaimers somewhere.

Currently I am fault-finding an application issue, and packets I know are traversing a firewall are not being logged. I do see ARP, session establishment and teardown, but not session traffic, and in this case I need to see that.

I am using commands of the form:

diagnose sniffer packet internal1 'host a.b.c.d' 6 0 a
The hardware is a 60C, the unit is very lightly loaded (CPU usage is not an issue), and the traffic I'm trying to log is of the order of less than a packet per second.

2 Solutions
Toshi_Esumi
SuperUser
SuperUser

Are you sure you disabled asic offloading at the policy?

 set auto-asic-offload disable


emnoc
Esteemed Contributor III

A FGT60C has no ASIC outside of a SoC (System on Chip), so I don't think you can disable that, but give the commands a try.

I would first run a diag debug flow and look at the flow statistics.

 

PCNSE NSE StrongSwan
6 Replies
journeyman

Thank you! Like emnoc, I wasn't expecting this to work, but it did.

set auto-asic-offload disable in the policy results in full traffic logging in the sniffer (effective immediately when the policy is changed). This setting defaults to enable and is not visible without show full.

Very, very useful to know.

Question: should I leave the policy running auto-asic-offload disable, or only change that when logging is required?

FWIW, the trace only shows the same packets as the sniffer when the policy has the default setting of auto-asic-offload enable.

Toshi_Esumi

I would never leave it disabled due to performance concerns, unless it's just hiding packets from sniffing.

emnoc
Esteemed Contributor III

What are you wanting? Pkt capture or flow-info? I never use pkt-capture when inspecting fwpolicy and flow statistics.

PCNSE NSE StrongSwan
ede_pfau

As mentioned and as set by default, 'auto-asic-offload' should normally be enabled. Otherwise, even a couple of Mbps can place a heavy load on the CPU in a desktop FGT. (Just look at other vendors' equipment not featuring ASICs...)

If you need to debug, turn offloading off and look into the traffic. Don't forget to enable offloading again, and maybe stop logging traffic for that policy. YMMV.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
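The complete disable-capture-re-enable sequence the thread converges on, written out as an added example (it is not from any of the posters above and is not Fortinet documentation). It assumes FortiOS 5.x CLI syntax as on a 60C; policy ID 5, interface internal1 and host 192.0.2.10 are placeholders to substitute, and the # lines are reader comments, not commands to type.

```fortios
# Added example, not from the thread. Policy 5, internal1 and 192.0.2.10 are
# placeholders; the # lines are explanatory comments for the reader.

# 1. Confirm the policy is currently offloading. auto-asic-offload defaults to
#    enable and is hidden from a plain "show"; "show full-configuration" lists it.
config firewall policy
    edit 5
        show full-configuration | grep auto-asic-offload
    next
end

# 2. Disable offloading on that one policy only (not globally). The change
#    applies as soon as the policy is saved; no reboot is needed.
config firewall policy
    edit 5
        set auto-asic-offload disable
    next
end

# 3. Capture. Verbosity 6 = headers + payload + interface name, count 0 = run
#    until Ctrl-C, "a" = absolute UTC timestamps. Adding "and tcp" to the BPF
#    filter drops ARP/ICMP so only the in-session traffic that was previously
#    missing is shown.
diagnose sniffer packet internal1 'host 192.0.2.10 and tcp' 6 0 a

# 4. Optional: follow the same flow through policy lookup and NAT with the
#    debug flow trace instead of, or as well as, the raw packets.
diagnose debug flow filter addr 192.0.2.10
diagnose debug enable
diagnose debug flow trace start 100
# ... reproduce the problem, then stop and clear the debug state ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear

# 5. Put the policy back. Leaving offload disabled keeps every packet of every
#    session matched by the policy on the CPU, which is the throughput cost
#    the replies warn about on a desktop unit.
config firewall policy
    edit 5
        set auto-asic-offload enable
    next
end
```

Steps 2 and 5 are the ones to pair: disable on one policy, for one troubleshooting session, and re-enable before walking away. Running the grep from step 1 again afterwards is a cheap check that nothing was left disabled.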