Fortinet FortiMail-100 Install Manual page 166

Secure messaging platform
Troubleshooting tools
FortiMail units have a built-in sniffer. Packet capture on FortiMail units is similar to that of
FortiGate units. To use the built-in sniffer, connect to the CLI and enter the following
command:
diagnose sniffer interfaces <interface_str> '<filter_str>' verbose <verboselevel_int>
where:
<interface_str> is the name of a network interface, such as port1
'<filter_str>' is the sniffer filter that specifies which protocols and port numbers you do or do not want to capture, such as 'tcp port 25'
<verboselevel_int> is an integer indicating the depth of packet headers and payloads to display: 1 for header only, 2 for IP header and payload, or 3 for Ethernet header and payload
This command prints packet capture output to your CLI display until you stop it by
pressing Ctrl + C.
Note: Packet capture can be very resource intensive. To minimize the performance impact
on your FortiMail unit, use packet capture only during periods of minimal traffic, with a serial
console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the
command when you are finished.
For example, you might selectively capture packets for FortiGuard Antispam queries
occurring through port1 (commands that you would type are highlighted in bold;
responses from the FortiMail unit are not bolded):
FortiMail-400 # diag sniffer int port1 'udp port 8889' verbose 3
2.685841 172.16.1.10.47319 -> 212.95.252.120.8889: udp 64
0x0000   0009 0f84 27fe 0009 0f15 02e8 0800 4500   ....'.........E.
0x0010   005c 0000 4000 4011 44ff ac14 78a5 d45f   .\..@.@.D...x.._
0x0020   fc78 b8d7 22b9 0048 9232 6968 726a b3c5   .x.."..H.2ihrj..
0x0030   776c 2d2f 5a5f 545e 4555 5b5f 425b 545f   wl-/Z_T^EU[_B[T_
0x0040   4559 6b6a 776b 646e 776c 6b6a 772b 646e   EYkjwkdnwlkjw+dn
0x0050   776c 6b6a 776b 646e 776c 6b6a 776b 86a9   wlkjwkdnwlkjwk..
0x0060   db73 21e1 5622 c618 7d6c                  .s!.V"..}l
Instead of reading packet capture output directly in your CLI display, you usually should save the output to a plain text file using your CLI client. Saving the output has several advantages: packets can arrive more rapidly than you are able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than US-ASCII. It is usually preferable to analyze the output by loading it into a network protocol analyzer application such as Wireshark (http://www.wireshark.org/).
For example, you could use Microsoft HyperTerminal or PuTTY to save the sniffer output.
Methods may vary. See the documentation for your CLI client.
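Once the sniffer output is saved as text, Wireshark still needs it in a capture file format. The following Python script is an added example (not part of this guide and not a Fortinet tool) that parses the verbose 3 hex-dump layout shown above into raw Ethernet frames and writes a classic pcap file; it assumes the line layout shown on this page (a summary line followed by 0xNNNN hex lines with a trailing ASCII column) and uses the FortiGuard Antispam packet above as constructed sample input.

```python
import re
import struct

# Constructed sample in the layout of `diag sniffer ... verbose 3` output
# (Ethernet header + payload), copied from the FortiGuard Antispam example above.
SAMPLE_OUTPUT = """\
2.685841 172.16.1.10.47319 -> 212.95.252.120.8889: udp 64
0x0000   0009 0f84 27fe 0009 0f15 02e8 0800 4500   ....'.........E.
0x0010   005c 0000 4000 4011 44ff ac14 78a5 d45f   .\\..@.@.D...x.._
0x0020   fc78 b8d7 22b9 0048 9232 6968 726a b3c5   .x.."..H.2ihrj..
0x0030   776c 2d2f 5a5f 545e 4555 5b5f 425b 545f   wl-/Z_T^EU[_B[T_
0x0040   4559 6b6a 776b 646e 776c 6b6a 772b 646e   EYkjwkdnwlkjw+dn
0x0050   776c 6b6a 776b 646e 776c 6b6a 776b 86a9   wlkjwkdnwlkjwk..
0x0060   db73 21e1 5622 c618 7d6c                  .s!.V"..}l
"""
PACKET_LINE = re.compile(r"^(\d+\.\d+)\s+\S+\s+->\s+\S+:\s+\w+\s+\d+$")
HEX_LINE = re.compile(r"^0x[0-9a-f]{4}\s+(.*)$")
HEX_GROUP = re.compile(r"[0-9a-f]{4}")

def parse_sniffer_output(text):
    """Return [(timestamp_seconds, frame_bytes), ...]; prompt and other lines are skipped."""
    packets = []
    for line in map(str.strip, text.splitlines()):
        m = PACKET_LINE.match(line)
        if m:                                     # summary line starts a new packet
            packets.append([float(m.group(1)), bytearray()])
            continue
        m = HEX_LINE.match(line)
        if m and packets:
            for tok in m.group(1).split()[:8]:    # at most 8 two-byte groups per line
                if not HEX_GROUP.fullmatch(tok):  # first non-hex token is the ASCII column
                    break
                packets[-1][1] += bytes.fromhex(tok)
    return [(ts, bytes(frame)) for ts, frame in packets]

def ip_total_length_matches(frame):
    """IPv4 sanity check: header 'total length' must equal the bytes after the 14-byte Ethernet header."""
    return (len(frame) >= 34 and frame[12:14] == b"\x08\x00"
            and struct.unpack("!H", frame[16:18])[0] == len(frame) - 14)

def to_pcap(packets, linktype=1):
    """Serialize packets as a classic pcap file (magic 0xa1b2c3d4, Ethernet link type)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in packets:
        sec = int(ts)                             # sniffer times are relative to capture start,
        usec = int(round((ts - sec) * 1_000_000)) # so Wireshark shows them as offsets from 1970-01-01
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out
```

To convert a saved capture, read your fortimail_sniff.txt instead of SAMPLE_OUTPUT and write the bytes returned by to_pcap() to a .pcap file, which Wireshark opens directly. The ip_total_length_matches() check flags frames whose hex dump was truncated while saving.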
To view sniffer output using HyperTerminal and Wireshark
1 Type the sniffer CLI command, such as:
diag sniffer int port1 'tcp port 143' verbose 3
2 After you type the sniffer command but before you press Enter, go to Transfer >
Capture Text....
3 Select the name and location of the output file, such as C:\Documents and Settings\username\fortimail_sniff.txt.
4 Press Enter to send the CLI command to the FortiMail unit, beginning packet capture.
FortiMail™ Secure Messaging Platform Version 4.0 Patch 1 Install Guide
Testing the installation
Revision 2
http://docs.fortinet.com/