This article describes how to sniff traffic that is offloaded to NP7.
Solution
FGT Site A (overlay IP 10.166.242.2, WAN interface IP 10.47.0.157) -- site-to-site VPN -- FGT Site B (overlay IP 10.166.242.1, WAN interface IP 10.47.1.134)
Step 1: In this scenario, the ESP packets that are offloaded to NP7 will be captured.
# diagnose npu sniffer filter intf port1
# diagnose npu sniffer filter protocol 50
# diagnose npu sniffer filter dir 2
# diagnose npu sniffer start
- port1 is the interface the sniffer listens on. It is the interface where the VPN is configured.
- Protocol 50 is ESP, the protocol to capture.
- dir has 3 options (0 = ingress, 1 = egress, 2 = both). Here 2 is set to capture both ingress and egress.
Step 2: Run the following diagnose sniffer command to sniff the NP traffic.
# diagnose sniffer packet npudbg ' ' 6 0 a
Sample output:
========================================
FG181F-2 # diagnose npu sniffer filter intf port1
FG181F-2 # diagnose npu sniffer filter protocol 50
FG181F-2 # diagnose npu sniffer filter dir 2
FG181F-2 # diagnose npu sniffer start
start sniffer with 1 filter(s)
FG181F-2 # diagnose sniffer packet npudbg ' ' 6 0 a
interfaces=[npudbg]
filters=[ ]
pcap_lookupnet: npudbg: no IPv4 address assigned
2022-09-29 05:51:33.138406 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x2)
0x0000 0049 7269 2b01 04d5 90d5 40d6 0800 4500 .Iri+.....@...E.
0x0010 0098 d802 0000 3f32 8cb1 0a2f 009d 0a2f ......?2.../.../
0x0020 0186 f36f 5f69 0000 0002 7801 6734 cf67 ...o_i....x.g4.g
0x0030 4353 b2aa 8e40 1e91 886c abcf 9b02 05fe CS...@...l......
0x0040 5322 78a7 a57f 13a7 8ac1 5451 0757 0a2c S"x.......TQ.W.,
0x0050 3dc6 1a7d 92f6 ff34 eabb ce79 059b 633d =..}...4...y..c=
0x0060 e81a da1a 77c8 b2bb ce2f 7322 c090 4059 ....w..../s"..@Y
0x0070 4715 4d18 794e 1c69 2d2f 2896 d902 50d1 G.M.yN.i-/(...P.
0x0080 115e 5aa8 4ecc cba2 3e0e f698 b913 629e .^Z.N...>.....b.
0x0090 eb63 85d1 3c50 e164 94a8 9522 a468 9864 .c..<P.d...".h.d
0x00a0 c3dd d5f7 00d0 ......
2022-09-29 05:51:33.139119 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x2)
0x0000 04d5 90d5 40d6 0049 7269 2b01 0800 4500 ....@..Iri+...E.
0x0010 0098 0100 0000 3f32 63b4 0a2f 0186 0a2f ......?2c../.../
0x0020 009d cb5a c2a8 0000 0002 0c21 ba65 ae7f ...Z.......!.e..
0x0030 c1d4 46e1 9cc5 81bb a128 8372 dd95 ad3b ..F......(.r...;
0x0040 6c17 ffed 27d4 7be2 74c7 eac7 d89f a981 l...'.{.t.......
0x0050 ea63 4646 5561 7e94 4b6c 6e2b e65b 873d .cFFUa~.Kln+.[.=
0x0060 6c7d 0209 b033 1323 3723 dd17 cb14 c603 l}...3.#7#......
0x0070 8054 d9ab 7ce2 6128 d8ff b2ab d063 f681 .T..|.a(.....c..
0x0080 fc5f c150 2066 2d2d 5ab3 cd96 96cd dfc9 ._.P.f--Z.......
0x0090 fe2c 5f18 4245 283f fdd1 489c 68b6 388b .,_.BE(?..H.h.8.
0x00a0 2357 cdad bef6 #W....
2022-09-29 05:51:34.138387 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x3)
0x0000 0049 7269 2b01 06d5 90d5 40d6 0800 4500 .Iri+.....@...E.
0x0010 0098 ac09 0000 ff32 f8a9 0a2f 009d 0a2f .......2.../.../
0x0020 0186 f36f 5f69 0000 0003 7190 fdce e5ed ...o_i....q.....
0x0030 3e6a 3f28 b2ae 2193 67b0 b367 ef5a e1df >j?(..!.g..g.Z..
0x0040 eece 9cf7 42d3 c3c9 9f72 c564 ea9e 4f1b ....B....r.d..O.
0x0050 8cbe 63dc 2447 4321 8ae4 cdb5 0380 b2fe ..c.$GC!........
0x0060 d0e4 f18c 670f 21c2 ad8e 90a5 8055 01b6 ....g.!......U..
0x0070 e937 95b3 77c0 7c4d fa9c 5ded e25e 1cf8 .7..w.|M..]..^..
0x0080 044b 0bdb 7cdb 77cd 6a52 c6c0 a6c6 eb85 .K..|.w.jR......
0x0090 08ac 13b5 82ca 29cc ee5b 51c8 5b12 3dd2 ......)..[Q.[.=.
0x00a0 aa52 299c 8f4b .R)..K
2022-09-29 05:51:34.138532 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x3)
0x0000 04d5 90d5 40d6 0049 7269 2b01 0800 4500 ....@..Iri+...E.
0x0010 0098 0200 0000 3f32 62b4 0a2f 0186 0a2f ......?2b../.../
0x0020 009d cb5a c2a8 0000 0003 c3fa addb c4fa ...Z............
0x0030 97f4 069b 20bd 1348 a85d 4b95 f4ad d43d .......H.]K....=
0x0040 2fb1 6107 4d7b 043c 02c5 af48 4e94 dffd /.a.M{.<...HN...
0x0050 afdd 229e 9af6 5433 c576 ade2 1c2d 5804 .."...T3.v...-X.
0x0060 77fc d3e4 b024 9fd1 5e51 0a55 ed2e 57e7 w....$..^Q.U..W.
0x0070 793a a311 1414 0459 dfb2 5268 3ecb 5e5f y:.....Y..Rh>.^_
0x0080 3a82 218a 8bcd 89c3 ce48 68c3 f0cb e601 :.!......Hh.....
0x0090 21d4 bac8 723f 78ce ce3e 3cc0 88b7 84cf !...r?x..><.....
0x00a0 bcce 6cc7 7017 ..l.p.
2022-09-29 05:51:35.138400 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x4)
0x0000 0049 7269 2b01 06d5 90d5 40d6 0800 4500 .Iri+.....@...E.
0x0010 0098 ac0a 0000 ff32 f8a8 0a2f 009d 0a2f .......2.../.../
0x0020 0186 f36f 5f69 0000 0004 e592 c2e3 1e56 ...o_i.........V
0x0030 75a3 89d0 d5b9 5908 94d6 cfd4 583f cdf9 u.....Y.....X?..
0x0040 a869 c219 2335 2f50 8d6c b48a 044f c009 .i..#5/P.l...O..
0x0050 407f 6a2c 9569 82fd 57a7 cef4 9b9b 70b9 @.j,.i..W.....p.
0x0060 4a80 f389 2b79 4396 e13b bf8e 2f1a ba0c J...+yC..;../...
0x0070 e6ab 511e 4176 96ea 62ea e9c8 01c0 09db ..Q.Av..b.......
0x0080 fbea 756d eba5 8aa2 cf75 795e 2b63 8935 ..um.....uy^+c.5
0x0090 cc89 cae4 8436 c3ff 5115 6a9d 8ae7 311f .....6..Q.j...1.
0x00a0 d571 98e9 725c .q..r\
2022-09-29 05:51:35.138551 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x4)
0x0000 04d5 90d5 40d6 0049 7269 2b01 0800 4500 ....@..Iri+...E.
0x0010 0098 0300 0000 3f32 61b4 0a2f 0186 0a2f ......?2a../.../
0x0020 009d cb5a c2a8 0000 0004 62fb 6d11 aa41 ...Z......b.m..A
0x0030 5ac6 a475 2f98 3d01 7d12 7615 fc21 87e2 Z..u/.=.}.v..!..
0x0040 ded4 7ef4 8cfd 7462 faa9 be1e 0331 b862 ..~...tb.....1.b
0x0050 2329 a25c d356 ed88 d7f0 c140 a4d9 3892 #).\.V.....@..8.
0x0060 7391 1735 cb54 3178 ae0f 5e39 2523 fa28 s..5.T1x..^9%#.(
0x0070 5d9d 5652 af87 d2ba f762 228f 6627 d6b7 ].VR.....b".f'..
0x0080 1270 3df7 b4d2 28a9 3771 8787 4d3b c8e9 .p=...(.7q..M;..
0x0090 1037 2570 005d 4e2f 86b0 645f ff87 db35 .7%p.]N/..d_...5
0x00a0 5ad6 c1fb fc10 Z.....
2022-09-29 05:51:36.138414 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x5)
0x0000 0049 7269 2b01 06d5 90d5 40d6 0800 4500 .Iri+.....@...E.
0x0010 0098 ac0b 0000 ff32 f8a7 0a2f 009d 0a2f .......2.../.../
0x0020 0186 f36f 5f69 0000 0005 faa6 c0c3 f43c ...o_i.........<
0x0030 e7cd df8b 3503 8133 5584 8dcf b1b5 89e0 ....5..3U.......
0x0040 855c 5427 8fe5 ee27 c3b8 db2c 3fef 0ad4 .\T'...'...,?...
0x0050 76d1 ce8c 3b98 5c89 6e4e d773 150c 0a41 v...;.\.nN.s...A
0x0060 3c3b 59f4 ac09 c81d d7bb b44d 7ff5 46f5 <;Y........M..F.
0x0070 622a d768 cbbc f5f0 2ea6 437e bc9c 4d65 b*.h......C~..Me
0x0080 6855 ae93 73bc 452a 73f3 cfb8 a17e b5fd hU..s.E*s....~..
0x0090 3d8d a211 360c fa3b 3447 96d6 8a39 52a3 =...6..;4G...9R.
0x00a0 9fe6 9569 9c9e ...i..
2022-09-29 05:51:36.138576 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x5)
0x0000 04d5 90d5 40d6 0049 7269 2b01 0800 4500 ....@..Iri+...E.
0x0010 0098 0400 0000 3f32 60b4 0a2f 0186 0a2f ......?2`../.../
0x0020 009d cb5a c2a8 0000 0005 7c96 96e6 f053 ...Z......|....S
0x0030 a5d2 20e9 1f37 2427 dc1b 6d97 3930 b4aa .....7
===================================================
Step 3: Run diagnose vpn tunnel list to see the details needed to decrypt this packet capture.
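An added example, not part of the original article or any Fortinet tooling: Python that rebuilds frames from the verbose-6 sniffer text, decodes the Ethernet/IPv4/ESP headers, and keeps only packets whose decoded SPI and sequence number agree with the sniffer's summary line, yielding the SPI values to look up in the tunnel list in Step 3. It assumes untagged Ethernet frames and hex rows laid out as in the sample output; the function names are hypothetical.

```python
import ipaddress
import re
import struct

# Header rows of two packets copied from the sample output (payload rows omitted).
SAMPLE = """\
2022-09-29 05:51:33.138406 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x2)
0x0000 0049 7269 2b01 04d5 90d5 40d6 0800 4500 .Iri+.....@...E.
0x0010 0098 d802 0000 3f32 8cb1 0a2f 009d 0a2f ......?2.../.../
0x0020 0186 f36f 5f69 0000 0002 7801 6734 cf67 ...o_i....x.g4.g
2022-09-29 05:51:33.139119 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x2)
0x0000 04d5 90d5 40d6 0049 7269 2b01 0800 4500 ....@..Iri+...E.
0x0010 0098 0100 0000 3f32 63b4 0a2f 0186 0a2f ......?2c../.../
0x0020 009d cb5a c2a8 0000 0002 0c21 ba65 ae7f ...Z.......!.e..
"""

HEADER = re.compile(r"^\d{4}-\d\d-\d\d \S+ \S+ -- .*ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
HEXROW = re.compile(r"^0x[0-9a-f]{4}((?: [0-9a-f]{4}){1,8})(?= |$)")

def parse_frames(text):
    """Return [claimed_spi, claimed_seq, frame_bytes] for each packet in the sniffer text."""
    frames = []
    for line in text.splitlines():
        h, r = HEADER.match(line), HEXROW.match(line)
        if h:
            frames.append([int(h.group(1), 16), int(h.group(2), 16), bytearray()])
        elif r and frames:
            frames[-1][2] += bytes.fromhex(r.group(1).replace(" ", ""))
    return frames

def decode_esp(frame):
    """Decode untagged Ethernet + IPv4 + ESP headers; None if not IPv4 protocol 50."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 50:
        return None
    esp = 14 + (frame[14] & 0x0F) * 4          # ESP starts after the IPv4 header (IHL)
    if len(frame) < esp + 8:
        return None
    spi, seq = struct.unpack("!II", frame[esp:esp + 8])
    src, dst = (str(ipaddress.IPv4Address(bytes(frame[o:o + 4]))) for o in (26, 30))
    return {"src": src, "dst": dst, "spi": spi, "seq": seq}

def summarize(text):
    """Keep packets whose decoded SPI/seq agree with the sniffer's summary line."""
    decoded = ((spi, seq, decode_esp(f)) for spi, seq, f in parse_frames(text))
    return [p for spi, seq, p in decoded if p and (p["spi"], p["seq"]) == (spi, seq)]

if __name__ == "__main__":
    for p in summarize(SAMPLE):
        print(f'{p["src"]} -> {p["dst"]} spi={p["spi"]:08x} seq={p["seq"]}')
```

A packet dropped by summarize() indicates a damaged or truncated hex row in the saved capture text, which is worth checking before attempting decryption.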