This article describes how to do a sniff on offloaded traffic in NP7.
Solution
FGT SITE A — overlay ip 10.166.242.2 (wan interface IP 10.47.0.157)– site to site vpn – (wan interface ip 10.47.1.134) 10.166.242.1 overlay ip – FGT Site B
Step 1: On this scenario the esp packets that is offloaded on NP7 will be captured.
# diagnose npu sniffer filter intf port1
# diagnose npu sniffer filter protocol 50
# diagnose npu sniffer filter dir 2
# diagnose npu sniffer start- Port1 is the interface set where the sniff will listen to. Wherein port1 is where the VPN is configured.
- Protocol 50 is the esp protocol to capture.
- Dir has 3 options (0 – ingress, 1 – egress, 2- both) in case to capture both ingress and egress.
Step 2: Now this is the diag sniff command to run the sniff for np.
# diagnose sniffer packet npudbg ‘ ‘ 6 0 aSample output:
========================================
FG181F-2 # diagnose npu sniffer filter intf port1
FG181F-2 # diagnose npu sniffer filter protocol 50
FG181F-2 # diagnose npu sniffer filter dir 2
FG181F-2 # diagnose npu sniffer start
start sniffer with 1 filter(s)
FG181F-2 # diagnose sniffer packet npudbg ' ' 6 0 a
interfaces=[npudbg]
filters=[ ]
pcap_lookupnet: npudbg: no IPv4 address assigned
2022-09-29 05:51:33.138406 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x2)
0x0000 0049 7269 2b01 04d5 90d5 40d6 0800 4500 [email protected].
0x0010 0098 d802 0000 3f32 8cb1 0a2f 009d 0a2f ......?2.../.../
0x0020 0186 f36f 5f69 0000 0002 7801 6734 cf67 ...o_i....x.g4.g
0x0030 4353 b2aa 8e40 1e91 886c abcf 9b02 05fe [email protected]......
0x0040 5322 78a7 a57f 13a7 8ac1 5451 0757 0a2c S"x.......TQ.W.,
0x0050 3dc6 1a7d 92f6 ff34 eabb ce79 059b 633d =..}...4...y..c=
0x0060 e81a da1a 77c8 b2bb ce2f 7322 c090 4059 ....w..../s"..@Y
0x0070 4715 4d18 794e 1c69 2d2f 2896 d902 50d1 G.M.yN.i-/(...P.
0x0080 115e 5aa8 4ecc cba2 3e0e f698 b913 629e .^Z.N...>.....b.
0x0090 eb63 85d1 3c50 e164 94a8 9522 a468 9864 .c..<p.d...".h.d 0x00a0="" c3dd="" d5f7="" 00d0="" ......="" 2022-09-29="" 05:51:33.139119="" npudbg="" --="" 10.47.1.134="" -=""> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x2)
0x0000 04d5 90d5 40d6 0049 7269 2b01 0800 4500 [email protected]+...E.
0x0010 0098 0100 0000 3f32 63b4 0a2f 0186 0a2f ......?2c../.../
0x0020 009d cb5a c2a8 0000 0002 0c21 ba65 ae7f ...Z.......!.e..
0x0030 c1d4 46e1 9cc5 81bb a128 8372 dd95 ad3b ..F......(.r...;
0x0040 6c17 ffed 27d4 7be2 74c7 eac7 d89f a981 l...'.{.t.......
0x0050 ea63 4646 5561 7e94 4b6c 6e2b e65b 873d .cFFUa~.Kln+.[.=
0x0060 6c7d 0209 b033 1323 3723 dd17 cb14 c603 l}...3.#7#......
0x0070 8054 d9ab 7ce2 6128 d8ff b2ab d063 f681 .T..|.a(.....c..
0x0080 fc5f c150 2066 2d2d 5ab3 cd96 96cd dfc9 ._.P.f--Z.......
0x0090 fe2c 5f18 4245 283f fdd1 489c 68b6 388b .,_.BE(?..H.h.8.
0x00a0 2357 cdad bef6 #W....
2022-09-29 05:51:34.138387 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x3)
0x0000 0049 7269 2b01 06d5 90d5 40d6 0800 4500 [email protected].
0x0010 0098 ac09 0000 ff32 f8a9 0a2f 009d 0a2f .......2.../.../
0x0020 0186 f36f 5f69 0000 0003 7190 fdce e5ed ...o_i....q.....
0x0030 3e6a 3f28 b2ae 2193 67b0 b367 ef5a e1df >j?(..!.g..g.Z..
0x0040 eece 9cf7 42d3 c3c9 9f72 c564 ea9e 4f1b ....B....r.d..O.
0x0050 8cbe 63dc 2447 4321 8ae4 cdb5 0380 b2fe ..c.$GC!........
0x0060 d0e4 f18c 670f 21c2 ad8e 90a5 8055 01b6 ....g.!......U..
0x0070 e937 95b3 77c0 7c4d fa9c 5ded e25e 1cf8 .7..w.|M..]..^..
0x0080 044b 0bdb 7cdb 77cd 6a52 c6c0 a6c6 eb85 .K..|.w.jR......
0x0090 08ac 13b5 82ca 29cc ee5b 51c8 5b12 3dd2 ......)..[Q.[.=.
0x00a0 aa52 299c 8f4b .R)..K
2022-09-29 05:51:34.138532 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x3)
0x0000 04d5 90d5 40d6 0049 7269 2b01 0800 4500 [email protected]+...E.
0x0010 0098 0200 0000 3f32 62b4 0a2f 0186 0a2f ......?2b../.../
0x0020 009d cb5a c2a8 0000 0003 c3fa addb c4fa ...Z............
0x0030 97f4 069b 20bd 1348 a85d 4b95 f4ad d43d .......H.]K....=
0x0040 2fb1 6107 4d7b 043c 02c5 af48 4e94 dffd /.a.M{.<...HN...
0x0050 afdd 229e 9af6 5433 c576 ade2 1c2d 5804 .."...T3.v...-X.
0x0060 77fc d3e4 b024 9fd1 5e51 0a55 ed2e 57e7 w....$..^Q.U..W.
0x0070 793a a311 1414 0459 dfb2 5268 3ecb 5e5f y:.....Y..Rh>.^_
0x0080 3a82 218a 8bcd 89c3 ce48 68c3 f0cb e601 :.!......Hh.....
0x0090 21d4 bac8 723f 78ce ce3e 3cc0 88b7 84cf !...r?x..><.....
0x00a0 bcce 6cc7 7017 ..l.p.
2022-09-29 05:51:35.138400 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x4)
0x0000 0049 7269 2b01 06d5 90d5 40d6 0800 4500 [email protected].
0x0010 0098 ac0a 0000 ff32 f8a8 0a2f 009d 0a2f .......2.../.../
0x0020 0186 f36f 5f69 0000 0004 e592 c2e3 1e56 ...o_i.........V
0x0030 75a3 89d0 d5b9 5908 94d6 cfd4 583f cdf9 u.....Y.....X?..
0x0040 a869 c219 2335 2f50 8d6c b48a 044f c009 .i..#5/P.l...O..
0x0050 407f 6a2c 9569 82fd 57a7 cef4 9b9b 70b9 @.j,.i..W.....p.
0x0060 4a80 f389 2b79 4396 e13b bf8e 2f1a ba0c J...+yC..;../...
0x0070 e6ab 511e 4176 96ea 62ea e9c8 01c0 09db ..Q.Av..b.......
0x0080 fbea 756d eba5 8aa2 cf75 795e 2b63 8935 ..um.....uy^+c.5
0x0090 cc89 cae4 8436 c3ff 5115 6a9d 8ae7 311f .....6..Q.j...1.
0x00a0 d571 98e9 725c .q..r\
2022-09-29 05:51:35.138551 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x4)
0x0000 04d5 90d5 40d6 0049 7269 2b01 0800 4500 [email protected]+...E.
0x0010 0098 0300 0000 3f32 61b4 0a2f 0186 0a2f ......?2a../.../
0x0020 009d cb5a c2a8 0000 0004 62fb 6d11 aa41 ...Z......b.m..A
0x0030 5ac6 a475 2f98 3d01 7d12 7615 fc21 87e2 Z..u/.=.}.v..!..
0x0040 ded4 7ef4 8cfd 7462 faa9 be1e 0331 b862 ..~...tb.....1.b
0x0050 2329 a25c d356 ed88 d7f0 c140 a4d9 3892 #).\[email protected].
0x0060 7391 1735 cb54 3178 ae0f 5e39 2523 fa28 s..5.T1x..^9%#.(
0x0070 5d9d 5652 af87 d2ba f762 228f 6627 d6b7 ].VR.....b".f'..
0x0080 1270 3df7 b4d2 28a9 3771 8787 4d3b c8e9 .p=...(.7q..M;..
0x0090 1037 2570 005d 4e2f 86b0 645f ff87 db35 .7%p.]N/..d_...5
0x00a0 5ad6 c1fb fc10 Z.....
2022-09-29 05:51:36.138414 npudbg -- 10.47.0.157 -> 10.47.1.134: ESP(spi=0xf36f5f69,seq=0x5)
0x0000 0049 7269 2b01 06d5 90d5 40d6 0800 4500 [email protected].
0x0010 0098 ac0b 0000 ff32 f8a7 0a2f 009d 0a2f .......2.../.../
0x0020 0186 f36f 5f69 0000 0005 faa6 c0c3 f43c ...o_i.........<
0x0030 e7cd df8b 3503 8133 5584 8dcf b1b5 89e0 ....5..3U.......
0x0040 855c 5427 8fe5 ee27 c3b8 db2c 3fef 0ad4 .\T'...'...,?...
0x0050 76d1 ce8c 3b98 5c89 6e4e d773 150c 0a41 v...;.\.nN.s...A
0x0060 3c3b 59f4 ac09 c81d d7bb b44d 7ff5 46f5 <;Y........M..F.
0x0070 622a d768 cbbc f5f0 2ea6 437e bc9c 4d65 b*.h......C~..Me
0x0080 6855 ae93 73bc 452a 73f3 cfb8 a17e b5fd hU..s.E*s....~..
0x0090 3d8d a211 360c fa3b 3447 96d6 8a39 52a3 =...6..;4G...9R.
0x00a0 9fe6 9569 9c9e ...i..
2022-09-29 05:51:36.138576 npudbg -- 10.47.1.134 -> 10.47.0.157: ESP(spi=0xcb5ac2a8,seq=0x5)
0x0000 04d5 90d5 40d6 0049 7269 2b01 0800 4500 [email protected]+...E.
0x0010 0098 0400 0000 3f32 60b4 0a2f 0186 0a2f ......?2`../.../
0x0020 009d cb5a c2a8 0000 0005 7c96 96e6 f053 ...Z......|....S
0x0030 a5d2 20e9 1f37 2427 dc1b 6d97 3930 b4aa .....7===================================================
Step 3: Then, it is possible to run now diag vpn tunnel list to see the details to use and decrypt this packet capture.
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
