By Manny Fernandez

May 7, 2024

Multiple GUI Packet Captures at the same time

In FortiOS 7.4, Fortinet enhanced the ability to run multiple packet captures from the GUI. This is very useful when you are trying to see packets as they ingress and egress the various interfaces. To do this, navigate to Network and then Diagnostic.

Once there, choose New packet capture.

You can then choose the (1) interfaces, (2) names for the capture file once saved, (3) IP and (4) protocol. Those are the fields I use in my example; however, you can choose more.

For my example, we are using my WiFi SSID, naming the capture Off-to-Quad1s, and filtering on 1.1.1.1 and protocol 1 for ICMP.

Once you have the proper filtering configured and you have started the capture, you can minimize this window.

Then choose New packet capture again and fill in the particulars.

You will see the previous one in a status of Running.

Here we can see that I am choosing the gigapower interface. The idea here is to see the packet coming into the FortiGate un-NAT’d and then see it egress the FortiGate properly NAT’d.

Now we can start the ping. You will remember that we are filtering 1.1.1.1 and only ICMP.

While the captures are active, when you hover over a capture you will see two pop-up options: view and stop.

When you choose view, you can see the packets coming from multiple inside hosts.

However, here you can see fewer packets than in the previous one. This is due to PAT (Port Address Translation).
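Comparing the two downloaded captures offline makes the translation explicit. The following is an added example, not part of the original post: it assumes the files are classic little-endian pcap with Ethernet framing and that each ping payload is unique per host; the addresses and the helper names (`icmp_echoes`, `nat_map`, `frame`, `pcap_file`) are constructed for illustration.

```python
import socket, struct

def icmp_echoes(pcap: bytes, dst: str = "1.1.1.1"):
    """List (src_ip, seq, payload) for each ICMP echo request to dst."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected a classic little-endian pcap file")
    found, off = [], 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 1:
            continue                         # not IPv4 or not protocol 1 (ICMP)
        icmp = pkt[14 + (pkt[14] & 0x0F) * 4:]
        if len(icmp) < 8 or icmp[0] != 8 or socket.inet_ntoa(pkt[30:34]) != dst:
            continue                         # keep echo requests (type 8) to dst only
        seq = struct.unpack("!H", icmp[6:8])[0]
        found.append((socket.inet_ntoa(pkt[26:30]), seq, icmp[8:]))
    return found

def nat_map(ingress: bytes, egress: bytes):
    """Map each inside source IP to the source IP(s) it left the firewall with."""
    outside = {(seq, data): src for src, seq, data in icmp_echoes(egress)}
    mapping = {}
    for src, seq, data in icmp_echoes(ingress):
        # PAT may rewrite the ICMP identifier, so match on sequence + payload
        mapping.setdefault(src, set()).add(outside.get((seq, data), "unmatched"))
    return mapping

def frame(src, dst, ident, seq, data):
    """Constructed Ethernet/IPv4/ICMP echo request (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp

def pcap_file(frames):
    """Wrap frames in a classic pcap container, link type 1 (Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample captures: two inside hosts, one NAT address (all values made up)
INGRESS = pcap_file([frame("10.1.106.21", "1.1.1.1", 7, 1, b"host-a-0001"),
                     frame("10.1.106.34", "1.1.1.1", 9, 1, b"host-b-0001")])
EGRESS = pcap_file([frame("203.0.113.10", "1.1.1.1", 60001, 1, b"host-a-0001"),
                    frame("203.0.113.10", "1.1.1.1", 60002, 1, b"host-b-0001")])

if __name__ == "__main__":
    print(nat_map(INGRESS, EGRESS))
```

An inside host that maps to "unmatched" has traffic arriving on the inside interface that never left the egress interface within the capture window, which is the case worth investigating in policy or routing.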

I stopped the captures, and here you can see that they will expire. Today’s date is 2024/05/07, and as you can see they are kept for 7 days.

Another nice feature, in line with the other FortiGate screens: when you hover over the IPs, it will show you information about that IP.
