A PCAP (Packet Capture) is a recording of raw network traffic. It lets you see exactly what packets are flowing, including headers, payloads, and timing.
Tools
| Tool | Where |
|---|---|
| tcpdump | Linux CLI, F5 bash, FortiGate sniffer |
| Wireshark | GUI viewer for .pcap files, open via WinSCP |
| FortiGate sniffer | diagnose sniffer packet |
| Netskope client debug | Via advanced debugging in the client |
FortiGate syntax
Live view (interface `any`, filter `host <ip>`, verbosity 4, unlimited packet count, local timestamps):

```
diagnose sniffer packet any "host <ip>" 4 0 l
```

Save to file (view in Wireshark):

```
diagnose sniffer packet any "host <ip>" 4 0 l > /var/tmp/capture.pcap
```

Note that the sniffer prints text to the console, so the redirect is done from the SSH client session, and the result is not a pcap file yet: to load it in Wireshark, capture with a verbosity level that includes the hex payload (3 or 6) and convert the text with Fortinet's fgt2eth.pl script. Stop the sniffer with Ctrl-C; with count 0 it runs until interrupted.
F5 syntax
```
tcpdump -nni 0.0:nnnp -s0 -w /var/tmp/ticketnumber.pcap host x.x.x.x
```

`0.0` captures on all VLANs, the `:nnn` modifier adds the F5 noise headers with flow details (`p` includes the peer side of each flow), and `-s0` keeps full packets instead of the default snap length, so payloads are not cut off. Retrieve the file via WinSCP with the shell set to bash.
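The first line of this page says a PCAP records headers, payloads and timing; the example below, added here and not part of the original notes, shows what that means at the byte level. It builds a classic libpcap file (the format `tcpdump -w` produces) in memory from constructed sample frames, parses it back, counts IPv4 conversations, and flags frames that were cut short by the snap length, which is the reason for `-s0` in the F5 command above. All addresses and frames are constructed sample data; `build_pcap`, `parse_pcap` and `summarize` are names chosen for this example.

```python
import socket
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def make_ipv4_frame(src_ip, dst_ip, proto, payload=b""):
    """Build an Ethernet II frame carrying a minimal IPv4 header (constructed sample data)."""
    eth = bytes.fromhex("0011223344550066778899aa") + b"\x08\x00"  # dst MAC, src MAC, type IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def build_pcap(packets, snaplen=65535):
    """Write a little-endian classic pcap (24-byte global header + 16-byte record headers).

    Frames longer than snaplen are stored truncated, exactly as tcpdump does without -s0.
    """
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, data in packets:
        stored = data[:snaplen]
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(stored), len(data)))
        out.append(stored)
    return b"".join(out)


def parse_pcap(blob):
    """Yield (ts_sec, ts_usec, incl_len, orig_len, bytes) records; reject malformed input."""
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # written on a little-endian host
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (magic %s)" % blob[:4].hex())
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError("bad record length %d at offset %d" % (incl_len, off))
        yield ts_sec, ts_usec, incl_len, orig_len, blob[off:off + incl_len]
        off += incl_len


def summarize(blob):
    """Count (src, dst, proto) conversations and how many frames the snap length cut short."""
    convs = Counter()
    truncated = 0
    for _, _, incl_len, orig_len, pkt in parse_pcap(blob):
        if incl_len < orig_len:
            truncated += 1
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet II, or too short to hold an IPv4 header
        ihl = (pkt[14] & 0x0F) * 4
        if ihl < 20 or len(pkt) < 14 + ihl:
            continue
        proto = pkt[14 + 9]
        src = socket.inet_ntoa(pkt[14 + 12:14 + 16])
        dst = socket.inet_ntoa(pkt[14 + 16:14 + 20])
        convs[(src, dst, PROTO_NAMES.get(proto, str(proto)))] += 1
    return convs, truncated


# Constructed sample traffic: three TCP frames in one conversation and one UDP frame.
SAMPLE_PACKETS = [
    (1700000000, 0, make_ipv4_frame("10.0.0.5", "192.0.2.10", 6, b"\x00" * 20)),
    (1700000000, 1500, make_ipv4_frame("192.0.2.10", "10.0.0.5", 6, b"\x00" * 20)),
    (1700000001, 0, make_ipv4_frame("10.0.0.5", "192.0.2.10", 6, b"\x00" * 20)),
    (1700000002, 0, make_ipv4_frame("10.0.0.5", "192.0.2.53", 17, b"\x00" * 8)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)            # full frames, as with -s0
SAMPLE_PCAP_SNAP40 = build_pcap(SAMPLE_PACKETS, 40)  # every frame cut at 40 bytes

if __name__ == "__main__":
    for label, blob in (("full", SAMPLE_PCAP), ("snaplen 40", SAMPLE_PCAP_SNAP40)):
        convs, truncated = summarize(blob)
        print(label, dict(convs), "truncated frames:", truncated)
```

The truncated capture still yields the same conversation counts, because the IPv4 header fits inside the first 40 bytes, but every payload is gone; that is the situation a capture taken without `-s0` leaves you in when you later need to inspect application data.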