Skip to content

sanderzegers/fortigate-extcap

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.github/workflows
.github/workflows
 
 
docs
docs
 
 
images
images
 
 
.gitignore
.gitignore
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
fortidump.go
fortidump.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

Wireshark Extcap extension for Fortigate

License

Description

With this Wireshark Extcap plugin, you can capture traffic from FortiGate firewalls directly in Wireshark — no extra tools or manual exports needed.

Wireshark Screenshot

Features

  • Capture & Stream packets directly from the Fortigate into Wireshark
  • SSH password or SSH key authentication
  • Run multiple live capture sessions simultaneously
  • Fortigate VDOM Support
  • Easy installation

Installation

  1. Download the Latest Version
  • Visit the Releases page and download the version that matches your platform.
  1. Locate the Personal Extcap Folder
  • Open Wireshark.
  • Navigate to Help → About Wireshark → Folders → Personal Extcap Path.
  • Click the Location to open the Extcap folder.
  1. Copy the binary to the Extcap folder
  • From the downloaded release, copy the fortigate-extcap.exe (or the appropriate file for your platform) into the "Personal Extcap Path" directory.
  1. Restart Wireshark
  • Restart Wireshark to load the custom Extcap extension.

Quick Start

Once the plugin is installed, it will appear in Wireshark under the capture options as Fortigate Remote Capture (SSH): fortidump. Click the gear icon to configure the following parameters:

Server Tab

  • Fortigate Address: IP or hostname of the target Firewall.
  • Fortigate SSH Port: The SSH port used to connect.
  • Capture Filter: Capture filter in tcpdump format. Adjust this to match the traffic you're interested in.
  • Interface: The Fortigate interface where the capture will run.
  • Packet count: The maximum number of packets to capture.

Authentication Tab:

  • Username: SSH Username (eg admin). This user must have permissions to capture on the Fortigate
  • Password: The user's password or optionally the password for the SSH private key

Once everything is configured, start the Extcap by double-clicking it.

Building from Source

To build the binary on your local machine, make sure Go and Git are installed. You can find the plugin folder location in the installation instructions.

Prerequisites: go and git

apt install git golang-go
git clone https://github.com/sanderzegers/fortigate-extcap.git
cd fortigate-extcap
go build fortidump.go
mkdir -p $HOME/.local/lib/wireshark/extcap
cp fortidump $HOME/.local/lib/wireshark/extcap/fortigate-extcap

Known limitations

  • Capture speed is limited to about 10 packets per second, so the tcpdump filter must be set accordingly to limit forwarded packages.
  • This Extcap plugin is still under development. Currently it's in an early beta stage.

License

This project is licensed under the GNU General Public License v2.0.

About

Wireshark extcap interface for the Fortinet Fortigate

Topics

pcap wireshark fortigate extcap

Resources

Readme

License

GPL-2.0 license
Activity

Stars

3 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 2

v0.0.2-alpha Latest
Nov 24, 2024
+ 1 release

Packages

No packages published

Languages