Skip to content

sanderzegers/fortigate-extcap

BranchesTags

Repository files navigation

Wireshark Extcap extension for FortiGate

License

Description

With this Wireshark Extcap plugin, you can capture traffic from FortiGate firewalls directly in Wireshark — no extra tools or manual exports needed.

Wireshark Screenshot

Features

  • Capture & stream packets directly from the FortiGate into Wireshark in PCAPng format
  • Per-packet interface name and traffic direction (inbound/outbound) visible in Wireshark
  • Automatic SSH session exclusion from capture
  • SSH agent and password authentication
  • Run multiple live capture sessions simultaneously
  • Automatic multi-VDOM detection and support
  • Configurable packet count limit
  • Easy installation

Installation

  1. Download the binary for your platform from the Releases page.
  2. Copy it to your Wireshark extcap folder: open Wireshark, go to Help → About Wireshark → Folders → Personal Extcap Path, and click the location to open it.
  3. Linux/macOS only: make the binary executable: chmod a+x fortigate-extcap
  4. Restart Wireshark. The plugin appears as FortiGate Remote Capture in the capture interface list.

For more detail, see the Help Documentation.

Usage

Once installed, the plugin appears in Wireshark's capture options as FortiGate Remote Capture (SSH). The interface is listed as fortidump — this is the plugin's internal identifier. Click the gear icon to enter the FortiGate address, credentials, and capture settings, then double-click the interface to start capturing.

For detailed configuration, authentication setup, and troubleshooting, see the Help Documentation.

Building from Source

To build the binary on your local machine, make sure Go and Git are installed. You can find the plugin folder location in the installation instructions.

Prerequisites: go and git (example for Debian-based systems):

apt install git golang-go
git clone https://github.com/sanderzegers/fortigate-extcap.git
cd fortigate-extcap
make build
mkdir -p $HOME/.local/lib/wireshark/extcap
cp fortigate-extcap $HOME/.local/lib/wireshark/extcap/fortigate-extcap

Known limitations

  • Capture speed is limited by the FortiGate's text-based hexdump output over SSH. See Help Documentation for details.

License

This project is licensed under the GNU General Public License v2.0.

About

Capture live network traffic from FortiGate directly in Wireshark

Topics

pcap wireshark fortigate packet-capture extcap

Resources

Readme

License

GPL-2.0 license
Activity

Stars

4 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases 6

v0.6.0 Latest
Apr 20, 2026
+ 5 releases

Packages

 
 
 

Contributors

Languages