Some tips to use Wireshark
Here we will see some filter tips and explanation how it be used in Wireshark.
TROUBLESHOOTING
2/17/2024


Wireshark is an important tool to add to, or complement, your troubleshooting. Fortinet offers packet capture directly in the FortiGate GUI; where it sits in the menu can change depending on the firmware version.
On the 5.6 firmware branch, the unit needs a disk and logging to disk has to be enabled. Since firmware version 6.0.2, this restriction has been removed.
You can go to the menu "Analyze" and then "Display Filter Expression...": a new panel shows up listing all the filters that can be used. Some good examples are:
There you will see the kinds of fields you can apply in your filters, like:
arp
icmp
udp
tcp
Filters for an IP address (source or destination), source IP and destination IP:
ip.addr == 8.8.8.8
ip.src == 172.16.99.102
ip.dst == 1.1.1.1
You can combine more than one condition in your filter with the logical and comparison operators:
&& or and - Logical AND
|| - Logical OR
! or not - Logical NOT
== or eq - Equal
!= or ne - Not Equal
> or gt - Greater Than
< or lt - Less Than
>= or ge - Greater Than or Equal
<= or le - Less Than or Equal
So, we could combine:
icmp && ip.dst != 1.1.1.1
One of the most used filters is to find packets related to a specific URL, so the filters I customarily use are:
tcp contains "google"
ip contains "google"
Filters for protocol and port:
tcp.port == 443
udp.port == 53
Filters to search for timeouts and resets:
tcp.flags eq 0x02 = timeout (only the SYN flag set)
tcp.flags.reset == 1 = reset
For layer 2 troubleshooting, we can use filters like:
eth.addr == XX:XX:00:00:XX:00
eth.src == XX:XX:00:00:XX:00
eth.dst == XX:XX:00:00:XX:00
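To make the semantics of the filters above concrete, here is an added example (not from the post and not Wireshark's own code): a small Python evaluator for the filter syntax shown on this page, run over constructed frames. It shows how ip.addr, tcp.port and eth.addr match either direction, how "!=" behaves on a frame without the field, and how "tcp.flags eq 0x02" differs from "tcp.flags.reset == 1". The frame dictionaries, the "payload" key and the payload-only "contains" search are assumptions and simplifications of this model.

```python
import operator, re
FRAMES = [  # constructed sample frames, not a real capture; "layers" = protocols present in the frame
    {"no": 1, "layers": {"eth", "ip", "tcp"}, "eth.src": "00:11:22:00:00:01", "eth.dst": "00:11:22:00:00:02",
     "ip.src": "172.16.99.102", "ip.dst": "8.8.8.8", "tcp.srcport": 51000, "tcp.dstport": 443, "tcp.flags": 0x02, "payload": b""},
    {"no": 2, "layers": {"eth", "ip", "tcp"}, "eth.src": "00:11:22:00:00:02", "eth.dst": "00:11:22:00:00:01",
     "ip.src": "1.1.1.1", "ip.dst": "172.16.99.102", "tcp.srcport": 443, "tcp.dstport": 51001, "tcp.flags": 0x14, "payload": b""},
    {"no": 3, "layers": {"ip", "udp"}, "ip.src": "172.16.99.102", "ip.dst": "1.1.1.1", "udp.dstport": 53, "payload": b"\x03www\x06google\x03com"},
    {"no": 4, "layers": {"ip", "icmp"}, "ip.src": "172.16.99.102", "ip.dst": "8.8.8.8", "payload": b""},
]
WORDS = {"and": "&&", "or": "||", "not": "!", "eq": "==", "ne": "!=", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}
CMP = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le, "contains": None}
TOKEN = re.compile(r'\s*(&&|\|\||!=|==|>=|<=|>|<|!|"[^"]*"|[\w.:]+)')

def field(frame, name):  # every occurrence of a field ([] if absent); .addr/.port fields cover both directions
    if name == "tcp.flags.reset" and "tcp.flags" in frame:  # derived field: the RST bit (0x04) of tcp.flags
        return [int(bool(frame["tcp.flags"] & 0x04))]
    layer, _, leaf = name.rpartition(".")  # ip.addr -> ip.src + ip.dst, tcp.port -> tcp.srcport + tcp.dstport
    keys = {"addr": (layer + ".src", layer + ".dst"), "port": (layer + ".srcport", layer + ".dstport")}.get(leaf, (name,))
    return [frame[k] for k in keys if k in frame] or ([True] if name in frame["layers"] else [])

def compare(frame, name, op, lit):  # true if any occurrence of the field satisfies the test
    if op == "contains":  # 'tcp contains "x"': byte search, simplified here to the layer's payload
        return name in frame["layers"] and lit.encode() in frame["payload"]
    vals = field(frame, name)
    if vals and isinstance(vals[0], int):
        lit = int(lit, 0)  # decimal or 0x-prefixed hex literal, as Wireshark accepts
    else:
        vals, lit = [v.lower() for v in vals], lit.lower()  # MAC/IP text compares case-insensitively
    # "!=" is !(==), as in current Wireshark releases, so it is also true when the field is absent
    return not any(v == lit for v in vals) if op == "!=" else any(CMP[op](v, lit) for v in vals)

def compile_filter(expr):
    # Recursive descent: or-terms of and-terms of optionally negated atoms (parentheses not modelled).
    toks = [WORDS.get(t, t) for t in TOKEN.findall(expr)]  # word forms become their symbols
    def atom():
        t = toks.pop(0)
        if t == "!":
            return (lambda n: lambda f: not n(f))(atom())
        if toks and toks[0] in CMP:  # "name op literal"
            op, lit = toks.pop(0), toks.pop(0).strip('"')
            return lambda f: compare(f, t, op, lit)
        return lambda f: bool(field(f, t))  # bare name such as "icmp": the field/layer is present
    def chain(sub, word, combine):  # sub-terms joined by one operator, evaluated left to right
        nodes = [sub()]
        while toks and toks[0] == word and toks.pop(0):  # the pop consumes the operator token
            nodes.append(sub())
        return lambda f: combine(n(f) for n in nodes)
    return chain(lambda: chain(atom, "&&", all), "||", any)

def matching(expr, frames=FRAMES):  # frame numbers the filter keeps, i.e. Wireshark's visible rows
    pred = compile_filter(expr)
    return [f["no"] for f in frames if pred(f)]
```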