This is a static archive of our old Q&A Site. Please post any new questions and answers at

Adding VLAN Tag on Wireshark capture


Hi all, I have a basic Wireshark capture (HTTP, CAP format). I would like to put a VLAN tag label on this capture; I mean I want to have the original capture encapsulated with a VLAN ID. For this purpose I have a Cisco SW Layer 2, and Layer 3 if needed, and two PCs. I am using the “bittwist” software to inject the XXX.CAP capture into the SW. I also tried to set up a span port (monitoring port) on the Layer 2 SW, but I didn’t succeed in seeing the VLAN tag at the destination port (I added the dot1q column in Wireshark).

Can anyone figure out how to do it?

asked 10 May '12, 00:06


Ariel Golden...

2 Answers:


I'm assuming that your CAP file (that you're injecting using bittwist) has in fact VLAN tags. If you're setting up a span port you need to tell the switch to keep the VLAN information intact, because Cisco switches remove the VLAN tag when spanning. You should set up your monitor session with the "encapsulation dot1q" parameter when defining it.

answered 10 May '12, 00:12


Jasper ♦♦

Wow, thanks for your quick response. I don’t know if the CAP file had a VLAN tag; I did exactly what you suggested with the span port (LACP). Look at the configuration file; I’m using Cisco SW 2940 Ver. 12.1(22).

(10 May '12, 00:57) Ariel Golden...

Looks like I would need a code to unlock the file... strange service to host a file. Maybe you can just post your monitor command sequence - that could speed things up.

Anyway, the CAP file you're injecting using bittwist should contain VLAN tags, which you can easily verify by looking at the file in Wireshark - if it has VLAN tags, it will show them :-) Then, after you made sure the file has VLAN tags you can do the injection, and your monitor port should show the packets with tags if your SPAN session is configured correctly.

(10 May '12, 01:09) Jasper ♦♦

The file is without a VLAN tag (only regular HTTP).

monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/8 encapsulation dot1q ingress vlan 100

Here is another link for this file


(10 May '12, 02:29) Ariel Golden...

The monitor session configuration looks okay - if you want to add VLAN tags by injecting it on a trunk and then capture the tagged packets the monitor session should just do that. Of course your NIC that you capture with must be able to accept VLAN tagged frames (and not drop them, as some do).

But if you just want to add VLAN tags to your file you could do that with tcprewrite, for example:

tcprewrite --enet-vlan=add --enet-vlan-tag=40 --enet-vlan-cfi=1 --enet-vlan-pri=4 --infile=input.pcap --outfile=output.pcap


(10 May '12, 02:38) Jasper ♦♦

Let me try with tcprewrite ...

(10 May '12, 02:46) Ariel Golden...

Can you send me the download link? Do I need to use Linux, or is there a Windows-compatible version?

(10 May '12, 02:52) Ariel Golden...

Downloads are at - but I think they're all source code only, so you'd have to compile it first. There probably are binaries in the various Linux distribution package management systems, but I haven't checked lately. On Debian/Ubuntu you could do an "apt-cache search tcprewrite" which should tell you if there is a package.

I always used the Linux version myself, so I can't tell you if the Windows version is any good.

(10 May '12, 03:05) Jasper ♦♦

There is no Windows release of tcpreplay?

(10 May '12, 04:49) Ariel Golden...

Well, there is a source you could compile, but then again that is not something we're used to do on Windows... so unless you can compile it or find someone to do that for you there is binary release afaik.

(10 May '12, 07:44) Jasper ♦♦

I couldn’t succeed in installing it on Linux; I don’t have experience with Linux. Can I have this application (“tcpreplay”, “tcprewrite”) for the Windows platform?

(13 May '12, 04:50) Ariel Golden...
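What the tcprewrite command in the comments above does to each packet, as an added example (not part of the original thread and not tcprewrite's own code): it inserts a 4-byte 802.1Q tag after the two MAC addresses of every Ethernet frame in a classic pcap file. The function names and the sample packet are constructed for illustration; pcapng files are not handled, and a frame that already carries a tag would get a second one.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def tag_frame(frame: bytes, vid: int, pri: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    if not (0 <= vid <= 0xFFF and 0 <= pri <= 7 and dei in (0, 1)):
        raise ValueError("VID is 12 bits, priority 3 bits, CFI/DEI 1 bit")
    if len(frame) < 14:
        return frame  # capture cut off inside the Ethernet header: leave as is
    tci = (pri << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def add_vlan_to_pcap(data: bytes, vid: int, pri: int = 0, dei: int = 0) -> bytes:
    """Return a copy of a classic pcap file with every frame VLAN-tagged."""
    magic = data[:4]
    if len(data) >= 24 and magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"  # little-endian file (microsecond or nanosecond stamps)
    elif len(data) >= 24 and magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) captures can be tagged")
    # Grow the snapshot length so the tagged frames still fit under it.
    out = bytearray(data[:16])
    out += struct.pack(endian + "II", min(snaplen + 4, 0xFFFFFFFF), linktype)
    off = 24
    while off + 16 <= len(data):
        sec, frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated packet record at offset %d" % off)
        tagged = tag_frame(frame, vid, pri, dei)
        grow = len(tagged) - len(frame)
        out += struct.pack(endian + "IIII", sec, frac, caplen + grow, origlen + grow)
        out += tagged
        off += 16 + caplen
    return bytes(out)

def constructed_sample() -> bytes:
    """Constructed one-packet pcap: untagged broadcast frame, EtherType IPv4."""
    frame = bytes.fromhex("ffffffffffff0200000000010800") + bytes(46)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    tagged = add_vlan_to_pcap(constructed_sample(), vid=100)
    print(tagged[52:56].hex())  # TPID and TCI of the first frame
```

Opening the rewritten file in Wireshark is the quickest check: each frame should now show an 802.1Q header with the chosen ID between the Ethernet and IP layers.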


Have you checked whether your NIC strips the vlan tags before Wireshark gets hold of the packets? Have a look at for instructions for configuring several NICs to not strip the vlan tags.

answered 10 May '12, 16:01


SYN-bit ♦♦

I want to be clear: I have a capture (without VLAN tag). I want to have this capture with VLAN tagging (VLAN 100, for example).

The scenario I have is: I play this capture from my PC with bittwist to the Cisco SW (port 1) and configure a monitor port from port 1 to destination port 8. I connect a PC with Wireshark at port 8 and I want to record this capture with a VLAN tag.

(13 May '12, 04:48) Ariel Golden...