We are trying to capture VLAN tagged packets on a Cisco Catalyst 3750. We have a VoIP phone that boots on our DATA VLAN and gets settings pushed to it from DHCP Scope option 242. One of these options tells the phone to boot on the VoIP VLAN.
Anyways, I've been doing a simple "monitor session" on the Cisco Catalyst for this but it doesn't appear we're seeing all of the VLAN tagged data. Our vendor suggests the best solution is to break out and use a hub. I tend to agree, but would like to know if I was over-looking a capture option on the Cisco platform.
asked 15 Sep '10, 14:01
In order for the 3750 to keep vlan tags when spanning a trunk port, you need to add encapsulation replicate when configuring your destination port.
Of course you also need to make sure that your capturing device does not strip the tags. See: http://wiki.wireshark.org/CaptureSetup/VLAN
However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur:
•Packets are sent on the destination port with the same encapsulation—untagged, IEEE 802.1Q, or Inter-Switch Link (ISL)—that they had on the source port.
•Packets of all types, including BPDU and Layer 2 protocol packets are monitored.
Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged, 802.1Q, and ISL tagged packets appear on the destination port.
answered 15 Sep '10, 14:08
edited 15 Sep '10, 14:42
In addition to this you may also need to configure your OS/Driver to pass the Vlan tag to Wireshark. How to do this see http://wiki.wireshark.org/CaptureSetup/VLAN
answered 15 Sep '10, 14:38