A JDSU traffic generator is used to generate traffic (outer VLAN 500, inner VLAN 50) to a PC (Windows 7), and the packet captured in Wireshark is shown here: http://cloudshark.org/captures/d302f8040a52

The JDSU traffic generator is used to generate traffic (outer VLAN 500, inner VLAN 50) to a JDSU-MTS5800, and the packet captured in Wireshark inside the JDSU-MTS5800 is shown here: http://cloudshark.org/captures/7e88043f2e0d

The traffic generator is the same, with the same configuration. However, the packet capture result is different. One interesting thing is that the value for the outer tag, located at 0x0C to 0x0F, which is 81 00 01 f4, seems to be automatically removed in the Windows 7 PC environment, and the inner tag 81 00 00 32 exists in both cases but in a different location. Thus, I wonder: does the Windows 7 PC environment automatically remove the outer tag?

More information about the MTS5800: http://www.jdsu.com/en-us/Test-and-Measurement/Products/a-z-product-list/Pages/mts-5800-handheld-network-tester.aspx

asked 12 Nov '12, 22:22 bennettfan
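
The difference described in the question can be checked programmatically by walking the tag stack from offset 0x0C in each captured frame. This is an added example, not part of the original post: the MAC addresses and payload are constructed, the PC frame is built to match the question's description, and only the tag bytes 81 00 01 f4 and 81 00 00 32 come from the question.

```python
import struct

# TPIDs that introduce a VLAN tag. Both tags on this page use 0x8100;
# 0x88a8 (802.1ad) and 0x9100 are included as other common outer-tag values.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}

def vlan_stack(frame: bytes):
    """Walk the tags starting at offset 0x0C; return (tags, payload ethertype)."""
    tags, offset = [], 12  # 12 = 0x0C, right after destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before the EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"offset": offset, "tpid": ethertype,
                     "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4

def outer_tags_removed(reference: bytes, observed: bytes) -> int:
    """Count outer tags of `reference` missing from `observed`.

    Returns -1 when the observed stack is not the reference stack with only
    outer tags stripped (for example, a VID was rewritten or a tag was added).
    """
    ref = [t["vid"] for t in vlan_stack(reference)[0]]
    obs = [t["vid"] for t in vlan_stack(observed)[0]]
    missing = len(ref) - len(obs)
    if missing < 0 or ref[missing:] != obs:
        return -1
    return missing

# Constructed frames: MAC addresses and payload are made up; only the tag
# bytes 81 00 01 f4 and 81 00 00 32 come from the question.
MACS = bytes.fromhex("020000000001020000000002")
PAYLOAD = bytes.fromhex("0800") + bytes(46)
AT_TESTER = MACS + bytes.fromhex("810001f481000032") + PAYLOAD
AT_PC = MACS + bytes.fromhex("81000032") + PAYLOAD

if __name__ == "__main__":
    for name, frame in (("tester", AT_TESTER), ("pc", AT_PC)):
        tags, ethertype = vlan_stack(frame)
        for t in tags:
            print(f"{name}: offset 0x{t['offset']:02X} TPID 0x{t['tpid']:04x} VID {t['vid']}")
        print(f"{name}: payload EtherType 0x{ethertype:04x}")
    print("outer tags removed on the PC capture:", outer_tags_removed(AT_TESTER, AT_PC))
```
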
2 Answers:
It's not Windows itself, as there is no VLAN tag functionality in the Windows 7 kernel. But the driver of your NIC may (or may not) remove/modify the VLAN tag. So, what is the NIC in your capture PC?

Regards

answered 12 Nov '12, 23:53 Kurt Knochner ♦

Intel(R) 82567LM Gigabit Network Connection. Can I view the VLAN tag without it being removed/modified by the NIC driver? (13 Nov '12, 00:07) bennettfan

Please check my answer to the following question. Your driver should have the parameter MonitorMode (or MonitorModeEnabled) as well. (13 Nov '12, 02:15) Kurt Knochner ♦

I have already enabled it before asking the question. Any other suggestion? (15 Nov '12, 17:47) bennettfan

Do you transmit the packet over a switch? If so, the switch can also remove the outer tag, depending on its configuration. (15 Nov '12, 23:49) Kurt Knochner ♦
Regarding Cisco switches, the following commands must be entered in global configuration mode:

Switch> en
Switch# config t
Switch(config)# monitor session 1 source int gi1/0/1
Switch(config)# monitor session 1 destination int gi1/0/16 encapsulation dot1q

This will copy all the traffic from port 1 to port 16 while keeping the VLAN tag on the frame. You do NOT need to set up the destination port (16 in this example) as a trunk with 802.1q encapsulation.

answered 29 Jun '15, 19:46 Amato_C

Thanks Amato for your suggestion. I've captured successfully following your instruction! (29 Jun '15, 21:01) Hieuro

I experienced the same as bennettfan above. I used a Cisco 2950 switch to do the monitoring for Wireshark with the same NIC, Intel(R) 82567LM Gigabit Network Connection. I also followed your instruction in adding "MonitorEnableModed" in Regedit, but VLAN and COS still do not appear in the Wireshark log file. Do you have any suggestions?