This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

window7 automatically remove the outer vlan tag?

0

JDSU traffic generator is used to generate traffic(outer vlan 500,inner vlan 50) to pc(window7) and the packet captured in wireshark is shown: http://cloudshark.org/captures/d302f8040a52

JDSU traffic generator is used to generate traffic(outer vlan 500,inner vlan 50) to JDSU-MTS5800 and the packet captured in wireshark inside JDSU-MTS5800 is shown: http://cloudshark.org/captures/7e88043f2e0d

The traffic generator is the same and with the same configuration. However, the packet capture result is different. One interesting is that, the value for the outer tag, located at 0x0C to 0x0F, which is 81 00 01 f4 seems to be automatically removed at window7, pc environment, and the inner tag 81 00 00 32 exist in both case but in different location.

Thus, I wonder is it window7, pc environment,automatically remove the outer tag?

more information about MTS5800: http://www.jdsu.com/en-us/Test-and-Measurement/Products/a-z-product-list/Pages/mts-5800-handheld-network-tester.aspx

asked 12 Nov '12, 22:22

bennettfan's gravatar image

bennettfan
6224
accept rate: 0%

I experienced the same as bennettfan as above. I used 2950 Cisco switch to do the monitor for wireshark with the same NIC Intel(R) 82567LM Gigabit Network Connection. I also followed your instruction in adding "MonitorEnableModed" in Regedit, but VLAN and COS still not appear in wireshark logfile. Do you have any suggestion?

(29 Jun '15, 18:43) Hieuro

2 Answers:

1

Thus, I wonder is it window7, pc environment,automatically remove the outer tag?

It's not windows itself, as there is no VLAN tag functionality in the Windows 7 kernel. But the driver of your NIC may (or may not) remove/modify the VLAN tag. So, what is the NIC in your capture PC?

Regards
Kurt

answered 12 Nov '12, 23:53

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Intel(R) 82567LM Gigabit Network Connection

Can I view the vlan tag without being removed/modified by the NIC driver?

(13 Nov '12, 00:07) bennettfan

please check my answer to the following question.

http://ask.wireshark.org/questions/15524/vlan-tagging-intel-82579lm-and-wireshark-183

Your driver should have the parameter MonitorMode (or MonitorModeEnabled) as well.

(13 Nov '12, 02:15) Kurt Knochner ♦

i have already enable before asking the question. Any other suggestion?

(15 Nov '12, 17:47) bennettfan

Do you transmit the packet over a switch? If so, the switch can also remove the outer tag, depending on its configuration.

(15 Nov '12, 23:49) Kurt Knochner ♦

0

Regarding Cisco switches, the following commands must be entered in global configuration mode:

Switch> en

Switch# config t

Switch(config)# monitor session 1 source int gi1/0/1

Switch(config)# monitor session 1 destination int gi1/0/16 encapsulation dot1q

This will copy all the traffic from port 1 to port 16 while keeping the VLAN tag on the frame. You do NOT need to set-up the destination port (16 in this example) as a trunk with 802.1q encapsulation.

answered 29 Jun '15, 19:46

Amato_C's gravatar image

Amato_C
1.1k142032
accept rate: 14%

Thanks Amato for your suggestion. I've captured successfully following your instruction!

(29 Jun '15, 21:01) Hieuro