Hello,

I would like to see VLAN tags in Wireshark when using SPAN on a switch. The switch is configured properly to send output packets with their tags. OS is Windows 7 Pro x64, laptop is a Thinkpad X230.

When I edit the registry ("MonitorMode=1"/"MonitorModeEnabled=1"), I see that Wireshark does not show tagged packets at all. Untagged packets are displayed properly without any issue. If I remove "MonitorMode"/"MonitorModeEnabled", then all packets are displayed but without tag information.

Any idea what the problem is?

Thanks!

asked 27 Dec '12, 00:31 leonm12
edited 27 Dec '12, 04:04 Jaap ♦

2 Answers:
Somehow the network card / card driver manages to filter them out before they are sent up the stack to where WinPcap can pick them up. I'm not familiar with this combination so can't really tell what to set, other than use Google some more, or maybe this Intel page.

answered 27 Dec '12, 00:53 Jaap ♦

what Intel says now work for this card and wireshark.. (27 Dec '12, 01:01) leonm12

See my answer (and possible solutions therein) to the following question:
If that does not help: Boot your PC with BackTrack Linux (no installation needed) and capture there with Wireshark and/or tcpdump (cli:

Regards

answered 27 Dec '12, 01:25 Kurt Knochner ♦
edited 27 Dec '12, 02:16

When you BT it still not capture VLAN tags. When applying this tcpdump filter there is no packet captured. I have tested the Cisco switch (connect its SPAN to other network device) and I can see it replicate the VLAN tag correctly. What else can cause it? Is it about the built-in NIC? Thanks (31 Dec '12, 01:27) leonm12

According to information from Intel, the driver for the card does not strip VLAN tags by default on Linux.
Cite: To not strip VLAN tags: By default, the driver, in promiscuous mode, does not strip VLAN tags.

HOWEVER I'm not sure what driver they are referring to. Maybe that's a proprietary driver from Intel. On the other side, I don't believe that any open source Linux ethernet driver will ever strip VLAN tags by default.

Conclusion: If you really see the VLAN tags of the same SPAN port on another system, but you don't see it on the mentioned laptop (neither with Windows nor with Linux), there must be something wrong with the network card (other people report success, even on Windows 7).

BTW: Do you use that adapter in a docking station? I don't think that will change anything, just want to check... (31 Dec '12, 01:41) Kurt Knochner ♦

I used the built-in adapter, not a docking station (31 Dec '12, 01:48) leonm12

O.K. I have no real idea then. Can you post the output of the following commands (while running BackTrack Linux).
BTW: If you run BackTrack, do you see anything, if you omit the vlan filter for tcpdump?
(31 Dec '12, 02:00) Kurt Knochner ♦

Yes, I can see the packet that way. How can I upload the files here? (31 Dec '12, 05:43) leonm12

You can't on this site. You can however upload it to Google Docs, your own web server, cloudshark.org or any one-click file hoster. Beware of the privacy issues in doing so!! Anyway, if you see the packets now I would really like to see those packets as I suspect there are no VLAN tags. (31 Dec '12, 05:57) Kurt Knochner ♦

I have captured to file and I can see VLAN tags!! But when using "tcpdump -ni eth0 vlan" there is no screen output.. why? And what can be the problem in Windows OS? Thanks (31 Dec '12, 06:53) leonm12

No idea. Can you please post the capture file? (31 Dec '12, 07:03) Kurt Knochner ♦

(31 Dec '12, 08:15) leonm12

So, there are indeed VLAN tags. And now I run out of ideas, as you already did what is possible on Windows 7. Usually those two registry entries do work on Win7. One last question: Is there any software on your Win7 installation that interferes with the network (IDS, Endpoint Protection, VPN, and the like)? I have not heard yet that such software will interfere with VLAN tags, but you never know. Also, what I don't understand is why you don't see any packets on BackTrack with the capture filter vlan. That should show VLAN tagged packets !??! (31 Dec '12, 08:33) Kurt Knochner ♦

I will try to load Windows in safe mode with networking and check. I am also trying various drivers now. I will update (31 Dec '12, 08:41) leonm12

Not possible to do. Any more ideas? (31 Dec '12, 23:44) leonm12

You could try Microsoft Network Monitor. (01 Jan '13, 03:13) Kurt Knochner ♦
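
An added example, not part of the original thread: a Python check that reads a saved classic pcap file and reports the 802.1Q VLAN ID of each Ethernet frame, so a capture file can be checked for tags without relying on a capture filter. The function names and the two sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100                      # EtherType that marks an 802.1Q tag
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond / nanosecond pcap


def vlan_ids(pcap_bytes):
    """Return one entry per frame: the VLAN ID, or None if the frame is untagged."""
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", pcap_bytes[:4])[0] in PCAP_MAGICS:
        endian = "<"
    elif struct.unpack(">I", pcap_bytes[:4])[0] in PCAP_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")

    result, offset = [], 24
    while offset + 16 <= len(pcap_bytes):
        # Per-record header: ts_sec, ts_frac, captured length, original length
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        vid = None
        # Bytes 12-13 hold the EtherType; a tag puts the TPID there and the TCI after it
        if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
            tci = struct.unpack("!H", frame[14:16])[0]
            vid = tci & 0x0FFF            # low 12 bits of the TCI are the VLAN ID
        result.append(vid)
    return result


def build_sample_pcap():
    """Constructed sample: one frame tagged with VLAN 100, one untagged frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    macs = bytes(6) + bytes.fromhex("020000000001")
    tagged = macs + struct.pack("!HHH", TPID_8021Q, 100, 0x0800) + bytes(46)
    untagged = macs + struct.pack("!H", 0x0800) + bytes(46)
    out = header
    for frame in (tagged, untagged):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    print(vlan_ids(build_sample_pcap()))
```

To check a real capture, pass the file contents instead of the sample, for example `vlan_ids(open("capture.pcap", "rb").read())`, where `capture.pcap` is a placeholder file name.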