This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I would like to see VLAN tags in Wireshark when using SPAN on a switch. The switch is configured properly to send output packets with their tags. OS is Windows 7 Pro x64, laptop is a Thinkpad X230.

When I edit the registry ("MonitorMode=1"/"MonitorModeEnabled=1"), I see that Wireshark does not show tagged packets at all. Untagged packets are displayed properly without any issue.

If I remove "MonitorMode"/"MonitorModeEnabled", then all packets are displayed but without tagged information.

Any idea what the problem is?

Thanks!

asked 27 Dec '12, 00:31

leonm12

edited 27 Dec '12, 04:04

Jaap ♦


Somehow the network card / card driver manages to filter them out before they are sent up the stack to where WinPcap can pick them up. I'm not familiar with this combination so can't really tell what to set, other than use Google some more, or maybe this Intel page.

answered 27 Dec '12, 00:53

Jaap ♦

What Intel says now work for this card and Wireshark.

(27 Dec '12, 01:01) leonm12

If I remove "MonitorMode"/"MonitorModeEnabled", then all packets are displayed but without tagged information.

See my answer (and possible solutions therein) to the following question:

http://ask.wireshark.org/questions/15524/vlan-tagging-intel-82579lm-and-wireshark-183

If that does not help: Boot your PC with BackTrack Linux (no installation needed) and capture there with Wireshark and/or tcpdump (cli: tcpdump -ni eth0 vlan). If you don't see the tags on Linux, then most certainly your switch removes them.

Regards
Kurt

answered 27 Dec '12, 01:25

Kurt Knochner ♦

edited 27 Dec '12, 02:16

When using BT it still does not capture VLAN tags. When applying this tcpdump filter, no packets are captured.

I have tested the Cisco switch (connected its SPAN to another network device) and I can see it replicates the VLAN tag correctly.

What else can cause it? Is it about the built-in NIC?

Thanks

(31 Dec '12, 01:27) leonm12

According to information from Intel, the driver for the card does not strip VLAN tags by default on Linux.

http://www.intel.com/support/network/sb/cs-005897.htm

Cite: To not strip VLAN tags: By default, the driver, in promiscuous mode, does not strip VLAN tags.

HOWEVER, I'm not sure what driver they are referring to. Maybe that's a proprietary driver from Intel. On the other hand, I don't believe that any open source Linux Ethernet driver will ever strip VLAN tags by default.

Conclusion: If you really see the VLAN tags of the same SPAN port on another system, but you don't see it on the mentioned Laptop (neither with Windows nor with Linux), there must be something wrong with the network card (other people report success, even on Windows 7).

BTW: Do you use that adapter in a docking station? I don't think that will change anything, just want to check...

(31 Dec '12, 01:41) Kurt Knochner ♦

I used the built-in adapter, not a docking station.

(31 Dec '12, 01:48) leonm12

O.K. I have no real idea then.

Can you post the output of the following commands (while running BackTrack Linux).

  • dmesg | egrep -i '(intel|eth)'
  • lspci | grep -i intel
  • ifconfig eth0
  • ethtool eth0

BTW: If you run BackTrack, do you see anything if you omit the vlan filter for tcpdump?

tcpdump -ni eth0

(31 Dec '12, 02:00) Kurt Knochner ♦

Yes, I can see the packets that way. How can I upload the files here?

(31 Dec '12, 05:43) leonm12

how can I upload the files here?

You can't on this site. You can, however, upload it to Google Docs, your own web server, cloudshark.org or any one-click file hoster. Beware of the privacy issues in doing so!!

Anyway, if you see the packets now I would really like to see those packets, as I suspect there are no VLAN tags.

(31 Dec '12, 05:57) Kurt Knochner ♦

I have captured to a file and I can see VLAN tags!! But when using "tcpdump -ni eth0 vlan" there is no screen output. Why? And what can be the problem in Windows OS?

Thanks

(31 Dec '12, 06:53) leonm12

No idea. Can you please post the capture file?

(31 Dec '12, 07:03) Kurt Knochner ♦

So, there are indeed VLAN tags. And now I run out of ideas, as you already did what is possible on Windows 7. Usually those two registry entries do work on Win7.

One last question: Is there any software on your Win7 installation that interferes with the network (IDS, Endpoint Protection, VPN, and the like)? I have not heard yet that such software will interfere with VLAN tags, but you never know.

Also, what I don't understand is why you don't see any packets on BackTrack with the capture filter vlan. That should show vlan tagged packets !??!

(31 Dec '12, 08:33) Kurt Knochner ♦

I will try to load Windows in safe mode with networking and check. I am also trying various drivers now.

I will update.

(31 Dec '12, 08:41) leonm12

Not possible to do. Any more ideas?

(31 Dec '12, 23:44) leonm12
(01 Jan '13, 03:13) Kurt Knochner ♦
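
An offline check of a saved capture for 802.1Q tags, the question this thread keeps returning to, given here as an added example that is not part of the original posts. The names `vlan_ids`, `summarize_pcap` and `build_sample` are hypothetical, the sample capture is constructed, and only classic pcap files with an Ethernet link type are handled.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q C-tag and 802.1ad S-tag EtherTypes

def vlan_ids(frame):
    """Return the VLAN IDs stacked in one Ethernet frame, outermost first."""
    vids, off = [], 12                       # TPID/EtherType follows both MACs
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in VLAN_TPIDS:
            break
        vids.append(tci & 0x0FFF)            # low 12 bits of the TCI are the VID
        off += 4
    return vids

def summarize_pcap(data):
    """Count tagged/untagged frames in a classic pcap (pcapng is not handled)."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"                         # little-endian, usec or nsec magic
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet (DLT_EN10MB)")
    result = {"tagged": 0, "untagged": 0, "vids": set()}
    off = 24                                 # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        vids = vlan_ids(data[off + 16: off + 16 + incl_len])
        result["tagged" if vids else "untagged"] += 1
        result["vids"].update(vids)
        off += 16 + incl_len                 # record header plus captured bytes
    return result

def build_sample():
    """Constructed two-frame capture: one frame tagged VLAN 100, one untagged."""
    macs = bytes.fromhex("ffffffffffff020000000001")
    tagged = macs + struct.pack("!HHH", 0x8100, 100, 0x0800) + bytes(46)
    untagged = macs + struct.pack("!H", 0x0800) + bytes(46)
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in (tagged, untagged):
        pcap += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return pcap

if __name__ == "__main__":
    print(summarize_pcap(build_sample()))
```

To check a real file, pass `open(path, "rb").read()` to `summarize_pcap`; a capture saved as pcapng has to be converted to classic pcap first.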

question asked: 27 Dec '12, 00:31

question was seen: 14,689 times

last updated: 01 Jan '13, 03:13
