This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Vlan capture setup for Intel network card on Windows

0

Hi All,

Currently I'm having an issue configuring my network card to capture the VLAN tags. I have read through the Wireshark VLAN capture setup page (http://wiki.wireshark.org/CaptureSetup/VLAN) but none of it is related...

My network card information:

Device Description: Intel(R) 82577LM Gigabit Network Connection
Driver Date: 9/29/2010
Driver Version: 11.8.75.0

Could anyone please advise?

Regards, Lipitor

asked 27 Jan '11, 23:44

lipitor

edited 12 Nov '13, 16:36

Guy Harris ♦♦

Maybe it's not your card... are you sure that the incoming packets are VLAN tagged? Do you capture on a monitor/SPAN port, or do you have a hub running inline of the VLAN trunk? Remember that on spanning trunks you might have to tell your switch not to remove VLAN tags on the monitor port. On Cisco there is something like an "encapsulation dot1q" parameter when defining the monitor session (I'm not sure about the syntax, I rarely have to do this on my own).

(28 Jan '11, 04:58) Jasper ♦♦

Hi Jasper,

There is no issue with the network infrastructure setup, as my colleague using another network card manufacturer (Broadcom) has no issue capturing packets with the VLAN tag.

Regards, Lipitor

(01 Feb '11, 04:40) lipitor

One Answer:

2

Your NIC strips VLAN headers by default. To enable them follow this procedure:-

  1. Run Regedit (back up registry first)
  2. Browse to the registry branch:-

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet0001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

Note: you may need to also look under "CurrentControlSet" rather than "CurrentControlSet0001".

  3. There will be some folders beneath that such as "0000", "0001" etc
  4. Open each one and look to see if the Intel 82577LM is set against the "DriverDESC" entry.
  5. Right click in the appropriate folder and add "New DWORD Value" called "MonitorMode".
  6. Right click this DWORD & select "Modify" and set its value to 1.
  7. Reboot the PC.

Then, if you are capturing on a span port on a Cisco device, set the span session up like this:-

monitor session x source interface fa0/y
monitor session x destination interface fa0/z encapsulation dot1q

answered 28 Jan '11, 08:01

KeithFrench

edited 12 Nov '13, 16:37

Guy Harris ♦♦
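
The registry steps from the answer above, scripted in PowerShell as an added example (not part of the original answer). It assumes the CurrentControlSet branch, the 82577LM description from the question, and a hypothetical backup folder under %TEMP%; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: automates the Regedit steps in the answer. Not the answerer's own code.
$classKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'
$pattern   = '*82577LM*'     # adapter named in the question; adjust for other NICs
$valueName = 'MonitorMode'   # value name given in the answer
$backupDir = Join-Path $env:TEMP 'nic-reg-backup'   # assumed backup location

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Adapter instances are the four-digit subkeys ("0000", "0001", ...).
# Other subkeys (for example "Properties") are not adapters and may be unreadable.
$adapters = Get-ChildItem -LiteralPath $classKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d{4}$' } |
    Where-Object { (Get-ItemProperty -LiteralPath $_.PSPath).DriverDesc -like $pattern }

if (-not $adapters) {
    Write-Warning "No adapter with DriverDesc like '$pattern' under $classKey"
    return
}

foreach ($key in $adapters) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath
    Write-Host "$($key.PSChildName): $($props.DriverDesc) (current $valueName = $($props.$valueName))"

    # Export this instance key first, so the change can be reverted by importing the .reg file.
    $backup = Join-Path $backupDir "$($key.PSChildName).reg"
    & reg.exe export $key.Name $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Backup failed for $($key.Name); leaving it unchanged"
        continue
    }

    # Create the DWORD, or overwrite it if it already exists, with value 1.
    New-ItemProperty -LiteralPath $key.PSPath -Name $valueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "  set $valueName = 1 (backup: $backup)"
}

Write-Host 'Reboot the PC so the driver picks up the new value.'
```

If more than one instance key matches the description, each one is backed up and changed; narrow `$pattern` to target a single adapter.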

Hi Keith,

Many thanks for your reply, but I found the "Driver Desc" entry with Intel 82577LM under both "CurrentControlSet" and "CurrentControlSet0001", so does that mean I need to add the new DWORD Value as mentioned above to both "CurrentControlSet" and "CurrentControlSet0001"?

Regards, Lipitor

(01 Feb '11, 04:32) lipitor

No I don't think so. I'd try it under CurrentControlSet first & reboot. If that does not work, remove it & try it under CurrentControlSet0001 & reboot. You only need to add it once, but it can be tricky to find out where.

(01 Feb '11, 11:24) KeithFrench

I'll double check where mine is on my Lenovo laptop in the morning.

(01 Feb '11, 14:15) KeithFrench

Hi Keith,

My laptop is Lenovo X210, running on Windows 7.

Regards, Lipitor

(01 Feb '11, 17:30) lipitor

Hi Lipitor,

On my Lenovo T410 it appears under:-

System\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

However there is also the DriverDESC under "ControlSet" as well.

Add the DWORD under ControlSet001 and it seems to add it under ControlSet as well.

(02 Feb '11, 04:10) KeithFrench

Hi Keith,

Thanks again for your assistance. I will try this new modification in regedit again when I am back at the office and see if it works.

Regards, Lipitor

(06 Feb '11, 15:26) lipitor

Hi Keith,

I tried but it doesn't work...

Regards, Lipitor

(07 Feb '11, 01:11) lipitor

Hi Keith,

Btw, just to confirm, for the MonitorMode, the "Base" is Hexadecimal instead of Decimal right?

Regards, Lipitor

(07 Feb '11, 01:13) lipitor

Hi Keith,

Are you using Windows 7 (32-bit) as well?

Regards, Lipitor

(07 Feb '11, 02:13) lipitor

Hi Keith,

And which version of Wireshark are you using currently? 1.4.3 or 1.2.14?

Regards, Lipitor

(07 Feb '11, 02:17) lipitor

The version of Wireshark is really not an issue here, it is the behaviour of the network card and the configuration of the span session that is in question. I have used not only the 32bit version of Wireshark (I think all versions have worked up to & including the new development version of 1.5.0). However, currently I am using V1.4.3. I have also used "Sniffer Basic", "Netasyst" & "Observer" to capture the VLAN headers.

The value of the DWORD value MonitorMode is in hex, there are also some similar Intel cards that require the DWORD to be MonitorModeEnabled with the same value, but as you have the exact same version as mine, I doubt if that is the case. Have you rebooted your PC for these registry changes to take effect?

Did you also notice my comment about this Q&A seems to strip out backslash characters in the information I originally typed?

Is your span session created correctly as per my original post? Could you paste the output of the command "Show monitor session x", where x is the session number used?

(07 Feb '11, 08:02) KeithFrench

Hi Keith,

Sorry for the late reply, I agree with you that the issue here now is on either the network card configuration or the span session configuration.

But as mentioned earlier, my colleague with a different network card manufacturer (Broadcom) has no issue capturing the VLAN-tagged packets, so I assume the span session configuration is not the case in this scenario.

And I also assume that you have the same configuration of the machine, such as the Windows OS, Wireshark, Network card type and version. Which I'm not sure what else to try on.

Regards, Lipitor

(09 Feb '11, 18:40) lipitor

You could try the MonitorModeEnabled DWORD instead, but I didn't need it on mine.

My OS is XP Pro, I won't be able to check my card for a week or so, but what version of drivers are you using?

(10 Feb '11, 11:20) KeithFrench

I assume that you have tried another PC connected to the destination port of the span that does capture the VLAN header?

(11 Feb '11, 11:13) KeithFrench

Hi Keith,

Sorry I was away for a week. My network card details: Driver Date: 9/29/2010, Driver Version: 11.8.75.0

Regards, Lipitor

(20 Feb '11, 19:45) lipitor

Yup, I did try with another 2 laptops (both using different manufacturers' network cards, one running on Windows XP, and another one running on Windows 7) and was able to capture the VLAN header.

(20 Feb '11, 19:48) lipitor

I'll check my driver version tomorrow.

Just an outside chance, is your Lenovo a normal Windows 7 build? The reason I ask is that some companies lock everything down for security reasons. Although you can make registry changes, they only actually take effect if the laptop is connected to their corporate network when the changes are made.

(21 Feb '11, 11:14) KeithFrench

Hi Keith,

The OS installed on the laptop is Windows 7 Professional. Hmm.. that means I need to remove the changes made in the registry, go back to the office and apply the changes again. So that's like a one time thing?

Regards, Lipitor

(21 Feb '11, 19:13) lipitor

Yes that might be worth doing, if the laptop was supplied by your company. I would expect that once you have got it working, you shouldn't need to alter the registry again, as you say a one time operation.

My NIC is driver date 19/11/2009, version 11.5.5.0, which is obviously older than yours. Something I noticed though, go into the NIC card configuration. In the Advanced tab there is an option called "Priority & VLAN" - make sure that this is set to "Priority & VLAN Enabled". I assume that this option only becomes available after the registry edit. Maybe your later version introduces this on the registry setting, but leaves it disabled?

(22 Feb '11, 11:17) KeithFrench

Hi Keith,

I'll try to get back to office to reconfigure the registry.

For the "Priority & Vlan Enabled" part, once I upgraded my NIC driver, then it'll have that feature without making any changes on the registry. And earlier I have enabled that feature before reporting this issue.

Regards, Lipitor

(25 Feb '11, 01:25) lipitor

OSQA, the software that runs ask.wireshark.com, uses Markdown syntax; in that syntax, backslashes are escape characters, so if you want a backslash in the text, you have to put in a double backslash.

Note also that answers can be edited; as this is a Q&A site rather than a forum, the right way to fix an answer is to edit it, not post follow-up answers (maybe post a comment noting that you've updated the answer). I've propagated some updates to your original answer (and deleted the additional answers from which the updates came).

(04 Nov '12, 12:03) Guy Harris ♦♦

Hello,

I have the same problem with Windows 7. I don't understand where I must do:

monitor session x source interface fa0/y
monitor session x destination interface fa0/z encapsulation dot1q

I try to execute these lines with MS-DOS but it doesn't work

(12 Nov '13, 02:21) wireshark_user

I don't understand where I must do

You must do those commands on the Cisco device into whose SPAN port you've plugged your machine.

Or, if you're NOT capturing on a Cisco device's SPAN port, you must ignore those commands, as they don't apply to what you're doing. The original answer failed to note that those commands are Cisco-specific; I've fixed it to do so.

(12 Nov '13, 16:39) Guy Harris ♦♦

I thank you. The methods described before don't operate with TG-3468 (TP-LINK). The manufacturer tells me to install a third class driver but I don't know where I can find it

(13 Nov '13, 00:45) wireshark_user