This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture cisco trunk interfaces


Hi all,

I really need help with this one. I have to capture traffic between trunked Cisco ports (dot1Q). I have a switch in the middle with monitor session command to mirror the physical interface.

    monitor session 2 source interface GiX/XX
    monitor session 2 destination interface GY/YY
    monitor session 2 filter packet-type good rx

If I ping a machine on the remote LAN I only get the requests but not the replies (but the echo ping is responded to).

If I ping the remote interface from the local interface, no echo request and reply is recorded (but it also pings).

the cisco commands are:

Does anyone know why? Does Wireshark handle dot1Q? Thanks

asked 01 Mar '11, 03:12

zeca_neca


One Answer:

If you want to capture VLAN tagged frames, you need to make sure that:

  1. The NIC in the capturing device does not strip the VLAN tags (see: http://wiki.wireshark.org/CaptureSetup/VLAN)
  2. The mirrored traffic has VLAN tags. This is dependent on the switch brand and model

You are using a Cisco switch with IOS. However, you haven't said what model. Different models need different configuration of the monitor session and SPAN port. If you are using a 2950/3560/3750, you need to use "monitor session X destination interface GiX/XX encapsulation dot1q" to make the switch copy the VLAN tags to the output port. On a 65XX switch you need to configure the destination port to also be a trunk port and make sure the VLANs you are interested in are in the allowed list.

And yes, Wireshark handles 802.1Q VLAN tagged frames :-)

answered 01 Mar '11, 04:12

SYN-bit ♦♦

It's a WS-C4503-E, thanks

(01 Mar '11, 04:15) zeca_neca

I changed to an older PC and it worked... thanks a lot

For me it's a closed matter

(01 Mar '11, 07:56) zeca_neca

(converted your answer to a comment to adhere to the nature of this Q&A site, please see the FAQ)

If your question has been answered, please "accept" the answer by clicking on the checkmark below the thumbs-down. That way, the question will not be listed under the "unanswered" category anymore.

(01 Mar '11, 14:05) SYN-bit ♦♦

If running the same version of Wireshark on an older PC made a difference, the reason is probably that the network adapter, or driver, on the newer PC either can't handle capturing raw VLAN tagged frames (or frames on a different VLAN) or doesn't do so by default, and the adapter or driver on the older PC handles them by default. See the CaptureSetup/VLAN page on the Wireshark Wiki for more information on this.

(01 Mar '11, 14:29) Guy Harris ♦♦