Hello guys. The scenario below was implemented in GNS3:

1) For all PCs: Firewall: off, NIC Mode: Generic Driver.
2) On PC3, Wireshark is installed.
3) The L3-Switch is a Router 2691 with module NM-ESW16.

Now my question is: why can't I capture traffic to PC3 from Vlan 5 or Vlan 10 when I set Wireshark to filter "vlan 5 and vlan 10"? Thanks.

asked 09 Jul '14, 06:14 M_Bazgir, edited 09 Jul '14, 06:15
3 Answers:
Please use this capture filter in Wireshark:
Or use tcpdump/dumpcap:
Regards

answered 09 Jul '14, 07:28 Kurt Knochner ♦

Dear Kurt Knochner, I tested your filter and then pinged and telnetted to PC3, but didn't see any change or result. Now what's your opinion about this? Where's the mistake? (09 Jul '14, 08:04) M_Bazgir
According to your screenshot PC3 is in VLAN15. How did you ensure that the port of PC3 sees traffic from VLAN5 and VLAN10 (like port mirroring)? If you did nothing to make that happen, it's absolutely clear why you can't see the other vlans, as the idea of a vlan is to separate traffic from each other ;-))

BTW: Are the switch ports for PC1 and PC2 trunk ports? If no, you won't see anything with a vlan capture filter, as there will be no vlan tags! (09 Jul '14, 08:17) Kurt Knochner ♦
Hard to tell, without the real switch config. Can you post the whole switch config somewhere and post a link here?

Furthermore: As already mentioned, if the device in the middle works as a L3 device (a router) and not as a L2 device (a switch), although you mentioned the switch module NM-ESW16 in your original question, then you will not see any VLAN tags! (10 Jul '14, 02:29) Kurt Knochner ♦

Dear Kurt Knochner, you were right. The NIC of the PCs in Wireshark cannot detect VLAN tagging. But there's a problem: after I connect the loopback adapter to fa 1/7 on L2-Switch2 instead of PC3, I can capture only the traffic of the vlans via "vlan and (ether[14:2]&0xfff=5 or ether[14:2]&0xfff=10)", but this traffic didn't contain ICMP traffic! What's your thinking? (10 Jul '14, 06:35) M_Bazgir
ICMP traffic from where to where? Did you see other traffic, like TCP and/or UDP? Can you please post the capture file you have taken with the vlan filter on https://appliance.cloudshark.org/upload/ and post the link here? (10 Jul '14, 06:39) Kurt Knochner ♦

ICMP from PC1 & PC2 to PC4. This is the link, I uploaded the configurations too. http://cld.persiangig.com/download/zpIXNNmjgm/Config%26Cap.zip/dl Regards. (10 Jul '14, 07:38) M_Bazgir

There are several problems with the router/switch configurations, as far as I can see. However, I don't know the module NM-ESW16 well enough to give any good advice. Let's start with one thing (L2-Switch left side):
Maybe you take the following config example and read some other docs about the Cisco vlan configuration to fix your Cisco configuration.

Furthermore, I have the feeling that your question shifts away from a Wireshark 'problem' (as there is none - the vlan filter I posted works, if the environment is set up properly) and moves towards several Cisco/GNS3 configuration issues. As Cisco/GNS3 questions are off-topic for this site, I suggest asking further IOS/GNS3 configuration questions in the appropriate forums, as you will get much better answers there ;-) You are welcome to ask Wireshark related questions here, as soon as your setup works. (10 Jul '14, 10:27) Kurt Knochner ♦

Thank you very much, the link was so useful, and I could capture ICMP traffic too, but the vlan filter problem wasn't solved. ;-) Maybe I must do it in a real environment. Again and again, thanks for your guidance. :) (11 Jul '14, 00:49) M_Bazgir
Maybe the answers in this question can shed some light: http://ask.wireshark.org/questions/31953/unusual-behavior-with-stacked-vlan-tags-and-capture-filter

answered 09 Jul '14, 06:21 Jasper ♦♦
As written, PC3 will see traffic from the other two subnets as sources toward it, but vlan information is not preserved across an L3 gateway and as tags they exist only on interfaces that act as layer 2 trunks for the vlan in question. The "vlan" filter is looking for tags specifically, but in your diagram you have three direct L3 links toward a router.

answered 09 Jul '14, 22:03 Quadratic, edited 09 Jul '14, 22:05
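The tag-versus-no-tag distinction made in the answers above, as an added example that is not part of the original thread: it builds constructed Ethernet frames and applies the same byte tests as the capture filters quoted on this page. The MAC addresses, sample frames and function names are assumptions for illustration; the nesting behaviour of "vlan 5 and vlan 10" follows the pcap-filter documentation, where each `vlan` keyword shifts decoding 4 bytes deeper.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tag (only this TPID is handled)

def build_frame(vlan_ids=(), pcp=0, ethertype=0x0800):
    """Constructed Ethernet frame carrying zero or more 802.1Q tags."""
    frame = bytes.fromhex("ffffffffffff" "020000000001")  # dst MAC, src MAC
    for vid in vlan_ids:
        tci = (pcp << 13) | (vid & 0x0FFF)  # priority bits | 12-bit VLAN ID
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + bytes(46)

def vlan_tags(frame):
    """VLAN IDs found in the frame, outermost tag first."""
    tags, off = [], 12
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags

def matches_or_filter(frame, wanted=(5, 10)):
    """Same test as: vlan and (ether[14:2]&0xfff=5 or ether[14:2]&0xfff=10)"""
    if len(frame) < 16 or struct.unpack_from("!H", frame, 12)[0] != TPID_8021Q:
        return False  # "vlan" part fails: untagged frame
    vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF  # ether[14:2] & 0xfff
    return vid in wanted

def matches_stacked(frame, outer=5, inner=10):
    """Same test as "vlan 5 and vlan 10": tag 10 nested inside tag 5."""
    return vlan_tags(frame)[:2] == [outer, inner]

if __name__ == "__main__":
    samples = {
        "untagged (access port / routed link)": build_frame(),
        "trunk, VLAN 5, priority 5": build_frame([5], pcp=5),
        "trunk, VLAN 10": build_frame([10]),
        "trunk, VLAN 15": build_frame([15]),
        "stacked 5 then 10": build_frame([5, 10]),
    }
    for name, f in samples.items():
        print(f"{name:38} tags={vlan_tags(f)!s:8} "
              f"or-filter={matches_or_filter(f)} stacked={matches_stacked(f)}")
```

Only the frames that still carry a tag can match either filter, and a single-tagged frame never satisfies the stacked form.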
Hi guys. My previous scenario couldn't capture the vlan traffic because of incorrect configuration on the L3-Switch. Now I corrected it to the scenario below and I used "Kurt Knochner" and "Quadratic" guidance, but I still can't capture only the traffic of vlan 5 and vlan 10 via the "vlan 5 and vlan 10" or "vlan and (ether[14:2]&0xfff=5 or ether[14:2]&0xfff=10)" filters, but when capturing without any filter, I see all the traffic from those vlans. And now, where's the mistake? Are my configuration and the filter incorrect? Or can't GNS3 emulate/simulate it? Thanks. This is the new scenario:
@M_Bazgir,
Arguably your last post should have been a new question (certainly not an answer) as the environment has changed enough to make the original answers a bit hard to follow, but on the other hand context is the same. We'll see how it goes.