This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

vlan filter


Hello guys. The scenario below was implemented in GNS3: 1) For all PCs: Firewall: off, NIC Mode: Generic Driver. 2) On PC3, Wireshark is installed. 3) The L3-Switch is a Router 2691 with module NM-ESW16. Now my question is: why can't I capture traffic to PC3 from VLAN 5 or VLAN 10, while I set Wireshark to filter "vlan 5 and vlan 10"?? Thanks.

asked 09 Jul '14, 06:14

M_Bazgir

edited 09 Jul '14, 06:15

Hi guys. My previous scenario couldn't capture the VLAN traffic because of an incorrect configuration on the L3-Switch. Now I corrected it to the scenario below and I used "Kurt Knochner" and "Quadratic"'s guidance, but I still can't capture only the traffic of VLAN 5 and VLAN 10 via the "vlan 5 and vlan 10" or "vlan and (ether[14:2]&0xfff=5 or ether[14:2]&0xfff=10)" filters, but when capturing without any filter, I see all the traffic from those VLANs. And now, where's the mistake?? Are my configuration and the filter incorrect?? Or can't GNS3 emulate/simulate it?? Thanks. This is the new scenario:

(10 Jul '14, 02:08) M_Bazgir

@M_Bazgir,

Arguably your last post should have been a new question (certainly not an answer) as the environment has changed enough to make the original answers a bit hard to follow, but on the other hand context is the same. We'll see how it goes.

(10 Jul '14, 02:35) grahamb ♦

3 Answers:


Please use this capture filter in Wireshark:

'vlan and (ether[14:2]&0xfff=5 or ether[14:2]&0xfff=10)'

Or use tcpdump/dumpcap:

tcpdump -ni eth0 'vlan and (ether[14:2]&0xfff=5 or ether[14:2]&0xfff=10)'
dumpcap -ni eth0 -f 'vlan and (ether[14:2]&0xfff=5 or ether[14:2]&0xfff=10)'

Regards
Kurt

answered 09 Jul '14, 07:28

Kurt Knochner ♦

Dear Kurt Knochner, I tested your filter and then pinged and telnetted to PC3, but didn't see any change or result. Now what's your opinion about this?? Where's the mistake??

(09 Jul '14, 08:04) M_Bazgir

where's the mistake??

According to your screenshot PC3 is in VLAN15. How did you ensure that the port of PC3 sees traffic from VLAN5 and VLAN10 ( like port mirroring)?

If you did nothing to make that happen, it's absolutely clear why you can't see the other vlans, as the idea of a vlan is to separate traffic from each other ;-))

BTW: Are the switch ports for PC1 and PC2 trunk ports? If no, you won't see anything with a vlan capture filter, as there will be no vlan tags!

(09 Jul '14, 08:17) Kurt Knochner ♦

but when capturing without any filter, I see all the traffic from those Vlans. and now, where's the mistake??

  • Either the configuration of the trunk port is not O.K.
  • or the port mirroring config is not O.K.
  • or GNS3 removes vlan tags,
  • or there are no vlan tags
  • or the NIC driver of your Wireshark PC removes the vlan tags

Hard to tell, without the real switch config. Can you post the whole switch config somewhere and post a link here?

Furthermore: As already mentioned, if the device in the middle works as a L3 device (a router) and not as a L2 device (a switch), although you mentioned the switch module NM-ESW16 in your original question, then you will not see any VLAN tags!

(10 Jul '14, 02:29) Kurt Knochner ♦

Dear Kurt Knochner, you were right. The NICs of the PCs in Wireshark cannot detect VLAN tagging. But there's a problem: after I connect the loopback adapter to fa 1/7 on L2-Switch2 instead of PC3, I can capture only the traffic of the VLANs via "vlan and (ether[14:2]&0xfff=5 or ether[14:2]&0xfff=10)", but this traffic doesn't contain ICMP traffic!!!!! What's your thinking??

(10 Jul '14, 06:35) M_Bazgir

but this traffic doesn't contain ICMP traffic!!!!!

ICMP traffic from where to where?

Did you see other traffic, like TCP and/or UDP?

Can you please post the capture file you have taken with the vlan filter on https://appliance.cloudshark.org/upload/ and post the link here?

(10 Jul '14, 06:39) Kurt Knochner ♦

ICMP from PC1 & PC2 to PC4. This is the link; I uploaded the configurations too. http://cld.persiangig.com/download/zpIXNNmjgm/Config%26Cap.zip/dl Regards.

(10 Jul '14, 07:38) M_Bazgir

There are several problems with the router/switch configurations, as far as I can see. However, I don't know the module NM-ESW16 well enough to give any good advice.

Let's start with one thing (L2-Switch left side):

  • You configured a trunk port on FastEthernet1/8, but you did not specify any VLAN on that port. So, I wonder why the whole setup works that way. Maybe the NM-ESW16 automatically adds all VLANs to a trunk port if nothing is specified. I doubt that, but I don't know for sure; as I said, I don't know that module well enough.

Maybe take the following config example and read some other docs about Cisco VLAN configuration to fix your Cisco configuration:

http://www.cisco.com/c/en/us/support/docs/interfaces-modules/network-modules/82156-ether-switch-nm-config.html

Furthermore, I have the feeling that your question shifts away from a Wireshark 'problem' (as there is none - the vlan filter I posted works, if the environment is set up properly) and moves towards several Cisco/GNS3 configuration issues. As Cisco/GNS3 questions are off-topic for this site, I suggest asking further IOS/GNS3 configuration questions in the appropriate forums, as you will get much better answers there ;-) You are welcome to ask Wireshark related questions here, as soon as your setup works.

(10 Jul '14, 10:27) Kurt Knochner ♦

Thank you very much, the link was very useful, and I could capture ICMP traffic too, but the VLAN filter problem wasn't solved. ;-) Maybe I must do it in a real environment. Again and again, thanks for your guidance. :)

(11 Jul '14, 00:49) M_Bazgir
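To show in plain code what Kurt's capture filter actually tests on the wire, and why it matches nothing when the NIC or an access port delivers untagged frames, here is an added example (not part of the original thread or of Wireshark/libpcap). It builds constructed 802.1Q frames and evaluates the same byte offsets the filter uses: EtherType 0x8100 at bytes 12-13 (the "vlan" keyword) and the VID in the low 12 bits of the TCI at bytes 14-15 (the "ether[14:2]&0xfff" part). The MAC addresses are made up.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

def build_frame(dst, src, vid=None, pcp=0, ethertype=0x0800, payload=b""):
    """Build a minimal Ethernet frame (constructed sample data, not a real
    capture). If vid is given, an 802.1Q tag is inserted after the MACs:
    TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    frame = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload

def vlan_id(frame):
    """Mirror of the BPF expression 'vlan and ether[14:2]&0xfff'.
    Returns the VLAN ID, or None when the frame carries no 802.1Q tag
    (an access port, or a NIC driver that strips tags, delivers such frames)."""
    if len(frame) < 18:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None  # 'vlan' primitive fails: no tag at all
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF  # drop PCP/DEI bits, keep the 12-bit VID

def matches_vlan_filter(frame, wanted=(5, 10)):
    """Equivalent of 'vlan and (ether[14:2]&0xfff=5 or ether[14:2]&0xfff=10)'."""
    vid = vlan_id(frame)
    return vid is not None and vid in wanted

# Constructed MAC addresses for the PCs of the diagram (hypothetical values).
MAC_PC1 = bytes.fromhex("020000000001")
MAC_PC2 = bytes.fromhex("020000000002")
MAC_PC3 = bytes.fromhex("020000000003")

def demo():
    """Run the filter over a few constructed frames; returns name -> matched."""
    frames = {
        "pc1_tagged_vlan5": build_frame(MAC_PC3, MAC_PC1, vid=5),
        "pc2_tagged_vlan10_pcp5": build_frame(MAC_PC3, MAC_PC2, vid=10, pcp=5),
        "pc3_tagged_vlan15": build_frame(MAC_PC1, MAC_PC3, vid=15),
        "untagged_as_seen_by_pc3": build_frame(MAC_PC3, MAC_PC1),
    }
    return {name: matches_vlan_filter(f) for name, f in frames.items()}

if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:28s} -> {'captured' if matched else 'dropped'}")
```

Without the &0xfff mask the frame with PCP=5 would read as 0xA00A rather than 10, which is why the mask is part of the filter.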


answered 09 Jul '14, 06:21

Jasper ♦♦


As written, PC3 will see traffic from the other two subnets as sources toward it, but vlan information is not preserved across an L3 gateway and as tags they exist only on interfaces that act as layer 2 trunks for the vlan in question. The "vlan" filter is looking for tags specifically, but in your diagram you have three direct L3 links toward a router.

answered 09 Jul '14, 22:03

Quadratic

edited 09 Jul '14, 22:05