Hello, I am running Wireshark v1.12.10 on a Windows 7 Samsung computer, with a Marvell Yukon 88E8040 Fast Ethernet card. I have modified the registry so that *PriorityVLANTag is set to 0, and SkDisableVlanStrip is set to 1. When I run a capture I am using the ip.addr filter, with the relation "is present". I am doing the capture on a Netgear FS726TP switch, which uses VLANs, using port mirroring. But when I do the capture, I am not getting any network traffic, except for DHCP broadcasts and NBNS Name queries. What is it I must do to get the real traffic running on the port? I know that the port is being used for access to the Internet and other traffic. Thanks asked 07 Apr '16, 03:25 skeating
2 Answers:
Are you sure your interface on the Windows machine is in promiscuous mode? Are you sure your port is mirroring traffic? What is on the VLAN? What should it be seeing? answered 09 Apr '16, 18:37 msmorten

I have found the solution to part of the problem. Netgear, for some reason, will not allow port mirroring to any port. I was trying to mirror port 16 onto port 1, but no luck. But if I mirrored port 16 onto port 20, then I would get the traffic on port 16. What I cannot get is the VLAN traffic. I see the IPs of the VLAN, but there are no VLAN packets in the captured packets. Any ideas why I cannot see the VLAN packets? (11 Apr '16, 05:37) skeating

For instance, with Cisco, to get the VLAN tag to be included in the reassembly of the packet on the destination port it has to be written in as part of the command on the destination port, "encapsulation dot1q replicate", and this adds the tag back to the packet from the buffer on the destination port. But this is only because most good Cisco switches operate on layer 3. The Netgear switch you're using is a true layer 2 device. So if you don't have a router that is handling the segmentation and routing of the virtual network, then you don't have a true vlan or separate networks. What are you using as your CSU or router? What are your captures showing you? I am not sure if the Netgear is capable of mirroring the vlan tag, passing it to the destination port. If so, then the destination port would have IP coming from two networks. I wouldn't normally ask questions like this in a Cisco environment, but when it comes to this Netgear, you never know. What is the gateway to your two networks? Can you ping them? Can you verify that you have two networks? (11 Apr '16, 07:09) msmorten

Also, from your router to the port that connects to the switch, you have to make sure you're trunking the vlan(s) you want to see on this switch. If the port connecting the router to the switch isn't trunking and is only an access port, then the switch will only have traffic for the vlan that it has access to. (11 Apr '16, 10:38) msmorten
This sounds a bit confusing to me. If you can see "the IPs", it means to me that you can see the frames from/to those IPs, but without knowledge of the overall architecture of the network, it is hard to say anything. But let's suppose that a frame sent by a device which is only connected to the VLAN of interest to some device on the internet only passes through your switch once and it is visible in the capture. In this case, the question is whether VLANs and their monitoring do not work the way you expect on the switch (as @msmorten suggests) or whether the Marvell driver ignores the To find out which one is true, I'd suggest making an ordinary (not monitoring) port a member of the VLAN of interest and configuring it as a "trunk" one (using Cisco terminology) or (using the terminology of most other switch vendors) so that this VLAN's frames would be sent out tagged, connecting your PC to that port and running the capture with the Just for the case, I assume you look for the VLAN ID in the dissection pane of a single frame, not just in the packet list, which does not show the VLAN IDs by default - you would have to manually add a column to the packet list to see it there (which is easiest to do by right-clicking the field in the dissection pane and choosing (12 Apr '16, 01:55) sindy

Is there a specific capture filter in Wireshark I should be using along with the registry changes for the Marvell? I have read this: https://wiki.wireshark.org/CaptureSetup/VLAN#Capture_filters but do not understand the section on Capture Filters. Do I need to create one, or is there one already in the collection of filters in Wireshark? (12 Apr '16, 04:22) skeating
These two things are independent. A capture filter restricts the capture to packets which match the expression, and no expression at all means everything is captured. But the capture filter does not modify the packets in any way, so it is unable to remove the 802.1Q headers even if used. So if
are all true, then the driver ignores the (12 Apr '16, 06:36) sindy
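The discussion above turns on one observable fact: whether the frames that reach the capture still carry their 802.1Q tag (EtherType 0x8100, then a 4-byte tag) or arrive with the tag already stripped by the driver. The following is an added example, not code from the thread or from Wireshark; it parses the raw Ethernet header of two constructed frames (one tagged with VLAN ID 100, one untagged) and counts which ones still have a tag, which is the same check you would do by looking at the 802.1Q line in the dissection pane.

```python
import struct

# EtherTypes that announce an 802.1Q / 802.1ad VLAN tag.
VLAN_ETHERTYPES = {0x8100, 0x88A8, 0x9100}


def parse_frame(frame):
    """Return VLAN tags as (vid, pcp, dei), the inner EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlans = 14, []
    # Walk nested tags (QinQ) until a non-VLAN EtherType is reached.
    while ethertype in VLAN_ETHERTYPES:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append((tci & 0x0FFF, tci >> 13, (tci >> 12) & 1))
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset:]}


def tag_summary(frames):
    """Count how many frames still carry a VLAN tag versus arrive untagged."""
    tagged = sum(1 for f in frames if parse_frame(f)["vlans"])
    return tagged, len(frames) - tagged


# Constructed sample frames (not captured from the asker's network).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0a1b2c3d4e5f")
PAYLOAD = bytes.fromhex("4500001c0001000040117ccb0a0000010a0000ff")  # IPv4 header stub
TCI = (5 << 13) | (0 << 12) | 100          # PCP 5, DEI 0, VLAN ID 100
TAGGED_FRAME = DST + SRC + struct.pack("!HHH", 0x8100, TCI, 0x0800) + PAYLOAD
UNTAGGED_FRAME = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD

if __name__ == "__main__":
    for name, frame in (("tagged", TAGGED_FRAME), ("untagged", UNTAGGED_FRAME)):
        info = parse_frame(frame)
        print(name, info["vlans"], hex(info["ethertype"]))
    print("tagged/untagged:", tag_summary([TAGGED_FRAME, UNTAGGED_FRAME]))
```

If every frame from a port you know sends tagged traffic comes back with an empty tag list, the tag is being removed before capture (driver stripping, or the switch not replicating it on the mirror port); a capture filter cannot put it back.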
Hi, you can try Npcap: https://github.com/nmap/npcap/releases. It's an update to the original WinPcap (which is the capturing driver for Windows) and supports VLAN tags for capturing and sending. Make sure you check the "Support 802.1Q VLAN tag when capturing and sending data" option in the installer. answered 11 Apr '16, 17:46 Yang Luo edited 11 Apr '16, 17:47

Npcap only works on WiFi, right? I need to connect with a cable. Is there something that does the same update for WinPcap using Ethernet? (12 Apr '16, 04:13) skeating

Npcap works on wired Ethernet as well as WiFi. (12 Apr '16, 04:29) grahamb ♦
What happens if you don't apply the ip.addr filter?
I still get the same results.
Can you see the VLAN headers on those packets you do capture (DHCP broadcasts etc.)?
Because you claim a VLAN issue but to me it seems like a normal behaviour if you've connected your capturing machine to an ordinary port of a switch and there is no traffic for the capturing machine itself.
And as you wrote that the port is used for access to internet, do you mean you have replaced the original counterpart of that switch port with the capturing PC and you expect to see the attempts of other PCs to access internet servers?
I'm not sure what you mean about the port. I was using port mirroring, in which I am plugged into port #1, which is mirroring port #16, which is the live port. So I have not replaced any PCs, just attempting to capture the traffic going to them.
Sorry, I've missed the part about port mirroring in your question, and have only noticed
The point is that getting just DHCP and NBNS name queries is a typical case when you are connected to an ordinary (i.e. not mirroring) port, while the setting on your network card's driver regarding VLAN header stripping would normally affect only whether the VLAN headers make it to the level inside the network stack where the frames are actually captured. So if tagged frames are coming, you normally can see them even if you don't use that "don't strip" setting, except that the 802.1Q headers are removed before the frame is captured.
So I can imagine three possibilities:
the mirroring doesn't work as expected on the switch,
the driver settings regarding VLANs cause something to go wrong,
some security/firewall software interferes with your WinPcap operation.
Can you capture your own traffic in both directions if connected to an ordinary port and default VLAN-related settings are used on the network card driver? If yes, is it still true after you activate the "don't strip" settings? If not, can you disable all firewall/anti-virus/even VPN software for the time of taking the capture (see other similar questions "I can see only XXX traffic" on this site for details)?
I found the problem. I was mirroring from port 16 to port 1, and getting nowhere. Then I remembered that if I needed to set up a trunk, I had to do so to another port near 16. So I mirrored to port 20, and I got all the packets I needed. Netgear, go figure.
Well, in the case of Cisco, for the destination port to maintain the dot1Q portion of the encapsulation when the packet is reassembled, the command "encapsulation dot1q replicate" has to be added as part of the destination configuration. But this is because most good Cisco switches can work on a layer 3 level. If you don't have a router in place, a layer 3 device that can route the other network and add the dot1Q tag, then you don't truly have a VLAN / segmentation / 2 separate networks. The Netgear is a true layer 2 device. Do you have a router? If so, what model? What is the IP of the first and second network? What does your capture show?