This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture VLAN tags on the trunk/tagged port with the Wireshark. ls it possible?

0

Hi All,

As the title says: How to capture VLAN tags on the trunk/tagged port with the Wireshark. is it possible? Let's say I do have a switchport configured listening on the "tags" 10,20,30 (trunk port really). Haker connects with PC to this port. Running Wireshark. What info will hacker able to see?

Thank you, Mykhaylo

asked 11 Apr '17, 03:37

Myky's gravatar image

Myky
16225
accept rate: 0%

edited 11 Apr '17, 03:38


One Answer:

0

If the packets leaving the switch on that port have the 802.1Q tag (which they should, as you said it's a trunk port) then yes, you can see them. But since at the port resides no real traffic destination, only few packets will be sent using that port. Mostly it'll be broadcast and multicast traffic, but if you worry about VLAN tags: yes, the "hacker" can see them (assuming a compatible NIC is used for the capture).

answered 11 Apr '17, 03:44

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 11 Apr '17, 13:38

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

Hello Jasper,

Appreciate your response. So idea is to understand if I do have switch port configured for Access Point where management VLAN is also tagged by AP (apart from the different SSID VLANS). So lets say SSID1=10, SSID2=20 and MGMT VLAN=30. Switchport configured as a trunk to accept 10, 20 and 30 VLAN tags. So hacker removes the AP and plugs in his PC, fire up wireshark and all VLAN tags are visible. Is that correct?

Thank you, Mykhaylo

(11 Apr '17, 04:00) Myky
1

yes, that's correct, but not really "hacking" - it's a physical security issue :-)

(11 Apr '17, 04:02) Jasper ♦♦

Yep l do agree :0 thanks!

(11 Apr '17, 04:07) Myky