See the tech note from Intel mentioned in the Windows section below. The driver is stripping the tags before the pcap library sees them. If you are capturing on the host system where the VLANs are configured, you will probably not see the VLAN tags in the captured frames – even if you capture on the physical device. (A table enumerating the behaviors of various adapters, firmware versions, and drivers might be useful.
It depends on the NIC, the NIC firmware, the driver, and the alignment of the moon and planets. If you choose the former, you will only see frames destined for that VLAN if you choose the latter, you may see all frames or you may see only untagged frames (if there are any). For more info, see the vconfig(8) man page.Īfter your VLAN interfaces are set up and traffic is flowing, you can run Wireshark and capture on the VLAN interface of your choice (e.g., eth0.100 for VLAN 100) or on the underlying physical interface (e.g., eth0). Once installed, the vconfig command can be used to create VLAN interfaces on an existing physical device. To enable VLAN tagging, you need two things: the vlan rpm (e.g., vlan-1.8-23) and the 8021q kernel module. You'll definitely see the VLAN tags, regardless of what OS the independent system is running or what type of network adapter you're using. If the OS or the network adapter driver won't allow the VLAN tags to be captured, set up port mirroring (or "port spanning", as Cisco calls it) on the VLAN switch and connect an independent system, such as a laptop, to the mirror port, and don't configure the interface attached to that port as a member of a VLAN. Here are some details on capturing VLAN tags on various operating systems. On those OSes, in order to see the raw Ethernet packets, rather than "de-VLANized" packets, you would have to capture not on the virtual interface for the VLAN, but on the interface corresponding to the physical network device, if possible. The OS's networking stack would be connected to the VLAN interface, and that interface would appear to the networking stack to be an Ethernet interface with a smaller MTU than normal (to leave room for the VLAN tags).
When capturing on a VLAN, you won't necessarily see the VLAN tags in packets.įor example, in at least some operating systems, you might have more than one network interface device on which you can capture - a "raw interface" corresponding to the physical network adapter, and a "VLAN interface" the traffic on which has had the VLAN tags removed. Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller.
0 kommentar(er)
