vlan tag capturing

onita · ‎11-02-2007

I've been trying to capture the vlan tags on a trunk link using the wireshark and port mirroring with no success. Any ideas on what I'm doing wrong or what I'm missing .

lgijssel · ‎11-02-2007

You should be looking for packets with ethertype 8100. Check the link for a wiki on this:

http://en.wikipedia.org/wiki/IEEE_802.1Q#Frame_format

Setting the monitor port to trunk mode is an experiment that's certainly worth trying. However, even if you are doing everything correctly, your PC adapter may not recognize the packets and ignore them.

regards,

Leo

lrian · ‎11-02-2007

The monitor port has to be configured as a trunk port and the NIC has to support vlan tags.

I've got a Dell laptop with an integrated Broadcom ethernet NIC that doesn't let me capture vlan tags. I ended up getting a Trendnet 10/100/1000 PC card to use w/ wireshark so that I could see the vlan tags.

onita · ‎11-05-2007

I do have the monitor port as trunk. Since I'm running linux I'm gone try tcpdump instead of wireshark.

onita · ‎11-05-2007

Ok, I've got it working. Had to install module 8021q on linux and update my monitor session to

monitor session 2 destination interface Gi1/0/3 encapsulation dot1q