From: Daniel Fischer (Daniel.Fischer@gmx.net)
Date: Sun Mar 30 2008 - 09:37:18 ART
hello
my experience with ethereal/wireshark (on winXP) is that the os strips the vlan tags by default. To allow them to pass to the application (wireshark, in this case) we need to allow the tags to pass. This can be achieved by changing the relevant registry keys. They are different for each nic brand/model.
below a solution for broadcom and intel cards:
For Broadcom Cards:
First update driver to latest version.
There is a registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet that can be set to cause the driver
and chip not to strip the 802.1Q headers.
In order to set that key, you need to find the right instance of the driver in Registry Editor and set that key for it.
You can do this by doing following:
1. Run the Registry Editor (regedt32).
2. Search for "TxCoalescingTicks" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" and ensure this is
the only instance that you have.
3. Right-click on the instance number (eg. 0008) and add a new string value.
4. Enter "PreserveVlanInfoInRxPacket" and give it the value "1".
Save and Reboot
This should set you up to be able to sniff the VLAN tag information.
intel: http://support.intel.com/support/network/sb/CS-005897.htm
good luck
Daniel
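An added example, not part of the original post: a way to check whether a saved capture actually carries 802.1Q tags after the driver change, by walking a classic pcap file and reading the tag at the EtherType position. The function names and sample frames are constructed for illustration, and the capture is assumed to be saved in classic pcap format with Ethernet link type (not pcapng).

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_pcap(frames):
    """Build a classic little-endian pcap (LINKTYPE_ETHERNET) from raw frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def vlan_tags(pcap):
    """Return (frame_no, vlan_id, priority, ethertype) per frame.

    vlan_id and priority are None when the frame has no 802.1Q tag,
    which is what every frame looks like if the NIC driver strips tags.
    """
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    results, off, frame_no = [], 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frame_no += 1
        if len(frame) < 14:          # truncated Ethernet header, skip
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == TPID_8021Q and len(frame) >= 18:
            tci, inner = struct.unpack("!HH", frame[14:18])
            results.append((frame_no, tci & 0x0FFF, tci >> 13, inner))
        else:
            results.append((frame_no, None, None, ethertype))
    return results

# Constructed sample: one frame tagged VLAN 100 / priority 5, one untagged.
MACS = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
TAGGED = MACS + struct.pack("!HHH", TPID_8021Q, (5 << 13) | 100, 0x0800) + b"\x00" * 46
UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"\x00" * 46
SAMPLE = build_pcap([TAGGED, UNTAGGED])

if __name__ == "__main__":
    for row in vlan_tags(SAMPLE):
        print(row)
```

If every frame from a trunk port comes back with `None` for the VLAN ID, the tags are being removed before they reach the capture application.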
-------- Original Message --------
> Date: Fri, 28 Mar 2008 16:49:13 -0700
> From: "Jian Gu" <guxiaojian@gmail.com>
> To: "Joseph Brunner" <joe@affirmedsystems.com>
> CC: "Sadiq Yakasai" <sadiqtanko@gmail.com>, "Cisco certification" <ccielab@groupstudy.com>
> Subject: Re: VLAN Tag on Wirieshark capture
> This is not true, when you run Ethereal or Wireshark on a NIC, it turns the
> NIC to promiscuous mode, NIC card will not know whether the Ethernet frames
> it receives are tagged or not.
>
> The reason you don't see VLAN tags in capture software is because SPAN on
> Cisco switches only copies Layer 2 Ethernet frames, SPAN does not copy
> source trunk port ISL or 802.1Q tags. You can configure destination ports as
> trunks to send locally tagged traffic to the traffic analyzer.
>
> On Fri, Mar 28, 2008 at 9:33 AM, Joseph Brunner <joe@affirmedsystems.com>
> wrote:
>
> > You need a nic card which doesn't strip them off... try the INTEL instead
> > of the broadcom cards or search the hacki site to get the model.
> >
> > Joe
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Sadiq Yakasai
> > Sent: Friday, March 28, 2008 10:16 AM
> > To: Cisco certification
> > Subject: VLAN Tag on Wirieshark capture
> >
> > Hi Guys,
> >
> > Please how can I view the VLAN tags on a wireshark capture for dot1q
> > frames?
> >
> > I have done the capture, but the information I see when the capture
> > application decodes all the information but does not include the
> > VLAN tags of the actual frames.
> >
> > I know there has to be a way to get this information, but just not
> > seeing it. I have done a few searches online and can't lay a finger on
> > any useful information.
> >
> > Any help would be highly appreciated.
> >
> > Thanks!!
> >
> > Sadiq
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:54 ART