[wplug] VLAN header tags in tcpdump or similar

Nathan Embery nembery at met-net.com
Wed Apr 28 10:38:39 EDT 2010


Hi,
    I lurk a lot, but haven't really posted much. However, I've found an
interesting subject and can't really find any good answers on the
internets anywhere. So, hopefully you guys can help :-)

    Does anyone know of a good way to see the VLAN headers via tcpdump
or wireshark or similar? Apparently, I have a misbehaving network device
that is resetting the VLAN priority tag to 0 somewhere in the path. The
obvious troubleshooting step is to start sniffing at various places to
see what that tag looks like along the way. However, it seems that most
Linux network drivers strip the VLAN information before passing the
packets up the stack.  Check out this note on the wireshark wiki:


        Linux
        To enable VLAN tagging, you need two things: the vlan rpm (e.g.,
        vlan-1.8-23) and the 8021q kernel module. Once installed, the
        vconfig command can be used to create VLAN interfaces on an
        existing physical device. For more info, see the vconfig(8) man
        page. 
        
        After your VLAN interfaces are set up and traffic is flowing,
        you can run Wireshark and capture on the VLAN interface of your
        choice (e.g., eth0.100 for VLAN 100) or on the underlying
        physical interface (e.g., eth0). If you choose the former, you
        will only see frames destined for that VLAN; if you choose the
        latter, you may see all frames or you may see only untagged
        frames (if there are any). It depends on the NIC, the NIC
        firmware, the driver, and the alignment of the moon and planets.
        (A table enumerating the behaviors of various adapters, firmware
        versions, and drivers might be useful. -Guy Harris) 
        
        If you are capturing on the host system where the VLANs are
        configured, you will probably not see the VLAN tags in the
        captured frames -- even if you capture on the physical device.
        The driver is stripping the tags before the pcap library sees
        them. See the tech note from Intel mentioned in the Windows
        section below. (Do Linux drivers support getting VLAN tags,
        perhaps with a driver configuration option or other option, in
        the same way that the Intel Windows driver does? -Guy Harris)
        (e100 driver works great on 2.4.26 - Jaap Keuter) 
        

Clearly, this isn't very helpful... Anybody encountered this before? I
have a wide range of equipment here to work with, so any solution at all
would be helpful (Juniper, Cisco, Linux, BSD, Solaris, etc...)

-Nate
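
The check described in the post above, as an added example that is not part of the original message: it decodes the 802.1Q tag (TPID, then a 16-bit TCI holding a 3-bit priority, 1-bit DEI and 12-bit VLAN ID) from raw Ethernet frames and reports the first capture point where the priority changes. The tap-point names, function names and sample frames are constructed for illustration.

```python
import struct

TPIDS = (0x8100, 0x88A8)  # 802.1Q C-tag and 802.1ad S-tag

def parse_vlan_tags(frame):
    """Return (tags, ethertype); tags is outermost-first, empty if untagged/stripped."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    offset, tags = 12, []  # skip destination and source MAC
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return tags, ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4

def first_priority_change(captures):
    """captures: ordered (point, frame) pairs for one flow.
    Return (prev_point, point, prev_pcp, pcp) at the first outer-PCP change, else None."""
    prev = None
    for point, frame in captures:
        tags, _ = parse_vlan_tags(frame)
        pcp = tags[0]["pcp"] if tags else None  # None: no tag visible here
        if prev is not None and pcp != prev[1]:
            return prev[0], point, prev[1], pcp
        prev = (point, pcp)
    return None

def build_frame(pcp, vid):
    """Constructed sample: tagged IPv4 frame with zeroed payload."""
    macs = bytes.fromhex("020000000002" "020000000001")
    return macs + struct.pack("!HHH", 0x8100, (pcp << 13) | vid, 0x0800) + bytes(46)

# Constructed captures of the same flow at three hypothetical tap points.
SAMPLE_CAPTURES = [
    ("tap-1", build_frame(5, 100)),
    ("tap-2", build_frame(5, 100)),
    ("tap-3", build_frame(0, 100)),
]

if __name__ == "__main__":
    for point, frame in SAMPLE_CAPTURES:
        print(point, parse_vlan_tags(frame))
    print("first change:", first_priority_change(SAMPLE_CAPTURES))
```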
