[wplug] VLAN header tags in tcpdump or similar

Eli Heady eli.heady at gmail.com
Wed Apr 28 14:18:19 EDT 2010


Hi Nathan,

Disappearing VLAN tags are vexing. I must be very lucky, or the moon
and planets must be aligned in my favor, because I have not had the
problems Guy Harris describes. Have you tried capturing traffic to see
if your listening device shows you vlan tags?

The wiki article you've quoted suggests configuring vlans on your
listening interface and then starting wireshark on those vlan tagged
interfaces. In my experience, that is not necessary. If running
wireshark on your raw (un-vlan'd) interface shows vlan traffic, you
can then filter traffic from arbitrary vlans with this filter: vlan.id
== 2 (this would show you only those packets tagged with vlan id 2,
adjust as needed). Keep in mind of course, you won't see vlan tags if
the switch is stripping them from the port you're connected to.

I'm doing this now on a single machine with vlans on a tap interface,
but I believe this will be the case in normal scenarios also. I do
have 8021q loaded, and am using wireshark 1.2.7. I suspect this will
work fine on modern, Linux supported NICs, with or without 8021q
loaded, but I can't test at the moment. My advice is try it and see;
you may be pleasantly surprised. If it doesn't work for you, details
of your test NIC and problem switch would help with troubleshooting.

hope that helps,
Eli


On Wed, Apr 28, 2010 at 10:38 AM, Nathan Embery <nembery at met-net.com> wrote:
> Hi,
>     I lurk a lot, but haven't really posted much. However, I've found an
> interesting subject and can't really find any good answers on the internets
> anywhere. So, hopefully you guys can help :-)
>
>     Does anyone know of a good way to see the VLAN headers via tcpdump or
> wireshark or similar? Apparently, I have a misbehaving network device that
> is resetting the Vlan priority tag to 0 somewhere in the path. The obvious
> troubleshooting step is to start sniffing at various places to see what that
> tag looks like along the way. However, it seems that most linux network
> drivers strip the VLAN information before passing the packets up the stack.
> Check out this note on the wireshark wiki:
>
> Linux
> To enable VLAN tagging, you need two things: the vlan rpm (e.g.,
> vlan-1.8-23) and the 8021q kernel module. Once installed, the vconfig
> command can be used to create VLAN interfaces on an existing physical
> device. For more info, see the vconfig(8) man page.
>
> After your VLAN interfaces are set up and traffic is flowing, you can run
> Wireshark and capture on the VLAN interface of your choice (e.g., eth0.100
> for VLAN 100) or on the underlying physical interface (e.g., eth0). If you
> choose the former, you will only see frames destined for that VLAN; if you
> choose the latter, you may see all frames or you may see only untagged
> frames (if there are any). It depends on the NIC, the NIC firmware, the
> driver, and the alignment of the moon and planets. (A table enumerating the
> behaviors of various adapters, firmware versions, and drivers might be
> useful. -Guy Harris)
>
> If you are capturing on the host system where the VLANs are configured, you
> will probably not see the VLAN tags in the captured frames -- even if you
> capture on the physical device. The driver is stripping the tags before the
> pcap library sees them. See the tech note from Intel mentioned in the
> Windows section below. (Do Linux drivers support getting VLAN tags, perhaps
> with a driver configuration option or other option, in the same way that the
> Intel Windows driver does? -Guy Harris) (e100 driver works great on 2.4.26 -
> Jaap Keuter)
>
> Clearly, this isn't very helpful... Anybody encountered this before? I have
> a wide range of equipment here to work with, so any solution at all would be
> helpful (juniper, cisco, linux, bsd, solaris, etc...)
>
> -Nate
>
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
>
>

