I normally only see the sections Frame, Ethernet (and for these messages) IEC 61850 Sampled Values. But I recently saw an article https://www.linkedin.com/pulse/iec-61... which shows a section "802.1Q Virtuial Lan ...." How do I show that section?
with Npcap version 0.9994
As indicated in Npcap issue #171, it appears that, in at least some circumstances, the Windows networking stack may strip out VLAN tags, and might put them in some metadata attached to the packet, so that Npcap could extract the VLAN tag from the metadata and insert it back in the raw packet data.
Unfortunately, Npcap currently doesn't do that, which means that, if that's what's happening, Wireshark never even sees the tag, and there's nothing it can do to get at the tag information, so the tags are permanently lost in a capture - Wireshark can't display those VLAN tags because it doesn't have them.
Thanks I am not an "IT guy" to that extent :( But it seems you are saying Wireshark can't show VLAN or Priority Tag So how did the Wireshark image in this LinkedIn post show VLAN and Priority? https://www.linkedin.com/pulse/iec-61...
But it seems you are saying Wireshark can't show VLAN or Priority Tag
Wireshark obviously can't show a VLAN ID and priority tag if there is no VLAN ID or priority tag to show.
So how did the Wireshark image in this LinkedIn post show VLAN and Priority?
It's a capture that does have a VLAN ID and priority tag, probably because it wasn't captured on Windows or any other platform that strips VLAN tags.
I know that there is a VLAN and Priority tag .. well, there SHOULD be because the sending device is configured to do that - but that is what I am trying to verify it does!. So to re-phrase my question: what do I have to do to make my Windows 10 PC show those tags in Wireshark? Or is it simply not possible because W10 inherently strips the tags? If my W10 can be configured so it doesn't strip the tags, is there anything extra to do in Wireshark to get Wireshark to display them?
So to re-phrase my question: what do I have to do to make my Windows 10 PC show those tags in Wireshark?
If, as is probably the case, this is Npcap issue #171, what you need to do is install a version of Npcap with a fix for that issue. Unfortunately, no such version exists, and it's probably not a trivial bug to fix.
Or is it simply not possible because W10 inherently strips the tags?
Either the Windows 10 network stack or the adapter driver might be stripping the tags. There might be a configuration flag for the network stack or the driver to get it not to strip the tags.
If my W10 can be configured so it doesn't strip the tags, is there anything extra to do in Wireshark to get Wireshark to display them?
No.
Understood :) It is a PC / W10 issue, not Wireshark. Thank you for persevering with the explanation.
Asked: 2020-07-21 00:29:12 +0000
Seen: 23,963 times
Last updated: Jul 21 '20
Are you on a VLAN? The capture in that article was done on a VLAN, which is why there's a VLAN tag; if your captures aren't on a VLAN, there won't be a VLAN tag.
Yes it is an IEC 61850 based substation network which has IEDs sending messages on specific VLANs and I need to see if the VLAN tag has been retained all the way through to the final port
What's the full text from the "Running on" portion of the "About" dialog in Wireshark? (I have a strong suspicion about what's happening - it's not something in Wireshark, it's something in the underlying capture mechanism Wireshark uses, and that depends on the OS and OS version on which you're running and the version of libpcap/WinPcap/Npcap.)
Are you sure the "final port", where you are presumably capturing, is a VLAN trunk port so that VLAN tags will be present?
Yes - I am absolutely sure all switch ports are TRUNK ports. I have been debugging IEC 61850 LANs for 15 years or so and hence I know how to configure the LAN switches. I also know that problems are either the port VLAN or the VLAN configuration at the publisher IED or the subscriber VLAN setting The question is that even as a TRUNK port, is it allowing the right VLANs through?
What I need though is to find out how Wireshark can be set to display the VLAN.
I am not sure why it is relevant, but I even downloaded a new version of Wireshark and checked an old PCAP file The version is Version 3.2.5 (v3.2.5-0-ged20ddea8138)