Ask Your Question
0

How can I get Wireshark to show me the packed VLAN and Priority tag?

asked 2020-07-21 00:29:12 +0000

Rod Hughes gravatar image

I normally only see the sections Frame, Ethernet (and for these messages) IEC 61850 Sampled Values. But I recently saw an article https://www.linkedin.com/pulse/iec-61... which shows a section "802.1Q Virtuial Lan ...." How do I show that section?

edit retag flag offensive close merge delete

Comments

Are you on a VLAN? The capture in that article was done on a VLAN, which is why there's a VLAN tag; if your captures aren't on a VLAN, there won't be a VLAN tag.

Guy Harris gravatar imageGuy Harris ( 2020-07-21 00:38:15 +0000 )edit

Yes it is an IEC 61850 based substation network which has IEDs sending messages on specific VLANs and I need to see if the VLAN tag has been retained all the way through to the final port

Rod Hughes gravatar imageRod Hughes ( 2020-07-21 01:14:44 +0000 )edit

What's the full text from the "Running on" portion of the "About" dialog in Wireshark? (I have a strong suspicion about what's happening - it's not something in Wireshark, it's something in the underlying capture mechanism Wireshark uses, and that depends on the OS and OS version on which you're running and the version of libpcap/WinPcap/Npcap.)

Guy Harris gravatar imageGuy Harris ( 2020-07-21 01:39:45 +0000 )edit

I need to see if the VLAN tag has been retained all the way through to the final port

Are you sure the "final port", where you are presumably capturing, is a VLAN trunk port so that VLAN tags will be present?

grahamb gravatar imagegrahamb ( 2020-07-21 07:35:13 +0000 )edit

Yes - I am absolutely sure all switch ports are TRUNK ports. I have been debugging IEC 61850 LANs for 15 years or so and hence I know how to configure the LAN switches. I also know that problems are either the port VLAN or the VLAN configuration at the publisher IED or the subscriber VLAN setting The question is that even as a TRUNK port, is it allowing the right VLANs through?

What I need though is to find out how Wireshark can be set to display the VLAN.

I am not sure why it is relevant, but I even downloaded a new version of Wireshark and checked an old PCAP file The version is Version 3.2.5 (v3.2.5-0-ged20ddea8138)

Rod Hughes gravatar imageRod Hughes ( 2020-07-21 07:45:44 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-07-21 08:18:25 +0000

Guy Harris gravatar image

with Npcap version 0.9994

As indicated in Npcap issue #171, it appears that, in at least some circumstances, the Windows networking stack may strip out VLAN tags, and might put them in some metadata attached to the packet, so that Npcap could extract the VLAN tag from the metadata and insert it back in the raw packet data.

Unfortunately, Npcap currently doesn't do that, which means that, if that's what's happening, Wireshark never even sees the tag, and there's nothing it can do to get at the tag information, so the tags are permanently lost in a capture - Wireshark can't display those VLAN tags because it doesn't have them.

edit flag offensive delete link more

Comments

Thanks I am not an "IT guy" to that extent :( But it seems you are saying Wireshark can't show VLAN or Priority Tag So how did the Wireshark image in this LinkedIn post show VLAN and Priority? https://www.linkedin.com/pulse/iec-61...

Rod Hughes gravatar imageRod Hughes ( 2020-07-21 09:34:55 +0000 )edit

But it seems you are saying Wireshark can't show VLAN or Priority Tag

Wireshark obviously can't show a VLAN ID and priority tag if there is no VLAN ID or priority tag to show.

So how did the Wireshark image in this LinkedIn post show VLAN and Priority?

It's a capture that does have a VLAN ID and priority tag, probably because it wasn't captured on Windows or any other platform that strips VLAN tags.

Guy Harris gravatar imageGuy Harris ( 2020-07-21 12:16:39 +0000 )edit

I know that there is a VLAN and Priority tag .. well, there SHOULD be because the sending device is configured to do that - but that is what I am trying to verify it does!. So to re-phrase my question: what do I have to do to make my Windows 10 PC show those tags in Wireshark? Or is it simply not possible because W10 inherently strips the tags? If my W10 can be configured so it doesn't strip the tags, is there anything extra to do in Wireshark to get Wireshark to display them?

Rod Hughes gravatar imageRod Hughes ( 2020-07-21 12:59:40 +0000 )edit

So to re-phrase my question: what do I have to do to make my Windows 10 PC show those tags in Wireshark?

If, as is probably the case, this is Npcap issue #171, what you need to do is install a version of Npcap with a fix for that issue. Unfortunately, no such version exists, and it's probably not a trivial bug to fix.

Or is it simply not possible because W10 inherently strips the tags?

Either the Windows 10 network stack or the adapter driver might be stripping the tags. There might be a configuration flag for the network stack or the driver to get it not to strip the tags.

If my W10 can be configured so it doesn't strip the tags, is there anything extra to do in Wireshark to get Wireshark to display them?

No.

Guy Harris gravatar imageGuy Harris ( 2020-07-21 18:36:03 +0000 )edit

Understood :) It is a PC / W10 issue, not Wireshark. Thank you for persevering with the explanation.

Rod Hughes gravatar imageRod Hughes ( 2020-07-21 23:33:01 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-07-21 00:29:12 +0000

Seen: 24,344 times

Last updated: Jul 21 '20