Why am I seeing the same packet twice, once with a VLAN ID and once without a VLAN ID?

asked 2022-12-17 19:40:29 +0000

joao.amoe

updated 2022-12-18 02:39:55 +0000

Guy Harris

Could you help me understand this capture?

The capture was made on a Linux host, directly connected to the switch, receiving IKE packets from IPsec.

In the capture I see packets coming without marking and another with marking, with the same checksum and identification.

Am I right?

1 Answer

answered 2022-12-18 09:16:44 +0000

Jaap

Your description of the whole setup is a bit ambiguous, therefore I'm going to assume the capture was made on the switch monitor port. In that case you see the VLAN tagged frames on the ingress port and the non-tagged frames on the egress port of the switch. This is the result of a) the egress port being configured to add/drop the VLAN tag, and b) your monitor port being configured to mirror all traffic going in and out of the switch.

Thank you for taking the time to answer my question, Jaap.

Unfortunately I didn't capture it on the switch. It was a capture on the Ethernet port of the Linux host, which in this case is my firewall. This host is virtualized, so it is a virtual network interface.

I was wondering about LACP binding issues that could give this kind of "weirdness" to my capture.

joao.amoe ( 2022-12-19 00:01:56 +0000 )

I'm not seeing LACP having to do with VLAN tagging, it operates below that. Since the capture solution used is a bit non-standard I would (still) say it has something to do with that.

Jaap ( 2022-12-19 08:28:47 +0000 )

I understand. Thanks, that gave me some clarity.

When it says "non-standard capture" is it the method I sent?

If there is something I can improve, can you guide me? I'm looking for the forum to give the least amount of effort to employees who donate their time to help.

joao.amoe ( 2022-12-19 10:18:48 +0000 )

This would take a much deeper look into all details of your topology and the involved software components to make out why you're seeing this. Standard capture would be a bare metal Linux host (without VMs) where you capture the local traffic on a single Ethernet interface. You've got LACP, a firewall, VLANs and VMs piled on top of that in some way, and then capture somewhere in there. That's what I call non-standard.

Jaap ( 2022-12-19 12:11:17 +0000 )

You are right. Thanks for your time, I was very helpful.

joao.amoe ( 2022-12-19 12:52:50 +0000 )
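
To confirm the pattern described in the question (the same IP packet seen once with and once without an 802.1Q tag), the following added example, which is not part of the original thread, pairs frames by IP identification and header checksum after skipping any VLAN tag. The key fields are a heuristic, the function names are hypothetical, and the sample frames (addresses, VLAN ID 100, IP IDs) are constructed for illustration.

```python
import struct
from collections import defaultdict

ETH_8021Q, ETH_IPV4 = 0x8100, 0x0800

def parse_frame(frame):
    """Return (vlan_id or None, key) for an IPv4 frame, or None if not IPv4."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan_id = 14, None
    if ethertype == ETH_8021Q and len(frame) >= 18:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VLAN ID
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return None
    ip = frame[offset:offset + 20]
    ident, = struct.unpack_from("!H", ip, 4)
    checksum, = struct.unpack_from("!H", ip, 10)
    # Heuristic key: addresses, protocol, IP identification and header checksum.
    return vlan_id, (ip[12:16], ip[16:20], ip[9], ident, checksum)

def find_tag_duplicates(frames):
    """Map each key seen both untagged and tagged to the set of VLAN IDs seen."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            seen[parsed[1]].add(parsed[0])
    return {k: v for k, v in seen.items() if None in v and len(v) > 1}

def ip_checksum(header):
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sample_frame(ident, vlan_id=None):
    """Constructed frame: zeroed MACs, optional 802.1Q tag, bare IPv4 header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_8021Q, vlan_id)
    return bytes(12) + tag + struct.pack("!H", ETH_IPV4) + hdr

if __name__ == "__main__":
    frames = [sample_frame(0x1234, 100), sample_frame(0x1234), sample_frame(0x5678)]
    for key, vlans in find_tag_duplicates(frames).items():
        print(f"IP ID {key[3]:#06x} checksum {key[4]:#06x} seen with VLANs {vlans}")
```

A key reported here means the IP header was captured at two points, one before and one after the tag was added or stripped, which points at the capture position rather than at a retransmission.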
