Ask Your Question
0

How to capture VLAN tagged packets

asked 2019-03-06 21:59:36 +0000

HiZ gravatar image

updated 2019-05-01 09:29:00 +0000

grahamb gravatar image

Hi,

I want to capture packets with VLAN tags (from a Cisco switchport in trunk mode), but not having any success on my Windows 10 machine. I've followed the Intel guide to enable the passing of the tags but still no luck. When I connect to the same port and run Wireshark on an OSX 2009 Macbook Pro, it works fine.

https://www.intel.co.uk/content/www/u...

Have tried both an Intel Pro 1000 MT and 82579LM NIC. Each requiring the different registry value, due to their driver type.

Any help appreciated.

Cheers

Version 3.0.0 (v3.0.0-0-g937e33de)

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <http: www.gnu.org="" licenses="" old-licenses="" gpl-2.0.html=""> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 

Compiled (64-bit) with Qt 5.12.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729. 

Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz (with SSE4.2), with 20368 MB of physical memory, with locale English_United Kingdom.1252, with Npcap version 0.99-r9, based on libpcap version 1.8.1, with GnuTLS 3.6.3, with Gcrypt 1.8.3, without AirPcap, binary plugins supported (14 loaded). Built using Microsoft Visual Studio 2017 (VC++ 14.12, build 25835). 
edit retag flag offensive close merge delete

Comments

On which interface are you capturing ? Virtual interfaces or the main one ? Are you receiving all traffic but untagged or only traffic from native VLAN ? If Wireshark is after the interfaces, then the NIC would strip out any dot1q tag and Wireshark only receive untagged packets .

clement-CCIE gravatar imageclement-CCIE ( 2019-05-01 03:10:30 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-05-01 06:21:19 +0000

Jaap gravatar image

This part of the release note of Npcap 0.992 is ambiguous at best:

Remove installer interface option "Support 802.1Q VLAN tag when capturing and sending data," which was unsupported for three years. Support may be restored in future releases, but the option has not had any effect in earlier installers.

You could contact the Npcap developers to find out what the status of VLAN tag capture actually is.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2019-03-06 21:59:36 +0000

Seen: 11,089 times

Last updated: May 01 '19