Do packets show VLAN tags in Wireshark when captured from a mirrored port (SPAN)?

mcollins1983
Level 1

Hi.

I have a trunked switchport (source) which is mirrored to an access switchport (destination). When I capture the traffic using Wireshark, I do not see any VLAN tags (vlan.id). Is this expected, as the destination port is an access port? Should I switch my destination port to be a trunked switchport from an access switchport?

Thanks.

Accepted Solutions

Francesco Molino
VIP Alumni
Hi

Which model of switches are you using?
On recent switches you no longer have the following command, but on all others you have to add encapsulation dot1q on your destination, like:
monitor session 1 destination interface g1/0/48 encapsulation dot1q

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
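
A way to confirm from the capture itself whether the SPAN destination is delivering 802.1Q tags, as an added example that is not part of the original thread. It assumes the capture was saved in classic pcap format with an Ethernet link type; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def vlan_summary(pcap: bytes) -> Counter:
    """Count frames per VLAN ID in a classic pcap; key None means untagged."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"   # little-endian file (microsecond or nanosecond magic)
    elif pcap[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not classic pcap (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue  # no complete Ethernet header in this record
        if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q and len(frame) >= 16:
            tci = struct.unpack("!H", frame[14:16])[0]
            counts[tci & 0x0FFF] += 1  # low 12 bits of the TCI carry the VLAN ID
        else:
            counts[None] += 1
    return counts

# --- constructed sample data (not from the thread) ---
MACS = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")  # dst + src
UNTAGGED = MACS + b"\x08\x00" + bytes(46)

def tagged(vid: int, pcp: int = 0) -> bytes:
    """Constructed Ethernet frame carrying one 802.1Q tag."""
    return MACS + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + b"\x08\x00" + bytes(46)

def sample_pcap(frames) -> bytes:
    """Wrap raw frames in a little-endian classic pcap with link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    with_tags = sample_pcap([tagged(10), tagged(10), tagged(20, pcp=5), UNTAGGED])
    print(vlan_summary(with_tags))                    # tags preserved on the destination
    print(vlan_summary(sample_pcap([UNTAGGED] * 3)))  # tags stripped: only None
```

Wireshark saves pcapng by default, so save or export the capture as pcap before passing its bytes to vlan_summary. A result whose only key is None means no frame in the file carried an 802.1Q tag.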

Hi.

Thanks for the reply. I'm not sure of the model as I'm not in front of it
right now but it might be a 2960.

Sounds like you might be right.

What would happen if the encapsulation dot1q wasn't used? I could still see
the expected traffic, it just didn't show with a vlan.id in Wireshark.

Thanks.


Hi Francesco,
You are correct. Adding the encapsulation dot1q command worked.
Thanks.

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Seb Rupik
VIP Alumni

Hi there,

Are you using a Windows laptop connected to the SPAN port?

If I remember correctly, the Windows network stack by default will drop tagged frames, so your capture will miss a lot of traffic.

There is a REG key you can change to not drop tagged frames, or just use tcpdump on a Linux laptop and export the pcap back to your Windows laptop.

Cheers,

Seb.

No, I am actually using a Mac.

Ah. I've never had to try and use a Mac, but this page suggests you may need to configure the corresponding VLAN sub-interfaces on your capture interface for each VLAN:

https://wiki.wireshark.org/CaptureSetup/VLAN

Hi.

I have tested using a trunk port and I can capture traffic from multiple VLANs with the vlan.id showing correctly. So I'm confident that it's not the computer.

Thanks.

Not sure I followed correctly. Have you tried the monitor command with encapsulation at the end?
Your last post says you see vlan id?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sorry, I was replying to Seb when he suggested that I might need to tag the VLANs on my Mac. I do not need to tag any VLANs on my Mac (running Mojave).