12-11-2018 10:05 PM - edited 03-08-2019 04:47 PM
Hi.
I have a trunked switchport (source) which is mirrored to an access switchport (destination). When I capture the traffic using Wireshark, I do not see any VLAN tags (vlan.id). Is this expected, as the destination port is an access port? Should I switch my destination port to be a trunked switchport from an access switchport?
Thanks.
Solved! Go to Solution.
12-11-2018 10:29 PM
12-11-2018 10:29 PM
12-11-2018 11:10 PM
12-12-2018 08:45 PM
12-12-2018 08:56 PM
12-12-2018 12:29 AM - edited 12-12-2018 12:30 AM
Hi there,
Are you using a windows laptop connected to the SPAN port?
If I remember correctly the widows network stack by default will drop tagged frames, so your capture will miss a lot of traffic.
There is a REG key you can change to not drop tagged frames, or just use tcpdump on a linux laptop and export the PCap back to your windows laptop.
Cheers,
Seb.
12-12-2018 03:09 AM
12-12-2018 03:45 AM
12-12-2018 03:52 AM
ah. I've never had to try and use a mac, but this page suggests you may need to configure the corresponding VLAN sub-interfaces on you capture interface for each VLAN:
12-12-2018 02:33 PM
Hi.
I have tested using a trunk port and I can capture traffic from multiple VLANs with the vlan.id showing correctly. So I'm confident that it's not the computer.
Thanks.
12-12-2018 03:19 PM
12-12-2018 08:44 PM
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: