Solved: Do packet show VLAN tags in Wireshark when captured from a mirrored port (SPAN)

mcollins1983 · ‎12-11-2018

Hi.

I have a trunked switchport (source) which is mirrored to an access switchport (destination). When I capture the traffic using Wireshark, I do not see any VLAN tags (vlan.id). Is this expected, as the destination port is an access port? Should I switch my destination port to be a trunked switchport from an access switchport?

Thanks.

Francesco Molino · ‎12-11-2018

Hi

Which model of switches are you using?
On recent switches you don't have anymore the following command but on all others you have to add encapsulation dot1q on your destination like:
monitor session 1 destination interface g1/0/48 encapsulation dot1q

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎12-11-2018

Hi

Which model of switches are you using?
On recent switches you don't have anymore the following command but on all others you have to add encapsulation dot1q on your destination like:
monitor session 1 destination interface g1/0/48 encapsulation dot1q

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

mcollins1983 · ‎12-11-2018

Hi.

Thanks for the reply. I'm not sure of the model as I'm not in front of it
right now but it might be a 2960.

Sounds like you might be right.

What would happen if the encapsulation dot1q wasn't used? I could still see
the expected traffic, it just didn't show with a vlan.id in Wireshark.

Thanks.

mcollins1983 · ‎12-12-2018

Hi Francesco,
You are correct. adding the encapsulation dot1q command worked.
Thanks.

Francesco Molino · ‎12-12-2018

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Seb Rupik · ‎12-12-2018

Hi there,

Are you using a windows laptop connected to the SPAN port?

If I remember correctly the widows network stack by default will drop tagged frames, so your capture will miss a lot of traffic.

There is a REG key you can change to not drop tagged frames, or just use tcpdump on a linux laptop and export the PCap back to your windows laptop.

Cheers,

Seb.

Seb Rupik · ‎12-12-2018

Here you go:
https://www.intel.com/content/www/us/en/support/articles/000005498/network-and-i-o/ethernet-products.html

mcollins1983 · ‎12-12-2018

No, I am actually using a Mac.

Seb Rupik · ‎12-12-2018

ah. I've never had to try and use a mac, but this page suggests you may need to configure the corresponding VLAN sub-interfaces on you capture interface for each VLAN:

https://wiki.wireshark.org/CaptureSetup/VLAN

mcollins1983 · ‎12-12-2018

Hi.

I have tested using a trunk port and I can capture traffic from multiple VLANs with the vlan.id showing correctly. So I'm confident that it's not the computer.

Thanks.

Francesco Molino · ‎12-12-2018

Not sure I followed correctly. Have you tried the monitor command with encapsulation at the end?
Your last post says you see vlan id?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

mcollins1983 · ‎12-12-2018

Sorry I was replying to Seb when he suggested that I might need to tag the VLANs on my Mac. I do not need to take any VLANs on my Mac (running Mojave).