Problem Capturing VLAN Tags With Wireshark
 

This has absolutely nothing to do with travel, except maybe in relation to frames traveling over a network, but I am desperate.

I have been attempting for days and days to capture VLAN tags using Wireshark. I have read everything I can find on this. None of it works.

The basic setup is a Cisco 2960 switch with this setup:

WS-C2960-24TT-L
12.2(44)SE6
C2960-LANBASE9-M

The computer is running Windows 7 Ultimate 64 bit. The Wireshark version is 1.6.5.

I have tried several different NICs. I am focusing on the Intel Pro/1000 GT as supposedly with a registry change it will show the VLAN tags. It does not.

Does anyone have a step by step set of instructions for doing this? I am tired of reading this and that and then trying to piece it all together on both the switch and the PC to make it work. I can see the traffic on VLAN 2 just fine using the gigabit trunk port. It just does not show the VLAN layer.

Have you seen this KB article?
http://www.intel.com/support/network/sb/CS-005897.htm

Otherwise it seems different adapter would be your next best choice unless you want to play all day with drivers. Google seems to suggest Realtek as having better support for passing VLAN tags. Maybe this machine has an integrated Realtek adapter already?

Yes, I tried that. I now have three NICs in the computer right now. Two from Intel and a Trendnet one that has the Realtek chipset that should work unmodified. One of the Intel NICs should work after following the instructions in the link you sent. But it does not.

I am wondering if the setup on the switch is the problem as I can see the frames from VLAN 2 by plugging into the trunk port in both Wireshark and Omnipeek. Omnipeek shows the FCS that Wireshark does not. Neither one shows the VLAN layer. Wild Packets says the same thing that Wireshark says about how to see this layer.

Perhaps since the internet seems to indicate that drivers are more often the problem, could you get a Linux bootable CD and run Wireshark from there? Don't know if that would accomplish what you need, but it would be an easy try I think.

So you're seeing un-tagged VLAN 2 traffic?

Are you sure that you're watching the correct port? It's very uncommon to have both tagged and untagged traffic on the same interface (With some switches it's impossible. With others it is possible, but it's never recommended)

I am giving that idea serious consideration. I really hate to do that since Linux just sucks.

Yes, I see the traffic from the only VLAN I have setup, VLAN 2. I have two devices in that VLAN. While pinging between the two I see the requests and replies. In these frames I see all the fields in all the headers, except for the added VLAN tags.

Feel's very weird posting about VLANs on FT, but here goes :D

the NATIVE VLAN on a given trunk is NOT tagged. if you are SURE that you are connected to a trunk port, but you are seeing the traffic you want to monitor in an untagged format, try chaninging the native vlan on the trunk to something other than 2. (this is assuming the trunk port format is 802.1q but IMO the NIC card won't support any other tagging format in any case)

i.e. it is possible that the reason you cannot see the vlan tags on this particular trunk are because there are none to see on vlan 2.

It is obviously also crucial to confirm that the switch port to which you are connected is actually functioning or operating in a 'trunk' mode and not just configured to do so.

Not actually functioning as a trunk port may be the problem as I only have one switch at present. I found an example on the web of someone with a very similar problem. Their solution used two switches, trunking between them. I am trying that next.

In general this is doable with one switch, but will need to be setup right - google it, my recollection is that you should focus on "ON Vs Desirable", looking at something called DTP within the Cisco.

Good luck

Thanks for all of the advice. In case anyone other than I cares about this sort of thing, I did get it to work. I am so pleased. :D

Good to hear! What ended up working for you?

The explanation is lengthy. Basically finding a NIC that would not strip the VLAN tags, using two switches trunked to each other instead of just one set to trunk mode with nothing on the other end, and the correct configuration for port spanning or monitoring on the switch. I have put the details on my website for the students to use in the future.