|
Symptom(s):
My sniffer is not seeing VLAN or QoS tagged frames.
Solution:
| Note |
After changing the adapter's registry setting in Windows you MUST restart the adapter before the new setting will work.
Restart your adapter:
Use Windows* Device Manger to disable and then enable the adapter
or
Restart Windows* | |
For Microsoft Windows*
Allow tagged frames to be passed to your packet capture software by going into the registry and either add a registry dword and value or change the value of the registry key. The bus type of your network adapter you dictate the keyword used, either "MonitorModeEnabled" for PCI/PCI-X Network Adapters, or "MonitorMode" for PCI-e based Network Adapters.
The new key (dword) should be placed at:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00nn
Where nn is the instance of the network adapter that you need to see tags on. (Check by opening and viewing the name of the adapter.)
| Note |
ControlSet001 may need to be CurrentControlSet or another 00x number. | |
Warning: Changes to the registry can disable your system and should only be made by skilled technicians. This change should only be made for promiscuous mode/sniffing use.
The registry dword for a PCI or PCI-X Network Adapter is: MonitorModeEnabled.
Set the dword value to one of the following options:
- 0 - disabled (Do not store bad packets, Do not store CRCs, Strip 802.1Q vlan tags)
- 1 - enabled (Store bad packets. Store CRCs. Do not strip 802.1Q vlan tags)
The registry dword for a PCI-Express Network Adapter the registry dword is: MonitorMode.
Set the dword value to one of the following options:
- 0 - disabled (Do not store bad packets, Do not store CRCs, Strip 802.1Q vlan tags)
- 1 - enabled (Receive bad/runt/invalid CRC packets. Leave CRCs attached to the packets. Strip VLAN tags and ignore packets sent to other VLANs as per normal operation.)
- 2 - enabled strip vlan (Receive bad/runt/invalid CRC packets. Leave CRCs attached to the packets. Pass all VLAN packets to the host, even those sent to other VLANs. Leave VLAN tags attached to the packets. This mode is likely to break VLAN)
For Linux*
To strip VLAN tags: Load the kernel supplied 802.1q module. This automatically enables the Intel Networking hardware offload capabilities to offload VLAN tag stripping and insertion. For information on loading the 802.1q module, contact your distribution for support.
To not strip VLAN tags: By default, the driver, in promiscuous mode, does not strip VLAN tags.
Your capture software is responsible for enabling promiscuous mode in your driver. If the driver is not in promiscuous mode, the packets are dropped or ignored because of the bad type/len field.
One source for VLAN/802.1q information under Linux is: http://www.linuxhorizon.ro/vlans.html.
This applies to:
| 
