|
Symptom(s):
My sniffer is not seeing VLAN or QoS tagged frames.
Solution:
Microsoft* Windows* ---
To allow tagged frames to be passed to your packet capture software you must go into the registry and either add a registry dword and value or change the value of the registry key. Depending on the bus type of your network adapter you will either create the keyword "MonitorModeEnabled" for PCI/PCI-X Network Adapters, or "MonitorMode" for PCI-e based Network Adapters.
The new key (dword) should be placed at:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00xx
where xx is the instance of the network adapter that you need to see tags on. (Check by opening and viewing the name of the adapter).
Note: ControlSet001 may need to be CurrentControlSet or another 00x number.
If you are using a PCI or PCI-X Network Adapter the registry dword is: MonitorModeEnabled
Set the dword value to either:
0 - disabled (Do not store bad packets, Do not store CRCs, Strip 802.1Q vlan tags)
1 - enabled (Store bad packets. Store CRCs. Do not strip 802.1Q vlan tags)
If you are using a PCI-Express Network Adapter the registry dword is: MonitorMode
Set the dword value to either:
0 - disabled (Do not store bad packets, Do not store CRCs, Strip 802.1Q vlan tags)
1 - enabled (Store bad packets. Store CRCs. Do not strip 802.1Q vlan btag)
2 - enabled strip vlan (Store bad packets. Store CRCs. Strip 802.1Q vlan tag as normal)
In most cases you should set MonitorMode=1 or MonitorModeEnabled=1.
Warning: This modification should be made very carefully and only by skilled technicians since changes to the registry may disable your machine. This change should only be made for promiscuous mode/sniffing use.
Linux* ---
To strip VLAN tags: Load the kernel supplied 802.1q module, which will automatically enable the Intel Networking hardware offload capabilites to offload vlans tag stripping and insertion. For information on loading the 802.1q module contact your distribution for support.
To not strip VLAN tags: By default the driver, in promiscuous mode, will not strip VLAN tags.
Your capture software is responsible for enabling promiscuous mode in your driver. If the driver is not in promiscuous mode the packets will be dropped or ignored due to the bad type/len field.
One source for VLAN/802.1q information under linux is: http://www.linuxhorizon.ro/vlans.html*
Operating System:
| Windows Vista*, Windows Server 2008*, Windows 98 SE*, Windows Home Server*, Windows 2000*, Windows Me*, Windows NT 4.0*, Linux*, Windows XP 64-Bit Edition*, Windows XP Professional*, Windows Server 2003* |
This applies to:
| 
