|
Symptom(s):
My sniffer is not seeing VLAN or QoS tagged frames.
Solution:
| Note |
After changing the adapter's registry setting in Windows you MUST restart Windows before the new registry setting will work. | |
For Microsoft Windows*
Allow tagged frames to be passed to your packet capture software by going into the registry and either add a registry dword and value or change the value of the registry key. The registry change required is determined by the driver in use:
|
Adapter Driver |
Registry Key |
| e1g, e1e, e1y |
MonitorModeEnabled |
| e1c, e1d, e1k, e1q, e1r, ixe, ixn, ixt |
MonitorMode | |
| Note |
If you don't know how to determine which driver your adapter uses, check the following link for help:
How do I identify my wired Ethernet adapter and driver version? |
|
Drivers that are included in Microsoft Windows are provided by Microsoft and might not include support for promiscuos mode. This registry entry is only supported on Intel drivers. | |
The new key (dword) should be placed at:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00nn
Where nn is the physical instance of the network port where you want to capture the VLAN tags.
| Note |
ControlSet001 may need to be Current Control Set or another 00x number. | |
Warning: Changes to the registry can disable your system and should only be made by skilled technicians. This change should only be made for promiscuous mode/sniffing use.
When creating or modifying registry dword: MonitorModeEnabled.
Set the dword value to one of the following options:
- 0 - disabled (Do not store bad packets, Do not store CRCs, Strip 802.1Q vlan tags)
- 1 - enabled (Store bad packets. Store CRCs. Do not strip 802.1Q vlan tags)
When creating or modifying registry dword: MonitorMode.
Set the dword value to one of the following options:
- 0 - disabled (Do not store bad packets, Do not store CRCs, Strip 802.1Q vlan tags)
- 1 - enabled (Receive bad/runt/invalid CRC packets. Leave CRCs attached to the packets. Do not strip VLAN tags and ignore packets sent to other VLANs as per normal operation.)
You MUST restart Windows for the registry change to take effect.
For Linux*
To strip VLAN tags: Load the kernel supplied 802.1q module. This automatically enables the Intel Networking hardware offload capabilities to offload VLAN tag stripping and insertion. For information on loading the 802.1q module, contact your distribution for support.
To not strip VLAN tags: By default, the driver, in promiscuous mode, does not strip VLAN tags.
Your capture software is responsible for enabling promiscuous mode in your driver. If the driver is not in promiscuous mode, the packets are dropped or ignored because of the bad type/len field.
This applies to:
| 
