802.1q frame with tag

Archived from groups: comp.dcom.lans.ethernet (More info?)

Is it possible to see frame with tag using sniffer?

Thanks in advance,

LL
7 answers Last reply
More about frame
  1. Archived from groups: comp.dcom.lans.ethernet (More info?)

    In article <dc998cfd.0411280538.6ce55f0d@posting.google.com>,
    wld <aaabbb16@hotmail.com> wrote:
    :Is it possible to see frame with tag using sniffer?

    Yes.
  2. Archived from groups: comp.dcom.lans.ethernet (More info?)

    roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<cod4t6$k2j$1@canopus.cc.umanitoba.ca>...
    > In article <dc998cfd.0411280538.6ce55f0d@posting.google.com>,
    > wld <aaabbb16@hotmail.com> wrote:
    > :Is it possible to see frame with tag using sniffer?
    >
    > Yes.


    you mean that sniffing it form a port which mirrored to vlan trunking?
  3. Archived from groups: comp.dcom.lans.ethernet (More info?)

    In article <dc998cfd.0411281613.251057f6@posting.google.com>,
    wld <aaabbb16@hotmail.com> wrote:
    |roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<cod4t6$k2j$1@canopus.cc.umanitoba.ca>...
    |> In article <dc998cfd.0411280538.6ce55f0d@posting.google.com>,
    |> wld <aaabbb16@hotmail.com> wrote:
    |> :Is it possible to see frame with tag using sniffer?

    |> Yes.

    |you mean that sniffing it form a port which mirrored to vlan trunking?

    Different manufacturers have different names for the same
    facility. Some call it 'mirroring', some call it 'spanning',
    some call it SPAN or RSPAN. The result is the same in each case:
    to take a copy of some subset of the normal traffic on a switch
    and deliver the copy to another port.

    Whether VLAN tags get stripped or not upon the copy can depend
    upon the device and upon the software release and upon the setup.
    -Generally- speaking, traffic out an untagged port will
    usually show up untagged on the mirroring port, and traffic out
    a tagged port will usually show up tagged on the mirroring
    port, unless the primary vlan ID of the port happens to match the
    VLAN ID of the packet, in which case 802.1Q says the tag should
    be stripped.


    In any case, in your original question, you did not specify
    any conditions upon how the sniffing had to be done: you just
    asked whether it was *possible* to see frames with the tags intact.
    Your question was underspecified, so we are free to interpret the
    question to include technologies such as ethernet taps. We can also
    interpret the question to allow for reception only of some less
    common frames, such as broadcasts, multicasts, and flooded frames.
    Furthermore there are NICs and systems now that are capable of
    directly receiving tagged frames, so your question covers the
    possibility of sniffing such frames by software running on the
    802.1Q complaint computer system.
  4. Archived from groups: comp.dcom.lans.ethernet (More info?)

    roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<coe1u3$rj3$1@canopus.cc.umanitoba.ca>...
    > In article <dc998cfd.0411281613.251057f6@posting.google.com>,
    > wld <aaabbb16@hotmail.com> wrote:
    > |roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<cod4t6$k2j$1@canopus.cc.umanitoba.ca>...
    > |> In article <dc998cfd.0411280538.6ce55f0d@posting.google.com>,
    > |> wld <aaabbb16@hotmail.com> wrote:
    > |> :Is it possible to see frame with tag using sniffer?
    >
    > |> Yes.
    >
    > |you mean that sniffing it form a port which mirrored to vlan trunking?
    >
    > Different manufacturers have different names for the same
    > facility. Some call it 'mirroring', some call it 'spanning',
    > some call it SPAN or RSPAN. The result is the same in each case:
    > to take a copy of some subset of the normal traffic on a switch
    > and deliver the copy to another port.
    >
    > Whether VLAN tags get stripped or not upon the copy can depend
    > upon the device and upon the software release and upon the setup.
    > -Generally- speaking, traffic out an untagged port will
    > usually show up untagged on the mirroring port, and traffic out
    > a tagged port will usually show up tagged on the mirroring
    > port, unless the primary vlan ID of the port happens to match the
    > VLAN ID of the packet, in which case 802.1Q says the tag should
    > be stripped.
    >
    >
    > In any case, in your original question, you did not specify
    > any conditions upon how the sniffing had to be done: you just
    > asked whether it was *possible* to see frames with the tags intact.
    > Your question was underspecified, so we are free to interpret the
    > question to include technologies such as ethernet taps. We can also
    > interpret the question to allow for reception only of some less
    > common frames, such as broadcasts, multicasts, and flooded frames.
    > Furthermore there are NICs and systems now that are capable of
    > directly receiving tagged frames, so your question covers the
    > possibility of sniffing such frames by software running on the
    > 802.1Q complaint computer system.

    Thanks,

    here is my configuration: two switchs connect each other using vlan
    trunking (802.1q) I config. a port (analyzor port I say port2) to see
    a vlan trunking port (i say port50)traffic. also config three vlan for
    both switch
    (vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect
    switch1 (vlan2) to/from pc2 which connect switch2 (vlan2). I use pc3
    which installed
    etherpeek and sniffer. I can see port50 in/out traffic. I can not see
    tag infomation. should after SA. (DA-SA-TAG-TYPE/LEN-DATE-FCS)
    Is it limitation for etherpeak and sniffer? (can not decode tag?)
    or any other reasons?

    Thanks,

    LL
  5. Archived from groups: comp.dcom.lans.ethernet (More info?)

    In article <dc998cfd.0411291917.9ea8653@posting.google.com>, aaabbb16
    @hotmail.com says...
    > here is my configuration: two switchs connect each other using vlan
    > trunking (802.1q) I config. a port (analyzor port I say port2) to see
    > a vlan trunking port (i say port50)traffic. also config three vlan for
    > both switch
    > (vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect
    > switch1 (vlan2) to/from pc2 which connect switch2 (vlan2). I use pc3
    > which installed
    > etherpeek and sniffer. I can see port50 in/out traffic. I can not see
    > tag infomation. should after SA. (DA-SA-TAG-TYPE/LEN-DATE-FCS)
    > Is it limitation for etherpeak and sniffer? (can not decode tag?)
    > or any other reasons?

    First thing's first. Are you filtering your capture? And if so, is is
    vlan 2 the native vlan? If you're using Cisco gear, it will not tag the
    native vlan unless you tell it to tag it.


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
  6. Archived from groups: comp.dcom.lans.ethernet (More info?)

    In article <dc998cfd.0411291917.9ea8653@posting.google.com>,
    wld <aaabbb16@hotmail.com> wrote:

    :here is my configuration: two switchs

    What kind of switches? What software version?

    :connect each other using vlan
    :trunking (802.1q) I config. a port (analyzor port I say port2) to see
    :a vlan trunking port (i say port50)traffic.

    How do you configure it? Some switches offer multiple mirroring
    configurations. On some of them, to see the tags, you have
    to configure the mirroring port as a tagged port (with the
    appropriate vlans) before you turn on mirroring.

    :also config three vlan for
    :both switch
    :(vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect
    :switch1 (vlan2) to/from pc2 which connect switch2 (vlan2).

    What is the Primary Vlan ID (PVID) or 'native vlan' of the trunk
    ports?


    :I use pc3
    :which installed
    :etherpeek and sniffer. I can see port50 in/out traffic. I can not see
    :tag infomation.

    Can you see all the trunk port traffic, or can you see only
    part of it?
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
  7. Archived from groups: comp.dcom.lans.ethernet (More info?)

    roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<coh3si$i83$1@canopus.cc.umanitoba.ca>...
    > In article <dc998cfd.0411291917.9ea8653@posting.google.com>,
    > wld <aaabbb16@hotmail.com> wrote:
    >
    > :here is my configuration: two switchs
    >
    > What kind of switches? What software version?
    >
    > :connect each other using vlan
    > :trunking (802.1q) I config. a port (analyzor port I say port2) to see
    > :a vlan trunking port (i say port50)traffic.
    >
    > How do you configure it? Some switches offer multiple mirroring
    > configurations. On some of them, to see the tags, you have
    > to configure the mirroring port as a tagged port (with the
    > appropriate vlans) before you turn on mirroring.
    >
    > :also config three vlan for
    > :both switch
    > :(vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect
    > :switch1 (vlan2) to/from pc2 which connect switch2 (vlan2).
    >
    > What is the Primary Vlan ID (PVID) or 'native vlan' of the trunk
    > ports?
    >
    >
    > :I use pc3
    > :which installed
    > :etherpeek and sniffer. I can see port50 in/out traffic. I can not see
    > :tag infomation.
    >
    > Can you see all the trunk port traffic, or can you see only
    > part of it?


    Let me double check it and get back to you ASAP. Thanks, LL
Ask a new question

Read More

Ethernet Card Networking