Sign in with
Sign up | Sign in
Your question

802.1q frame with tag

Last response: in Networking
Share
Anonymous
November 28, 2004 8:38:44 AM

Archived from groups: comp.dcom.lans.ethernet (More info?)

Is it possible to see frame with tag using sniffer?

Thanks in advance,

LL

More about : 802 frame tag

Anonymous
November 28, 2004 9:20:22 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

In article <dc998cfd.0411280538.6ce55f0d@posting.google.com>,
wld <aaabbb16@hotmail.com> wrote:
:Is it possible to see frame with tag using sniffer?

Yes.
Anonymous
November 28, 2004 9:20:23 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<cod4t6$k2j$1@canopus.cc.umanitoba.ca>...
> In article <dc998cfd.0411280538.6ce55f0d@posting.google.com>,
> wld <aaabbb16@hotmail.com> wrote:
> :Is it possible to see frame with tag using sniffer?
>
> Yes.


you mean that sniffing it form a port which mirrored to vlan trunking?
Anonymous
November 29, 2004 5:35:47 AM

Archived from groups: comp.dcom.lans.ethernet (More info?)

In article <dc998cfd.0411281613.251057f6@posting.google.com>,
wld <aaabbb16@hotmail.com> wrote:
|roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<cod4t6$k2j$1@canopus.cc.umanitoba.ca>...
|> In article <dc998cfd.0411280538.6ce55f0d@posting.google.com>,
|> wld <aaabbb16@hotmail.com> wrote:
|> :Is it possible to see frame with tag using sniffer?

|> Yes.

|you mean that sniffing it form a port which mirrored to vlan trunking?

Different manufacturers have different names for the same
facility. Some call it 'mirroring', some call it 'spanning',
some call it SPAN or RSPAN. The result is the same in each case:
to take a copy of some subset of the normal traffic on a switch
and deliver the copy to another port.

Whether VLAN tags get stripped or not upon the copy can depend
upon the device and upon the software release and upon the setup.
-Generally- speaking, traffic out an untagged port will
usually show up untagged on the mirroring port, and traffic out
a tagged port will usually show up tagged on the mirroring
port, unless the primary vlan ID of the port happens to match the
VLAN ID of the packet, in which case 802.1Q says the tag should
be stripped.


In any case, in your original question, you did not specify
any conditions upon how the sniffing had to be done: you just
asked whether it was *possible* to see frames with the tags intact.
Your question was underspecified, so we are free to interpret the
question to include technologies such as ethernet taps. We can also
interpret the question to allow for reception only of some less
common frames, such as broadcasts, multicasts, and flooded frames.
Furthermore there are NICs and systems now that are capable of
directly receiving tagged frames, so your question covers the
possibility of sniffing such frames by software running on the
802.1Q complaint computer system.
Anonymous
November 29, 2004 10:17:13 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<coe1u3$rj3$1@canopus.cc.umanitoba.ca>...
> In article <dc998cfd.0411281613.251057f6@posting.google.com>,
> wld <aaabbb16@hotmail.com> wrote:
> |roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<cod4t6$k2j$1@canopus.cc.umanitoba.ca>...
> |> In article <dc998cfd.0411280538.6ce55f0d@posting.google.com>,
> |> wld <aaabbb16@hotmail.com> wrote:
> |> :Is it possible to see frame with tag using sniffer?
>
> |> Yes.
>
> |you mean that sniffing it form a port which mirrored to vlan trunking?
>
> Different manufacturers have different names for the same
> facility. Some call it 'mirroring', some call it 'spanning',
> some call it SPAN or RSPAN. The result is the same in each case:
> to take a copy of some subset of the normal traffic on a switch
> and deliver the copy to another port.
>
> Whether VLAN tags get stripped or not upon the copy can depend
> upon the device and upon the software release and upon the setup.
> -Generally- speaking, traffic out an untagged port will
> usually show up untagged on the mirroring port, and traffic out
> a tagged port will usually show up tagged on the mirroring
> port, unless the primary vlan ID of the port happens to match the
> VLAN ID of the packet, in which case 802.1Q says the tag should
> be stripped.
>
>
> In any case, in your original question, you did not specify
> any conditions upon how the sniffing had to be done: you just
> asked whether it was *possible* to see frames with the tags intact.
> Your question was underspecified, so we are free to interpret the
> question to include technologies such as ethernet taps. We can also
> interpret the question to allow for reception only of some less
> common frames, such as broadcasts, multicasts, and flooded frames.
> Furthermore there are NICs and systems now that are capable of
> directly receiving tagged frames, so your question covers the
> possibility of sniffing such frames by software running on the
> 802.1Q complaint computer system.

Thanks,

here is my configuration: two switchs connect each other using vlan
trunking (802.1q) I config. a port (analyzor port I say port2) to see
a vlan trunking port (i say port50)traffic. also config three vlan for
both switch
(vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect
switch1 (vlan2) to/from pc2 which connect switch2 (vlan2). I use pc3
which installed
etherpeek and sniffer. I can see port50 in/out traffic. I can not see
tag infomation. should after SA. (DA-SA-TAG-TYPE/LEN-DATE-FCS)
Is it limitation for etherpeak and sniffer? (can not decode tag?)
or any other reasons?

Thanks,

LL
Anonymous
November 30, 2004 7:39:17 AM

Archived from groups: comp.dcom.lans.ethernet (More info?)

In article <dc998cfd.0411291917.9ea8653@posting.google.com>, aaabbb16
@hotmail.com says...
> here is my configuration: two switchs connect each other using vlan
> trunking (802.1q) I config. a port (analyzor port I say port2) to see
> a vlan trunking port (i say port50)traffic. also config three vlan for
> both switch
> (vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect
> switch1 (vlan2) to/from pc2 which connect switch2 (vlan2). I use pc3
> which installed
> etherpeek and sniffer. I can see port50 in/out traffic. I can not see
> tag infomation. should after SA. (DA-SA-TAG-TYPE/LEN-DATE-FCS)
> Is it limitation for etherpeak and sniffer? (can not decode tag?)
> or any other reasons?

First thing's first. Are you filtering your capture? And if so, is is
vlan 2 the native vlan? If you're using Cisco gear, it will not tag the
native vlan unless you tell it to tag it.


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
********************************************************************
Due to the volume of email that I receive, I may not not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
Anonymous
November 30, 2004 9:27:30 AM

Archived from groups: comp.dcom.lans.ethernet (More info?)

In article <dc998cfd.0411291917.9ea8653@posting.google.com>,
wld <aaabbb16@hotmail.com> wrote:

:here is my configuration: two switchs

What kind of switches? What software version?

:connect each other using vlan
:trunking (802.1q) I config. a port (analyzor port I say port2) to see
:a vlan trunking port (i say port50)traffic.

How do you configure it? Some switches offer multiple mirroring
configurations. On some of them, to see the tags, you have
to configure the mirroring port as a tagged port (with the
appropriate vlans) before you turn on mirroring.

:also config three vlan for
:both switch
:( vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect
:switch1 (vlan2) to/from pc2 which connect switch2 (vlan2).

What is the Primary Vlan ID (PVID) or 'native vlan' of the trunk
ports?


:I use pc3
:which installed
:etherpeek and sniffer. I can see port50 in/out traffic. I can not see
:tag infomation.

Can you see all the trunk port traffic, or can you see only
part of it?
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
Anonymous
November 30, 2004 7:28:14 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<coh3si$i83$1@canopus.cc.umanitoba.ca>...
> In article <dc998cfd.0411291917.9ea8653@posting.google.com>,
> wld <aaabbb16@hotmail.com> wrote:
>
> :here is my configuration: two switchs
>
> What kind of switches? What software version?
>
> :connect each other using vlan
> :trunking (802.1q) I config. a port (analyzor port I say port2) to see
> :a vlan trunking port (i say port50)traffic.
>
> How do you configure it? Some switches offer multiple mirroring
> configurations. On some of them, to see the tags, you have
> to configure the mirroring port as a tagged port (with the
> appropriate vlans) before you turn on mirroring.
>
> :also config three vlan for
> :both switch
> :( vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect
> :switch1 (vlan2) to/from pc2 which connect switch2 (vlan2).
>
> What is the Primary Vlan ID (PVID) or 'native vlan' of the trunk
> ports?
>
>
> :I use pc3
> :which installed
> :etherpeek and sniffer. I can see port50 in/out traffic. I can not see
> :tag infomation.
>
> Can you see all the trunk port traffic, or can you see only
> part of it?


Let me double check it and get back to you ASAP. Thanks, LL
!