Archived from groups: comp.dcom.lans.ethernet (
More info?)
roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<coe1u3$rj3$1@canopus.cc.umanitoba.ca>...
> In article <dc998cfd.0411281613.251057f6@posting.google.com>,
> wld <aaabbb16@hotmail.com> wrote:
> |roberson@ibd.nrc-cnrc.gc.ca (Walter Roberson) wrote in message news:<cod4t6$k2j$1@canopus.cc.umanitoba.ca>...
> |> In article <dc998cfd.0411280538.6ce55f0d@posting.google.com>,
> |> wld <aaabbb16@hotmail.com> wrote:
> |> :Is it possible to see frame with tag using sniffer?
>
> |> Yes.
>
> |you mean that sniffing it form a port which mirrored to vlan trunking?
>
> Different manufacturers have different names for the same
> facility. Some call it 'mirroring', some call it 'spanning',
> some call it SPAN or RSPAN. The result is the same in each case:
> to take a copy of some subset of the normal traffic on a switch
> and deliver the copy to another port.
>
> Whether VLAN tags get stripped or not upon the copy can depend
> upon the device and upon the software release and upon the setup.
> -Generally- speaking, traffic out an untagged port will
> usually show up untagged on the mirroring port, and traffic out
> a tagged port will usually show up tagged on the mirroring
> port, unless the primary vlan ID of the port happens to match the
> VLAN ID of the packet, in which case 802.1Q says the tag should
> be stripped.
>
>
> In any case, in your original question, you did not specify
> any conditions upon how the sniffing had to be done: you just
> asked whether it was *possible* to see frames with the tags intact.
> Your question was underspecified, so we are free to interpret the
> question to include technologies such as ethernet taps. We can also
> interpret the question to allow for reception only of some less
> common frames, such as broadcasts, multicasts, and flooded frames.
> Furthermore there are NICs and systems now that are capable of
> directly receiving tagged frames, so your question covers the
> possibility of sniffing such frames by software running on the
> 802.1Q complaint computer system.
Thanks,
here is my configuration: two switchs connect each other using vlan
trunking (802.1q) I config. a port (analyzor port I say port2) to see
a vlan trunking port (i say port50)traffic. also config three vlan for
both switch
(vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect
switch1 (vlan2) to/from pc2 which connect switch2 (vlan2). I use pc3
which installed
etherpeek and sniffer. I can see port50 in/out traffic. I can not see
tag infomation. should after SA. (DA-SA-TAG-TYPE/LEN-DATE-FCS)
Is it limitation for etherpeak and sniffer? (can not decode tag?)
or any other reasons?
Thanks,
LL