Haifeng's Blog

How to capture VLAN tags

by · Published · Updated

We may need to capture vlan tags during troubleshooting, the configuration method is summarized as follows.

Switch side configuration

Cisco switches can use Switched Port Analyzer (SPAN) to capture packets, and we need to specify the encapsulation replicate parameter when configuring the destination port.

Switch#sh run | sec monitor
monitor session 1 source interface Gi0/6
monitor session 1 destination interface Gi0/4 encapsulation replicate

Windows side configuration

The Windows client does not capture vlan tags by default, we need some extra configuration.

  1. Change “Priority & VLAN” to Enabled in Adapter Settings.

2. Find the “Driver key” in the properties of the network adapter.

Look up the following keys in the registry editor, If it does not exist, create a new one.

Directory: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\<driver key>\<number>
Key1: MonitorMode(REG_DWORD 1)
Key2: MonitorModeEnabled( REG_DWORD 1)

It is recommended to restart the PC after modifying the registry.

Verification

Now use Wireshark to start capturing packets after connecting to the Windows PC at the destination port. If everything goes well, we can see the 802.1Q Virtual LAN header information at this time.

Tags:

2 Responses

  1. James Chia says:
    June 28, 2024 at am9:51

    I tried two PCs but could not work. Why?

    Reply
    • James Chia says:
      June 28, 2024 at pm3:48

      My apolopy. The w/s can see vlan id now. Earlier pkt captured did not have vlan ID.

      THanks for the guidance.

      Cheers!

      Reply

Leave a Reply

Your email address will not be published.