How to capture VLAN tags

We may need to capture vlan tags during troubleshooting, the configuration method is summarized as follows.

Switch side configuration

Cisco switches can use Switched Port Analyzer (SPAN) to capture packets, and we need to specify the encapsulation replicate parameter when configuring the destination port.

Switch#sh run | sec monitor
monitor session 1 source interface Gi0/6
monitor session 1 destination interface Gi0/4 encapsulation replicate

Windows side configuration

The Windows client does not capture vlan tags by default, we need some extra configuration.

1. Change “Priority & VLAN” to Enabled in Adapter Settings.

2. Find the “Driver key” in the properties of the network adapter.

Look up the following keys in the registry editor, If it does not exist, create a new one.

Directory: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\<driver key>\<number>
Key1: MonitorMode(REG_DWORD 1)
Key2: MonitorModeEnabled( REG_DWORD 1)

It is recommended to restart the PC after modifying the registry.

Verification

Now use Wireshark to start capturing packets after connecting to the Windows PC at the destination port. If everything goes well, we can see the 802.1Q Virtual LAN header information at this time.