Today I created a small testlab which you can see below.

I configured the following SPAN session:
monitor session 1 source interface Fa0/23
monitor session 1 destination interface Fa0/24 encapsulation dot1q
I sniffed some ICMP packets originating from FW1 towards FW2, which gave me the following Wireshark output:

Clearly, no dot1Q tags are present in the captured data.
After some searches on the web I found out that newer drivers strip off tags like dot1Q by default, so the tags are not available to the upper layers of the OSI model.
In my case it concerns an Intel 82567LM Gigabit Adapter which, luckily for me, makes it possible to turn off this 'strip off' feature by setting the following registry value: MonitorModeEnabled, value 1, type DWORD, at the following location:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00xx

The '0007' part of the registry location may differ from laptop to laptop. You can check by looking at the DriverDesc string in each subkey.
After a quick reboot I did the same test as earlier with the output below:

YES! It's working again like it should. The yellow circle shows the CoS value and the blue circle shows the VLAN-id. Time for some QoS testing next week....
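As an added example (not code from the original post), here is a small Python parser that checks whether a captured Ethernet frame still carries its 802.1Q tag and decodes the CoS (PCP) and VLAN-id fields that the second capture shows; it also reports the "tag stripped by the driver" case from the first capture. The sample frames are constructed, not taken from the lab.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

# Constructed sample frame (not from the original capture):
# 802.1Q tag with PCP (CoS) 5, DEI 0, VID 100, carrying IPv4.
TAGGED_FRAME = (
    bytes.fromhex("001122334455")                       # destination MAC
    + bytes.fromhex("66778899aabb")                     # source MAC
    + struct.pack("!HH", TPID_8021Q, (5 << 13) | 100)   # TPID + TCI (0xA064)
    + struct.pack("!H", 0x0800)                         # inner EtherType: IPv4
    + b"\x45" + b"\x00" * 19                            # IPv4 header stub
)

# The same frame as a tag-stripping NIC driver hands it to the capture tool:
# the 4-byte TPID/TCI field is simply gone.
UNTAGGED_FRAME = TAGGED_FRAME[:12] + TAGGED_FRAME[16:]


def parse_vlan_tag(frame: bytes):
    """Return (cos, dei, vlan_id, ethertype) for an 802.1Q-tagged frame,
    or None when the frame carries no tag (e.g. stripped by the driver)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("frame announces an 802.1Q tag but is truncated")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    cos = tci >> 13            # 3-bit Priority Code Point = the CoS value
    dei = (tci >> 12) & 0x1    # Drop Eligible Indicator
    vlan_id = tci & 0x0FFF     # 12-bit VLAN identifier
    return cos, dei, vlan_id, ethertype


def tag_report(frames):
    """Count tagged vs. untagged frames; all-untagged on a dot1q SPAN
    destination is the symptom of the driver stripping the tags."""
    report = {"tagged": 0, "untagged": 0}
    for frame in frames:
        report["tagged" if parse_vlan_tag(frame) else "untagged"] += 1
    return report


if __name__ == "__main__":
    print("tagged  :", parse_vlan_tag(TAGGED_FRAME))    # (5, 0, 100, 2048)
    print("stripped:", parse_vlan_tag(UNTAGGED_FRAME))  # None
    print(tag_report([TAGGED_FRAME, UNTAGGED_FRAME]))
```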
 
Looking good! Started your own blog? Keep up the good work!
Greetings from your colleague!
Bingo! I can see VLAN packets too. It helps me to understand spanning tree protocols deeper. Thanks for your excellent explanation.
Jason.
How did you know that it is located at 007?
Absolutely Great! Worked perfectly, just one tip. You do not need to restart your computer, just go into Device Manager and toggle the card Disable/Enable.
Add both "MonitorModeEnabled = 1" and "MonitorMode = 1" if you run Windows 7.
Thumbs up
It is great work... Good information shared.
IT Dienstleistung Ulm