Just wondering if it is possible to use 802.1q aware nic (support vlan tagging) on a packet filtering box to monitor traffic off multiple vlan domains as opposed to having SPAN enabled on a switch?
Any pointers will be appreciated.
regards, /vicky
separate thread to earlier answers....
if you want to try this, use your favorite sniffer - or download the trial of Netassyst (based on Sniffer Pro code) from sniffer.com - it works for 7 or 14 days without the magic key - I use this at work and it does pick up VLANs.
FWIW I suspect that using an 802.1q NIC with a sniffer may strip the tags before they get to the sniffer - depends on whether the driver gives you a logical card looking at a vlan or a port. or, even more likely, the driver writer didn't think of this and it will crash and burn....
setting up a SPAN port means you will see copies of something - usually a port or a vlan is feasible, but there may be others depending on the switch and the config. Some of those would send you packets complete with 802.1q tags, some would strip them 1st (again switch dependent).
if you don't have any of these then you will only see what arrives at the port your PC is plugged into - in a typical switched network this is all multicast / broadcast in any VLAN sent to your port, anything sent to your PC if you have a protocol stack set up (which may be per VLAN), and any packets to MAC addresses that have aged out of the switch tables.
In article , stephen wrote:
:setting up a SPAN port means you will see copies of something - usually a
:port or a vlan is feasible, but there may be others depending on the switch
:and the config. Some of those would send you packets complete with 802.1q
:tags, some would strip them 1st (again switch dependent).
Seeing your message triggered a memory: in some switches/routers, when you SPAN or RSPAN, the source MAC address of each packet will be the MAC associated with the output interface of the SPAN, rather than the original source MAC. This can sometimes be a pain in the fundament, but sometimes you are able to deduce the missing information.
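One way to check the question this thread turns on, whether 802.1Q tags actually reach the capture or were stripped by the NIC driver or SPAN port first. This is an added example, not code from any poster; it assumes raw Ethernet frames are already available as bytes, and the sample frames and the `build_frame` helper are constructed for illustration.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag (QinQ outer tag)

def parse_vlan_tags(frame: bytes):
    """Return ([VLAN IDs, outermost first], inner EtherType) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    vids = []
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    return vids, ethertype

def summarize(frames):
    """Count frames per VLAN stack; all 'untagged' on a trunk suggests tags were stripped."""
    counts = Counter()
    for frame in frames:
        try:
            vids, _ = parse_vlan_tags(frame)
        except ValueError:
            counts["malformed"] += 1
            continue
        counts[".".join(map(str, vids)) if vids else "untagged"] += 1
    return counts

def build_frame(tags, ethertype=0x0800):
    """Constructed test frame: broadcast dst, locally administered src, zero payload."""
    hdr = bytes.fromhex("ffffffffffff020000000001")
    for tpid, tci in tags:
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + bytes(46)

# Constructed sample capture, not real traffic.
SAMPLE = [build_frame([]), build_frame([(0x8100, 10)]), build_frame([(0x8100, 0xA00A)]),
          build_frame([(0x8100, 20)]), build_frame([(0x88A8, 100), (0x8100, 20)]), bytes(13)]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(f"{key:>10}: {n}")
```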