802.1q frame with tag

Is it possible to see a frame with a tag using a sniffer?

Thanks in advance,

LL

Reply to
wld

You mean sniffing it from a port which is mirrored to VLAN trunking?

Reply to
wld

wld wrote:

:Is it possible to see a frame with a tag using a sniffer?

Yes.

Reply to
Walter Roberson

|> Yes.

|You mean sniffing it from a port which is mirrored to VLAN trunking?

Different manufacturers have different names for the same facility. Some call it 'mirroring', some call it 'spanning', some call it SPAN or RSPAN. The result is the same in each case: to take a copy of some subset of the normal traffic on a switch and deliver the copy to another port.

Whether VLAN tags get stripped or not upon the copy can depend upon the device and upon the software release and upon the setup.

-Generally- speaking, traffic out an untagged port will usually show up untagged on the mirroring port, and traffic out a tagged port will usually show up tagged on the mirroring port, unless the primary vlan ID of the port happens to match the VLAN ID of the packet, in which case 802.1Q says the tag should be stripped.

In any case, in your original question, you did not specify any conditions upon how the sniffing had to be done: you just asked whether it was *possible* to see frames with the tags intact. Your question was underspecified, so we are free to interpret the question to include technologies such as ethernet taps. We can also interpret the question to allow for reception only of some less common frames, such as broadcasts, multicasts, and flooded frames. Furthermore there are NICs and systems now that are capable of directly receiving tagged frames, so your question covers the possibility of sniffing such frames by software running on the 802.1Q compliant computer system.

Reply to
Walter Roberson

Thanks,

Here is my configuration: two switches connect to each other using VLAN trunking (802.1q). I configured a port (the analyzer port, say port2) to see the traffic of a VLAN trunking port (say port50). I also configured three VLANs on both switches (vlan1, vlan2 and vlan3) and did a ping from/to pc1, which connects to switch1 (vlan2), to/from pc2, which connects to switch2 (vlan2). I use pc3, which has etherpeek and sniffer installed. I can see port50 in/out traffic. I cannot see the tag information, which should be after SA (DA-SA-TAG-TYPE/LEN-DATA-FCS). Is it a limitation of etherpeek and sniffer (cannot decode the tag?), or is there some other reason?

Thanks,

LL

Reply to
wld

First things first. Are you filtering your capture? And if so, is vlan 2 the native vlan? If you're using Cisco gear, it will not tag the native vlan unless you tell it to tag it.

Reply to
Hansang Bae

:here is my configuration: two switches

What kind of switches? What software version?

:connect each other using vlan trunking (802.1q) I config. a port (analyzer port I say port2) to see a vlan trunking port (i say port50) traffic.

How do you configure it? Some switches offer multiple mirroring configurations. On some of them, to see the tags, you have to configure the mirroring port as a tagged port (with the appropriate vlans) before you turn on mirroring.

:also config three vlan for both switch (vlan1,vlan2 and vlan3) and do a ping from/to pc1 which connect switch1 (vlan2) to/from pc2 which connect switch2 (vlan2).

What is the Primary Vlan ID (PVID) or 'native vlan' of the trunk ports?

:I use pc3 which installed etherpeek and sniffer. I can see port50 in/out traffic. I can not see tag information.

Can you see all the trunk port traffic, or can you see only part of it?

Reply to
Walter Roberson
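
To check independently of the analyzer's decoder whether mirrored frames still carry the tag, the bytes after SA can be inspected directly: a tagged frame has TPID 0x8100 at offset 12, followed by the 16-bit TCI holding the VLAN ID. The following is an added example, not code from any poster in this thread; the sample frames and MAC addresses are constructed, and the function names are hypothetical.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag TPID values

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into DA, SA, any VLAN tags, and Type/Len."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:  # loop handles stacked (QinQ) tags as well
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload_offset": offset + 2}

def tag_summary(frames) -> Counter:
    """Count frames per outer VLAN ID; untagged frames are counted under None."""
    counts = Counter()
    for f in frames:
        tags = parse_frame(f)["tags"]
        counts[tags[0]["vid"] if tags else None] += 1
    return counts

# Constructed sample frames (not from the thread): documentation-range MACs,
# IPv4 EtherType, zero-filled payload. One tagged for VLAN 2, one untagged.
DA = bytes.fromhex("00005e005302")
SA = bytes.fromhex("00005e005301")
PAYLOAD = bytes(46)
TAGGED_VLAN2 = DA + SA + struct.pack("!HH", 0x8100, 2) + b"\x08\x00" + PAYLOAD
UNTAGGED = DA + SA + b"\x08\x00" + PAYLOAD

if __name__ == "__main__":
    for vid, n in tag_summary([TAGGED_VLAN2, UNTAGGED, TAGGED_VLAN2]).items():
        print("untagged" if vid is None else f"vlan {vid}", n)
```

If every frame from the trunk port lands in the untagged bucket, the tag was removed before the capture reached the analyzer (by the mirror setup or by the capturing NIC or driver), not lost in decoding.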

Let me double check it and get back to you ASAP. Thanks, LL

Reply to
wld
