> Richard Binns wrote:
>
> Hi chaps
>
> SPAN sessions on a Cisco switch only relay the content of a VLAN, therefore
> removing the trunking encapsulation. If you want to see the trunk frames,
> i.e. 802.1q encapsulation you need to set up another port on the switch as a
> trunk and then capture from that port.

AFAIK, in a Cisco switch you can use either:

    monitor session <session number> destination interface <interface id>

in which case it will send the content without the tag, or

    monitor session <session number> destination interface <interface id> encapsulation dot1q
    monitor session <session number> destination interface <interface id> encapsulation isl

and then it will send the tags.

Of course, details might vary with your specific platform. So you should make sure that your SPAN session does send tags. As Richard suggests, trying to monitor directly on your traffic port (or configuring an additional traffic port) should give you information on which is the case. However, that option will not do for monitoring traffic, since the switch will only send broadcasts and unicast flooding to that port; once it knows that a MAC address can be reached through one port, it will not send traffic addressed to that address to any other.

If that is OK, you might need to have a look at your NIC. For instance, you can see in:
http://support.intel.com/support/network/sb/cs-005897-prd38.htm
that Intel NICs by default remove the VLAN tag, unless you configure them explicitly to pass it upwards.
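
One way to check whether a capture actually contains 802.1Q tags, as an added example that is not part of the original message: a Python script that reads a classic pcap file and counts frames per VLAN ID. The function names and the sample frames (MAC addresses, VLAN IDs 10 and 20) are constructed for illustration.

```python
import struct
from collections import Counter

TPID_DOT1Q = 0x8100  # IEEE 802.1Q tag protocol identifier

def vlan_summary(pcap_bytes):
    """Count frames per VLAN ID in a classic pcap; key None means untagged."""
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap global header")
    for endian in "<>":  # accept either byte order, micro- or nanosecond magic
        if struct.unpack(endian + "I", pcap_bytes[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D):
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, offset = Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        # Per-packet header: ts_sec, ts_usec, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue  # too short to hold an Ethernet header
        if struct.unpack("!H", frame[12:14])[0] == TPID_DOT1Q and len(frame) >= 18:
            tci = struct.unpack("!H", frame[14:16])[0]
            counts[tci & 0x0FFF] += 1  # low 12 bits of the TCI are the VLAN ID
        else:
            counts[None] += 1
    return counts

def build_sample(vlans):
    """Build a constructed little-endian pcap; vlans lists a VLAN ID or None per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for vlan in vlans:
        tag = struct.pack("!HH", TPID_DOT1Q, vlan) if vlan is not None else b""
        # Broadcast destination, made-up source MAC, IPv4 ethertype, zero padding
        frame = (b"\xff" * 6 + bytes.fromhex("020000000001") + tag
                 + struct.pack("!H", 0x0800) + bytes(46))
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = build_sample([10, 10, 20, None])   # constructed: tags preserved
UNTAGGED = build_sample([None, None])       # constructed: tags stripped

if __name__ == "__main__":
    for vid, n in vlan_summary(SAMPLE).items():
        print("untagged" if vid is None else f"VLAN {vid}", n)
```

If every frame of a capture taken on a port expected to carry tags is counted as untagged, the tag was removed before the capture file was written, either by the SPAN session or by the NIC.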