Guy Harris wrote:
Alexander
Sirotkin wrote:
I'm having a weird problem trying to sniff
some traffic with VLAN tag.
My Linux box (2.4.20) is configured to support vlans (add vlan tag to
outgoing packets and remove vlan tag from incoming packets). When I
capture packets on the vlan enabled interface (eth0.42, with 42 being
vlan id, for instance) all packets appear normal and without vlan tag.
When I capture packets on the eth0 interface, outgoing packets look OK
(including vlan tag) but icoming packets show some weird values in
ethertype field, yet OS seem
to process them OK.
http://wiki.ethereal.com/CaptureSetup_2fVLAN
discusses capturing packets with VLAN tags on various platforms,
although it currently has a placeholder for Linux - you might want to
update the Linux section to give the correct information on Linux (is
the "ethN", or whatever, vs. "ethN.TAG" scheme used on all current
versions of the kernel that include VLAN support?).
I assume the weird values in the Ethertype field aren't 0x8100; what
are the values? Perhaps this is yet another example of parts of the
Linux networking stack manipulating skbuffs in place without any
copy-on-write happening, so that the skbuff handed to the PF_PACKET
socket no longer contains the packet bytes received from the network.
This has something to do with the kernel/driver configuration on the
local system. Although I don't have enough info to update the page on
the wiki, I'll offer what I know. Question marks indicate guesses on
my part. :)
All experience gained from SuSE Linux 9.1 - kernel 2.6.5 or newer.
Capturing packets locally with Ethereal on a VLAN interface --
eth2.120, for example -- will not reveal any VLAN tags. This is
expected behavior because the tag was stripped as the frame was passed
up thru the kernel/driver (?). You are, in effect, capturing on a
virtual LAN so you will see only the traffic destined for that LAN. No
problems there.
Capturing packets *locally* on a physical interface -- eth2, for
example -- where VLAN interfaces coexist will probably *not* reveal any
VLAN tags. The kernel/driver is stripping them (?) but you *will* see
all traffic for that interface including the VLAN traffic -- you just
won't see the tags.
It's very confusing until you capture packets on an independent system
running Ethereal using a mirrored port on the switch. Bring up an
anonymous interface on a laptop running SuSE 9.1, connect it to the
mirror port where VLAN "trunk" traffic is known to exist, and
capture. Ethereal will correctly display the VLAN tags for each
frame.
|
