Scott Lowrey wrote:
This has something to do with the kernel/driver configuration on the 
local system.  Although I don't have enough info to update the page on 
the wiki,
You don't have to have complete info, you just have to have more info 
than is there now.  That's the nice thing about the Wiki - others can 
update it later if they have more information.
Capturing packets locally with Ethereal on a VLAN interface -- eth2.120, 
for example -- will not reveal any VLAN tags.  This is expected behavior 
because the tag was stripped as the frame was passed up thru the 
kernel/driver (?).
I *suspect* it's done either by
	1) the firmware on the adapter - I think some network adapters do the 
VLAN processing themselves, and can be give a VLAN tag, so that they'll 
pass up to the host only VLAN frames with that tag, with the VLAN header 
stripped off
or
	2) a VLAN module in the kernel, doing the same filtering and tag 
stripping, through which the packets are passed
although I suppose there could be drivers duplicating the filtering and 
tag stripping (or perhaps there isn't a VLAN module in the Linux kernel, 
so the drivers *have* to do it themselves).
Capturing packets *locally* on a physical interface -- eth2, for example 
-- where VLAN interfaces coexist will probably *not* reveal any VLAN 
tags.  The kernel/driver is stripping them (?) but you *will* see all 
traffic for that interface including the VLAN traffic -- you just won't 
see the tags.
That sucks.  If the adapter's doing the VLAN processing, it might do 
that even with the physical interface, but I'd expect it to do the 
filtering, too.  If it's code in the kernel (driver or a VLAN module), 
it might be, as per my mail, another case of the skbuff for the packet 
being manipulated in place without any copy-on-write.
Has anybody had any success capturing on the physical interface on a 
Linux system attached to a VLAN, where "success" is defined as "seeing 
packets with the VLAN tags attached and, at least if the capture is 
being done in promiscuous mode and you're not attached to a switch 
that's getting in the way, seeing packets for other VLANs or with no 
VLAN tag"?  If so, they might want to mention *that* on the Wiki page.
It's very confusing until you capture packets on an independent system 
running Ethereal using a mirrored port on the switch.  Bring up an 
anonymous interface on a laptop running SuSE 9.1, connect it to the 
mirror port where VLAN "trunk" traffic is known to exist, and 
capture.    Ethereal will correctly display the VLAN tags for each frame.
I.e., the anonymous interface *isn't* configured for a VLAN, so the 
adapter and kernel code wouldn't be doing VLAN filtering and thus 
probably wouldn't be doing VLAN tag stripping?