Capturing VLAN Tags
Copyright 2012 Kenneth M. Chipps Ph.D. www.chipps.com
Last Update 2012.04.10
1.0.0
Objectives
• Learn how to capture VLAN tags for analysis using a network analyzer
The Problem
• I do not believe there is anything harder than figuring out how to capture VLAN tags using a network analyzer such as Wireshark or Omnipeek
• This is mostly due to the lack of clear detailed instructions for specific equipment operating system sets as well as the failure of NIC manufacturers to build this capability into their device drivers
• Further, most of the examples only work on certain models of hardware and certain versions of software
• The specifics as to these are often missing
• Therefore, here I will provide several examples of exactly how to do this with defined equipment sets that I have access to
• If you have some other type of hardware or software, well tough luck I cannot help you as I have wasted enough time getting this to work
• Once you get it working, let me know the details
• I will add it here
• There are three main areas of failure that will keep you from capturing the VLAN tags
• First, the driver for your NIC is stripping off the VLAN fields added to the Ethernet II header when the port this computer is attached to is added to a VLAN
• Second, the configuration of the switch is not providing frames with this information to the port that the computer running the network analyzer is attached to
• Third, the configuration of everything is correct, but the switch wants a partner to connect to before providing the information to the port that the computer running the network analyzer is attached to
• All of this makes figuring out exactly where the problem is a little tricky
• Let’s deal with these problems one at a time
NIC Driver Problem
• Wireshark has some guidance on this subject which is both right and wrong
• It is right when it says some NICs do not strip the tags
• It is right when it says some NICs can be adjusted in the Windows registry to no longer strip the tags
• It is wrong when it says
– If the OS or the network adapter driver won't allow the VLAN tags to be captured, set up port mirroring (or "port spanning", as Cisco calls it) on the VLAN switch and connect an independent system, such as a laptop, to the mirror port, and don't configure the interface attached to that port as a member of a VLAN
– You'll definitely see the VLAN tags, regardless of what OS the independent system is running or what type of network adapter you're using
• This does not work
NICs That Work
• The NICs I have verified that retain and allow the display of the VLAN tags
– No modification required
  • Trendnet TE100-PCIWN Version 2.21
    – This is the Realtek RTL8139/810x chipset
    – Wireshark says this should work and it does work without any modification required
    – The driver is
      » Microsoft
      » 5/30/2008
      » 6.111.530.2008
– Modification required
  • Intel 82567LM Gigabit NIC
    – This is an Intel chipset in a Dell laptop
    – Wireshark says this should work with a registry change
    – It does work once the registry is changed
    – The driver is
      » Microsoft
      » 8/18/2008
      » 10.0.22
NICs That Do Not Work
• The NICs I have verified do not work no matter what you do to them are
– Intel 82579V Gigabit NIC built into an Asus P8Z68-V Pro
  – The driver is
    • Intel
    • 3/15/2012
    • 11.16.96.0
  – Intel does not explicitly say whether this one should work after the registry value is added
– Intel PRO/1000 GT PCI NIC
  – The driver is
    • Microsoft
    • 5/28/2008
    • 8.4.1.0
  – Intel says this NIC should work after the registry value is added
  – You are thinking the driver is the problem since it is from Microsoft, but Intel claims they have no Windows 7 64 bit driver for this NIC
• As there are some reports that Intel server NICs will work without modification I tested one of these
– Intel PRO/1000 PT Dual Port Server Adapter
  – The driver is
    • Intel
    • 3/23/2012
    • 17
  – It does not work out of the box
  – Intel says this NIC should work after the registry value is added
  – In this case MonitorMode as this is a PCI Express card
  – On these types of cards there are three possible values 0, 1, and 2
  – None of these values work
• Therefore I conclude that just like Wireshark Intel’s information is not to be trusted
• Does no one test this stuff
• How hard does this need to be
NIC Modification Required
• The modification required to the Intel NIC chipsets to pass the required data is described in
– http://www.intel.com/support/network/sb/CS-005897.htm
• Regedit is used to do what is described
• Keep in mind that this may work, and then again it may not
• This document says
– Allow tagged frames to be passed to your packet capture software by going into the registry and either add a registry DWORD and value or change the value of the registry key
– The bus type of your network adapter will dictate the keyword used, either "MonitorModeEnabled" for PCI/PCI-X Network Adapters, or "MonitorMode" for PCI-e based Network Adapters
– The new key (DWORD) should be placed at:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00nn
• This part of the instructions is clear as far as it goes
• But then it further says
– ControlSet001 may need to be CurrentControlSet or another 00x number
• In most cases there are two of these 001 and 002
• See [screenshot]
• So which one is it
– ControlSet001
– or
– ControlSet002
• In the one I changed that then worked I made the change to ControlSet001
• In the one I changed that did not work I tried it in 001 only, 002 only, both 001 and 002
• Intel goes on to say
– The registry DWORD for a PCI or PCI-X Network Adapter is
  • MonitorModeEnabled
– Set the DWORD value to one of the following options:
  » 0 - disabled (Do not store bad packets, Do not store CRCs, Strip 802.1Q VLAN tags)
  » 1 - enabled (Store bad packets. Store CRCs. Do not strip 802.1Q VLAN tags)
– The registry DWORD for a PCI-Express Network Adapter is
  • MonitorMode
– Set the DWORD value to one of the following options:
  » 0 - disabled (Do not store bad packets, Do not store CRCs, Strip 802.1Q VLAN tags)
  » 1 - enabled (Receive bad/runt/invalid CRC packets. Leave CRCs attached to the packets. Strip VLAN tags and ignore packets sent to other VLANs as per normal operation.)
  » 2 - enabled strip VLAN (Receive bad/runt/invalid CRC packets. Leave CRCs attached to the packets. Pass all VLAN packets to the host, even those sent to other VLANs. Leave VLAN tags attached to the packets. This mode is likely to break VLAN)
• Intel just does not bother to say exactly where under this ControlSet this new DWORD goes
• It says it goes right under
– {4D36E972-E325-11CE-BFC1-08002BE10318}\00nn
• Where nn is the NIC
• Huh
• As you can see there are quite a few lines with this exact same heading
• You first have to look over in the right panel to see which one of these identical heading lines defines the NICs
• As you work your way down the lines you find a little ways down several with the name network in them
• The one you want is named
– Network adapters
• One might think the DWORD goes here
• Oh no, expand the lines under this
• This is where the elusive 00nn referred to above lives
• Once we do this we see [screenshot]
• Now scroll down that list from 0000 until you find the line for the NIC of interest
• Here is mine
• In this case the 00nn is 0016
• You can tell this by seeing the name of the NIC in the right panel
• In this case
– Intel PRO/1000 GT Desktop Adapter
• To add the required DWORD right click in the right panel
• This appears [screenshot]
• Select DWORD (32 bit) Value
• A new line appears at the bottom
• Change the name of the line to MonitorModeEnabled or MonitorMode as directed above
• The value by default is 00000000 in hex or 0 in decimal
• Right click on this line and select Modify
• Change the value to 1
• Intel does not bother to say whether this change should be Hexadecimal or Decimal or whether it really makes a difference
• I used Decimal
• Click OK
• Exit out of Regedit
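The Regedit steps above, scripted as an added example (not from the original slides or from Intel): it reads HKLM\SYSTEM\Select to learn which ControlSetNNN is the live one, finds the 00nn instance by its DriverDesc name, and writes the DWORD. The function names are hypothetical, and the registry calls assume Windows with Python's standard winreg module.

```python
"""Locate a NIC's 00nn registry instance and read or set Intel's monitor-mode DWORD."""
try:
    import winreg  # standard library, present only on Windows
except ImportError:
    winreg = None  # the pure helpers below still work elsewhere

NET_CLASS = "{4D36E972-E325-11CE-BFC1-08002BE10318}"  # class GUID from the slides
# DWORD name and the values Intel lists for it, per bus type (from the slides).
KEYWORDS = {
    "pci": ("MonitorModeEnabled", (0, 1)),    # 1 = do not strip 802.1Q tags
    "pci-x": ("MonitorModeEnabled", (0, 1)),
    "pcie": ("MonitorMode", (0, 1, 2)),       # 1 still strips tags; 2 leaves them
}


def keyword_for_bus(bus, value):
    """Return the DWORD name for a bus type; reject values Intel does not list."""
    if bus.lower() not in KEYWORDS:
        raise ValueError(f"unknown bus type {bus!r}")
    name, allowed = KEYWORDS[bus.lower()]
    if value not in allowed:
        raise ValueError(f"{name} accepts {allowed}, not {value!r}")
    return name


def control_set_name(current):
    """Turn the number stored in SYSTEM/Select 'Current' into ControlSetNNN."""
    return f"ControlSet{current:03d}"


def class_path(control_set, instance=""):
    """Build the key path under HKEY_LOCAL_MACHINE, optionally down to 00nn."""
    parts = ["SYSTEM", control_set, "Control", "Class", NET_CLASS, instance]
    return "\\".join(p for p in parts if p)


def match_instances(entries, needle):
    """Keep (00nn, DriverDesc) pairs whose adapter name contains `needle`."""
    return [(sub, desc) for sub, desc in entries
            if len(sub) == 4 and sub.isdigit() and needle.lower() in desc.lower()]


def current_control_set():
    """Name the control set that CurrentControlSet points at on this machine."""
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\Select") as key:
        return control_set_name(winreg.QueryValueEx(key, "Current")[0])


def list_instances(control_set):
    """Enumerate the 00nn subkeys of the class key with their DriverDesc value."""
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, class_path(control_set)) as cls:
        for index in range(winreg.QueryInfoKey(cls)[0]):
            sub = winreg.EnumKey(cls, index)
            try:
                with winreg.OpenKey(cls, sub) as inst:
                    entries.append((sub, winreg.QueryValueEx(inst, "DriverDesc")[0]))
            except OSError:
                continue  # subkey not readable or without a DriverDesc value
    return entries


def set_monitor_dword(control_set, instance, bus, value):
    """Create or update the DWORD under 00nn; needs an elevated process."""
    name = keyword_for_bus(bus, value)  # validated before the registry is touched
    path = class_path(control_set, instance)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)
    return name


if __name__ == "__main__":
    if winreg is None:
        raise SystemExit("the registry functions need Windows")
    active = current_control_set()
    for sub, desc in match_instances(list_instances(active), "Intel"):
        print(active, sub, desc)  # confirm the adapter, then call set_monitor_dword()
```

CurrentControlSet is a link to the set named by the Select key, so a value written to that set is the one the running driver configuration uses.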
Switch Configuration
• The only equipment I deal with is Cisco so this discussion of equipment sets and configurations will be limited to Cisco stuff
• As is often the case with Cisco the configuration to use depends on the model and the IOS version
• Some that should work, do not
• In some places you will find statements that a certain model will work, but only later will you find an obscure note that says it really does not, but then on testing you find it really does after all
• This is the case with the very common 2950 line of switches
• Let’s see what does work and does not work based on actual testing
Using 2960 Switches
• This setup is based on a discussion of this problem by an unidentified person here
– http://dot1x.blogspot.com/2010/03/sniffing-dot1q-tags-with-wireshark.html
• The first set I got to work was two Cisco 2960 switches with these characteristics
– WS-C2960-24TT-L
– 12.2(44)SE6
– C2960-LANBASE9-M
• The physical setup is next with the switches shown vertically just to make the lines easier to see
– Laptop One: connected to FA0/1, in VLAN 2, on SwitchOneWireshark
– Laptop Two: connected to FA0/1, in VLAN 2, on SwitchTwo
– Laptop Three: connected to FA0/24, on SwitchOneWireshark
– Switch: Cisco 2960, named SwitchOneWireshark
– Switch: Cisco 2960, named SwitchTwo
– On each switch FA0/23 is connected to FA0/23
• Here is the configuration for the switches
Switch One Wireshark
• !Switch One Wireshark Connected
• enable
• config t
• hostname SwitchOneWireshark
• vlan 2
• int fa0/1
• switchport mode access
• switchport access vlan 2
• interface fa0/23
• switchport mode trunk
• switchport trunk allowed vlan all
• monitor session 1 source interface fa0/23
• monitor session 1 destination interface fa0/24 encap replicate
• end
Switch Two
• !Switch Two
• enable
• config t
• hostname SwitchTwo
• vlan 20
• int fa0/1
• switchport mode access
• switchport access vlan 2
• interface fa0/23
• switchport mode trunk
• switchport trunk allowed vlan all
• end
Laptop One
• Laptop One is connected to the switch named SwitchOneWireshark at port Fa0/1
• IP Address 10.0.0.1
• Subnet Mask 255.255.255.0
Laptop Two
• Laptop Two is connected to the switch named SwitchTwo at port Fa0/1
• IP address 10.0.0.2
• Subnet mask 255.255.255.0
Laptop Three
• Laptop Three is connected to the switch named SwitchOneWireshark at port Fa0/24
• IP Address 10.0.0.3
• Subnet Mask 255.255.255.0
• This computer is running Wireshark 1.6.5
Use of IP Addresses
• The IP addresses were assigned to the computers in order to check connectivity before the VLANs were created and then the lack of connectivity once the VLANs were created
• In addition a continuous ping was run from Laptop One to Laptop Two to provide some traffic over the trunk link from port Fa0/23 on switch SwitchOneWireshark to Fa0/23 on switch SwitchTwo
• Laptop Three was attached to port Fa0/24 on switch SwitchOneWireshark
• This is the span or monitor port
The Result
• The result was [screenshots]
• Now we have VLAN tagged frames caught in the wild to use to illustrate such things
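An added example, not from the original slides: a Python check that reads a classic pcap file saved from the monitor port and counts frames per 802.1Q VLAN ID, so a capture in which every frame is counted under None shows the tags were stripped before they reached the analyzer. It also walks stacked 802.1ad tags, which goes beyond the slides; the sample capture bytes and MAC addresses are constructed.

```python
"""Count frames per 802.1Q VLAN ID in a classic pcap file saved by the analyzer."""
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q tag; 802.1ad outer tag (beyond the slides)
MAGICS = {  # pcap magic bytes -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}
LINKTYPE_ETHERNET = 1


def parse_vlan_tags(frame):
    """Return ([(priority, dei, vlan_id), ...], payload EtherType) for one frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    offset, tags = 12, []  # the EtherType/TPID field follows the two MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # Tag Control Information, then the next EtherType (or another TPID)
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return tags, ethertype


def iter_pcap_frames(data):
    """Yield raw frames from the bytes of a classic pcap file (not pcapng)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order = MAGICS[data[:4]]
    (linktype,) = struct.unpack_from(order + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} is not Ethernet")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, pos)
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def vlan_report(data):
    """Count frames per outer VLAN ID; the key None counts untagged frames."""
    per_vlan = Counter()
    for frame in iter_pcap_frames(data):
        try:
            tags, _ethertype = parse_vlan_tags(frame)
        except ValueError:
            continue  # runt frame or one cut short by the snap length
        per_vlan[tags[0][2] if tags else None] += 1
    return per_vlan


def build_sample():
    """Constructed capture: two frames tagged VLAN 2 and one untagged frame."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    body = struct.pack("!H", 0x0800) + bytes(46)  # IPv4 EtherType, zero padding
    frames = [
        dst + src + struct.pack("!HH", 0x8100, 2) + body,              # VLAN 2
        src + dst + struct.pack("!HH", 0x8100, (5 << 13) | 2) + body,  # VLAN 2, priority 5
        dst + src + body,                                              # no tag
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    import sys
    # With a file argument, report on that capture; otherwise use the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for vlan, count in vlan_report(raw).items():
        print("untagged" if vlan is None else f"VLAN {vlan}", count)
```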
Using One 2960 Switch
• The monitor port in SwitchOneWireshark does not receive many frames at all when the trunk cable is disconnected from the second switch named SwitchTwo
• There is definitely no sign of ICMP traffic
• Of course the computer at 10.0.0.2 could not answer as it is attached to the now isolated switch since the cable between the two switches is disconnected
• What if the computer at 10.0.0.2 is moved to the switch named SwitchOneWireshark to a port in the same VLAN as the computer at 10.0.0.1 with the other switch disconnected
• This does not work
• Very little traffic is seen at the monitoring port
• What if we get rid of the trunking and switch the monitoring source to the port in VLAN 2 that is the target of the pings
• Using this configuration
– monitor session 1 source interface fa0/2
– monitor session 1 destination interface fa0/24 encapsulation replicate
• The pings work, but no VLAN data is seen
• What if we eliminate the monitoring session as well
• Then place the computer with Wireshark installed into the same VLAN as the other two computers
• The pings work, but no VLAN data is seen
Using Two 2950 Switches
• The procedure detailed above for the 2960 switches will work using 2950 switches instead with the following changes– The cable connecting the two switches to
each other, the trunk cable from Fa0/23 to Fa0/23, must be a crossover cable as the 2950 is unable to change a port to handle a straight through cable
– The configuration line that reads
• monitor session 1 destination interface fa0/24 encapsulation replicate
– Must be changed to say
• monitor session 1 destination interface fa0/24 encapsulation dot1q
• Everything else stays as described in the 2960 section of this presentation
Router on a Stick
• Instead of two switches, VLAN captures can be done with one switch and a router, with the router acting as a Router On A Stick, as seen in this example
[Diagram: Router on a Stick topology]
• Laptop One: connected to FA0/1, in VLAN 2, on SwitchWireshark
• Laptop Two: connected to FA0/2, in VLAN 3, on SwitchWireshark
• Laptop Three: connected to FA0/24
• Switch: Cisco 2960, named SwitchWireshark
• Router: Cisco 2600, named RouterOnStick
• On the switch, FA0/23 is connected to FA0/0 on the router
The Configurations
• Here are the configurations for each device
• Notice that a default gateway is added to Laptop One and Laptop Two
Switch
• !Switch Wireshark Connected
• enable
• config t
• hostname SwitchWireshark
• vlan 2
• vlan 3
• int fa0/1
• switchport mode access
• switchport access vlan 2
• int fa0/2
• switchport mode access
• switchport access vlan 3
• interface fa0/23
• switchport mode trunk
• switchport trunk allowed vlan all
• monitor session 1 source interface fa0/23
• monitor session 1 destination interface fa0/24 encapsulation replicate
• end
Router
• !Router On A Stick
• enable
• config t
• hostname RouterOnStick
• int fa0/0.2
• encapsulation dot1q 2
• ip address 192.168.1.1 255.255.255.0
• int fa0/0.3
• encapsulation dot1q 3
• ip address 192.168.2.1 255.255.255.0
• int fa0/0
• no shutdown
• exit
• ip route 0.0.0.0 0.0.0.0 fa0/0
• end
Laptop One
• Laptop One is connected to the switch named SwitchWireshark at port Fa0/1
• IP Address 192.168.1.2
• Subnet Mask 255.255.255.0
• Default Gateway 192.168.1.1
Laptop Two
• Laptop Two is connected to the switch named SwitchWireshark at port Fa0/2
• IP Address 192.168.2.2
• Subnet Mask 255.255.255.0
• Default Gateway 192.168.2.1
Laptop Three
• Laptop Three is connected to the switch named SwitchWireshark at port Fa0/24
• This computer is running Wireshark 1.6.5
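To confirm from the capture file itself whether 802.1Q tags reached Laptop Three, the following added example (not part of the original presentation) counts frames per VLAN ID in a classic pcap file. The function names are assumptions for illustration, and the two sample captures are constructed in the code rather than taken from the lab.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def vlan_of(frame):
    """Return (vlan_id, priority, inner_ethertype); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner  # VID is the low 12 bits, PCP the top 3

def read_pcap(data):
    """Yield raw frames from a classic (non-pcapng) Ethernet pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        yield data[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len

def vlan_summary(pcap_bytes):
    """Count frames per VLAN ID; the key None counts untagged frames."""
    return Counter(vlan_of(f)[0] for f in read_pcap(pcap_bytes))

# --- Constructed sample data (not taken from the presentation's captures) ---
def make_frame(vid=None):
    macs = bytes.fromhex("020000000001020000000002")  # placeholder MACs
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return macs + tag + struct.pack("!H", 0x0800) + bytes(46)

def make_pcap(vids):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in map(make_frame, vids):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Mirror of trunk Fa0/23: VLAN 2 and 3 tags present, None = untagged (native VLAN)
TRUNK_CAPTURE = make_pcap([2, 3, 2, None])
# Mirror of an access port: every frame untagged, so no VLAN data is seen
ACCESS_CAPTURE = make_pcap([None, None])
```

If `vlan_summary` returns only the `None` key for a capture taken on the trunk mirror, the tags were lost before the file was written, either at the switch or in the NIC driver.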
Configuration Oddities
• There are some confusing configurations that one will run across while researching this topic
• One is the configuration line that says in part
– encapsulation 8021q
• This relates back to older equipment that supported the Cisco proprietary protocol ISL
• The newer IOSs do not have that command as there are no options anymore
• Everyone already uses 8021q