Don’t Lose The Tags

By Jeff Trawick, WildPackets Professional Services & David James

WildPackets’ Technical Support Team regularly receives questions about capturing VLAN (Virtual LAN) tags in packets. Some customers report that they cannot see VLAN tags when capturing packets from their switches. The tags are usually missing because the capture configuration or the location of OmniPeek (or OmniEngine) is incorrect. So, this tip is aimed at understanding VLAN tags and how they can be captured using the OmniPeek Product Family.

The OmniPeek Product Family can decode the most popular form of VLAN tagging, which is defined in the IEEE 802.1q specification, as well as Cisco’s proprietary ISL tags. 802.1q tags are applied as an added 4-byte header just after the packet’s Ethernet header, as shown in this decode. The field we need to see is the VLAN ID, which tells us to which VLAN this packet belongs. This is a 12-bit field, which means we can have 4,096 different VLANs. Two VLANs (000 and FFF) are reserved, so we really get 4,094 VLANs.

In the example at right, the packet is obviously for VLAN 63.

VLAN tags are designed for switch consumption only, so tags are not usually passed to end nodes. In most cases, VLAN tags are only present on links between switches. Knowing this, we can begin to properly deploy the OmniPeek Product Family for VLAN analysis.

First, we need to understand that the OmniPeek Product Family can only capture and decode packet content that it can see. Whenever you connect the OmniPeek Product Family to your network, you need to ensure that the connection method preserves VLAN tags. For example, you may commonly use port mirroring (AKA spanning, monitoring, etc.) on your switch to feed packets to the OmniPeek Product Family. When looking for VLAN tags, you might mirror an switch-to-switch link to the port where the OmniPeek Product Family is attached. However, some switches will strip out VLAN tags before sending packets to the mirror port. Other switches may be able to send VLAN tags to the mirror port, but the mirror may need to be specifically configured to preserve the tags.

But what if your switch won’t forward VLAN tags to your capture port? No problem – it’s taps to the rescue. In fact, the most certain way to capture tags is to place a network tap between two switches and connect OmniPeek Product Family to the tap.

Another important consideration is the configuration of the network card that the OmniPeek Product Family uses to capture VLAN traffic. Some NICs will discard tags, so the OmniPeek Product Family will never see the VLAN data. Not to worry – many network adapters can also be configured to preserve VLAN tags. Some NICs have settings in their Properties options in Windows. Yet some NICs require you to edit the registry to safeguard the tags. For my Broadcom NIC in my notebook, the following steps work:

  1. Search for “TxCoalescingTicks” under HKLMSystemCurrentControlSet. If you find more than one entry like this you’ll have to determine which instance belongs to the NIC you want to use for capturing the VLAN packets.
  2. Right-click on that NIC driver’s instance number (e.g. 0008) and add a new string value.
  3. Enter “PreserveVlanInfoInRxPacket” and give it a value of 1.

Note: The exact registry location and necessary entries may vary for your NIC, so consult your card’s vendor for details.

After ensuring that the OmniPeek Product Family is in the right place, that the switch mirror port is passing along VLAN tags (or you are using a tap), and that your capture adapter will not discard tags, you’re ready to go! A little preparation prevents a lot of pain when dealing with VLAN traffic, and ensures that you won’t lose the tags!