[Tech] Notes on capturing VLAN tags with Wireshark

Written on 11:05 AM by Yu Lai

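While using Wireshark I found, to my surprise, that it could not capture any VLAN information.
A quick search online confirmed that there is indeed a problem.
Here is the reference I found: http://blog.rogerz.cn/archives/553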

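Some NIC drivers filter out the VLAN tag by default when receiving packets, so packets captured with Wireshark do not contain the VLAN tag. In that case the registry has to be modified so that the driver keeps the VLAN tag.

For Intel PRO/1000 or PRO/100 NICs, change MonitorModeEnabled to 1 under the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00xx (use DriverDesc to determine the value of xx). If the value does not exist, create it as a new dword.

For Broadcom Gigabit NICs, add an entry PreserveVlanInfoInRxPacket=1 of type string to the registry. It goes in the same location as TxCoalescingTicks, which can be found by searching under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet.

After the change, the machine must be rebooted for it to take effect. I found this method in the UniCA User Manual; the more recent NIC drivers all support this setting. The original text is as follows: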

Intel PRO/1000 or PRO/100 Ethernet controllers which are used in e.g. IBM Notebooks (T40 series and others) do not forward VLAN tags to the upper layers; By default, Intel adapters strip the VLAN tag before passing it up the stack. If you need to see the tag you need to use these driver versions: PRO/100 6.x or 7.x or later base driver, PRO/1000 7.2.17.803 (plain 7.2.17 does not have this feature). To enable, you must go into the registry and either add a registry dword and value (for e100) or change the value of the registry key (for e1000). The registry dword is MonitorModeEnabled (for both). It should be placed at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00xx where xx is the instance of the network adapter that you need to see tags on. (Check by opening and viewing the name of the adapter). It should be set to read: MonitorModeEnabled= 1. Note: ControlSet001 may need to be CurrentControlSet or another 00x number

For Broadcom 570x Gigabit adapters (for example in Dell systems); Add a registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet to cause the driver not to strip the 802.1Q VLAN header. In order to set that key, you need to find the right instance of the driver in Registry Editor and set that key for it.

* Run the Registry Editor (regedt32).
* Search for "TxCoalescingTicks" under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" and ensure this is the only instance that you have.
* Right-click on the instance number (eg. 0008) and add a new string value.
* Enter "PreserveVlanInfoInRxPacket" and give it the value "1".
* Save and Reboot
* You may need to install a recent driver (version 8.27) to make this setting effective
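
The registry steps above can be checked and applied from PowerShell. The following is an added example, not code from this post or from the UniCA manual: it lists each adapter instance with its DriverDesc so the right 00xx can be identified, then writes the value for the chosen vendor. The function names `Get-VlanCaptureSetting` and `Enable-VlanTagCapture` are hypothetical, and the script assumes CurrentControlSet is the active control set and that it runs in an elevated session.

```powershell
# Added example (not from the post or the UniCA manual). Function names are hypothetical.
# Assumes CurrentControlSet is the active control set and an elevated PowerShell session.
$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# List every adapter instance (0000, 0001, ...) with its DriverDesc and the two
# values the post describes, so the right "xx" can be picked by adapter name.
function Get-VlanCaptureSetting {
    Get-ChildItem -LiteralPath $ClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($p -and $p.DriverDesc) {
                [pscustomobject]@{
                    Instance                   = $_.PSChildName
                    DriverDesc                 = $p.DriverDesc
                    MonitorModeEnabled         = $p.MonitorModeEnabled
                    PreserveVlanInfoInRxPacket = $p.PreserveVlanInfoInRxPacket
                    HasTxCoalescingTicks       = $null -ne $p.TxCoalescingTicks
                }
            }
        }
}

# Write the value for one instance. Intel: MonitorModeEnabled (DWORD) = 1.
# Broadcom: PreserveVlanInfoInRxPacket (string) = "1". Supports -WhatIf.
function Enable-VlanTagCapture {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidatePattern('^\d{4}$')][string]$Instance,
        [Parameter(Mandatory)][ValidateSet('Intel', 'Broadcom')][string]$Vendor
    )
    $key = Join-Path $ClassKey $Instance
    if (-not (Test-Path -LiteralPath $key)) { throw "No adapter instance $Instance under $ClassKey" }
    if ($Vendor -eq 'Intel') { $name = 'MonitorModeEnabled'; $type = 'DWord'; $value = 1 }
    else { $name = 'PreserveVlanInfoInRxPacket'; $type = 'String'; $value = '1' }
    if ($PSCmdlet.ShouldProcess($key, "Set $name = $value ($type)")) {
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType $type -Value $value -Force | Out-Null
    }
}

# Read-only listing; run this first and match DriverDesc to the capture adapter.
Get-VlanCaptureSetting | Format-Table -AutoSize
# Enable-VlanTagCapture -Instance '0008' -Vendor Broadcom -WhatIf   # 0008 is the manual's example instance
```

Running the listing again after the change and the reboot shows whether the value persisted for the intended instance.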
