Wireshark · Ethereal-users: Re: [Ethereal-users] Re: 802.1p packet marking / detection

[Guy Harris <gharris@xxxxxxxxx>]

Chris T. wrote:
> I read the FAQ and I am not sure I completly understand what they are 
> saying.

What the FAQ is saying could be thought of as

	Ethereal doesn't directly control the network hardware on the machine 
on which it's running.  It uses libpcap/WinPcap to do that, and 
libpcap/WinPcap doesn't directly control it, either; it requests that 
various pieces of networking code in the OS do so.

	The networking code in the OS, on machines connected to a VLAN, might 
contain a networking "interface" that doesn't directly correspond to the 
network adapter, and doesn't supply packets as received by the network 
adapter; instead, it might supply packets that have the VLAN header removed.

	It might also contain a networking interface that directly corresponds 
to the network adapter, and supplies the raw packets as received by the 
adapter; in order to see VLAN tags, and traffic for VLANs other than the 
one to which the machine is connected, you'll have to capture on that 
interface, rather than on the one that supplies packets with the VLAN 
header removed.

What the interfaces are called depends on your OS; I don't have a list 
of what they're called on various OSes.

A further problem is that I think some network adapter hardware can be 
configured to be connected to a particular VLAN, in which case they'll 
strip off VLAN tags, and discard packets not for that VLAN, before 
supplying them to the host, in which case there might not *be* an 
interface that can see the raw packets on the LAN.  In that case, you 
might have to capture on a machine that's not connected to any VLAN - in 
which case it might not be able to communicate on the LAN, in particular 
to resolve network addresses to host names, so you might have to turn 
off network name resolution to prevent Ethereal (or whatever capture 
program you're using) from pausing for long periods of time trying to 
resolve network addresses.