[Solved] How to force stripping off 802.1q VLAN tags on a sniffer NIC - The FreeBSD Forums
#1
March 19th, 2010, 11:44
elof

How to force stripping off 802.1q VLAN tags on a sniffer NIC

Hi!

I would like to be able to strip off any and all VLAN tags for packets received on my sniffer NIC.
I simply want the 802.1q header (4 bytes) removed. Untagged packets should be passed through without modification.

I *know* this will mix packets from different VLANs, which is normally forbidden, but in this case I'm only going to sniff them, not bridge, route or process them in any other way. In fact, I always use the option 'monitor' on my sniffer NICs.

Q1.
Is there a way to do this stripping in hardware (for maximum performance)? I see that ifconfig with option '-vlanhwtag' at least can deal with adding/stripping tags, so perhaps there is a way to do what I want in hardware? (I usually run 'bge' or 'em' NICs).

Q2.
...or is there some kind of kernel module that accomplishes the above by creating a virtual NIC, just like the 'vlan' module does, but that strips off *any* VLAN tag?



My current workarounds:
If the traffic to the sniffer NIC consists of 100% tagged packets from multiple VLANs, I can manually create a virtual 'vlan'-NIC for each VLAN-id and then 'bridge' them all together. This results in 100% untagged and mixed packets on bridge0, just as I want. Problem solved, but with some performance loss (and every time a new VLAN is added, I manually have to remember to create and add the same to my bridge0).

A bigger problem is if the sniffer NIC receives both tagged and untagged packets. Like when a port aggregator tap mirrors a trunk with both tagged VLANs and an untagged one (quite a common setup).
Then I can't include the untagged packets seen directly on the sniffer NIC in my virtual bridge0. (adding the parent NIC to bridge0 would make me see the tagged packets again as well as an untagged copy of the same).



Why do I ask this in the Development forum? Well, if there are no answers or solutions to the above, I wonder how hard it would be to steal the 'vlan' kernel module source code and transform it into a 'no_dot1q' kernel module?
#2
March 19th, 2010, 23:42
phoenix (Moderator)

Why aren't you just running tcpdump on the NIC? That puts the NIC into promiscuous mode, and grabs every single ethernet frame it sees. Output to a file, then replay that through wireshark to get the packet contents and flows.

Just make sure that the switch port is in monitor mode, so that all packets are copied to that port.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
#3
March 20th, 2010, 16:27
elof

Not really an answer to my question...

I am running tcpdump, tshark, ngrep, snort, argus and custom made sniffer software on the NIC. That's why it is so important that the packets are either 100% untagged or 100% tagged.

If a human runs 'tcpdump -nli bge1 port 80', he expects to see some traffic. If 100% of the packets are tagged, he won't get a single match. If traffic going in one direction is tagged while the other is untagged, he will only see the untagged responses from the server. To see the requests from the client he must manually change the BPF filter to 'tcpdump -nli bge1 vlan and port 80'.

In a system where all kinds of sniffers are to be configured to sniff on this NIC, you can't simply set a variable like $bpf_filter='ip and not esp', since no VLAN tagged packet will match.


I'm not speaking of a casual sniff. This requested kernel module of mine is for realtime monitoring of large networks around the clock. That's why I'm interested in hardware support and doing it in kernel space.
If performance and realtime monitoring weren't an issue, I could probably develop my own libpcap thingy that strips off the unwanted dot1q header.
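The user-space fallback mentioned in the post above (removing the dot1q header before a BPF-style filter sees the frame), written out as an added example that is not code from this thread or from FreeBSD. It strips every stacked 802.1q/802.1ad tag from a raw Ethernet frame and passes untagged or runt frames through unchanged; the MAC addresses and payload are constructed sample data, not captured traffic.

```python
import struct

# Added example (not from the thread): strip every 802.1q / 802.1ad tag from a
# raw Ethernet frame so a filter like "port 80" matches whether or not the
# capture side saw the frame tagged. Untagged frames come back unchanged.
VLAN_ETHERTYPES = {0x8100, 0x88A8, 0x9100}  # 802.1q, 802.1ad (QinQ), legacy QinQ
ETH_HDR_LEN = 14   # dst(6) + src(6) + ethertype(2)
TAG_LEN = 4        # TPID(2) + TCI(2)
TAG_OFFSET = 12    # first ethertype/TPID sits right after the two MACs


def parse_vlan_ids(frame: bytes) -> list:
    """Return the VLAN ID of every stacked tag, outermost first ([] if untagged)."""
    ids = []
    offset = TAG_OFFSET
    while len(frame) >= offset + TAG_LEN:
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid not in VLAN_ETHERTYPES:
            break
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        ids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VID
        offset += TAG_LEN
    return ids


def strip_dot1q(frame: bytes) -> bytes:
    """Remove all stacked VLAN tags; untagged or runt frames pass through untouched."""
    if len(frame) < ETH_HDR_LEN:
        return frame
    offset = TAG_OFFSET
    while (len(frame) >= offset + TAG_LEN
           and struct.unpack_from("!H", frame, offset)[0] in VLAN_ETHERTYPES):
        offset += TAG_LEN                 # skip one 4-byte tag per iteration
    if offset == TAG_OFFSET:
        return frame                      # nothing to strip
    return frame[:TAG_OFFSET] + frame[offset:]


# Constructed sample frames (hypothetical addresses, truncated IPv4 payload).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45\x00" + b"\x00" * 18
UNTAGGED = DST + SRC + b"\x08\x00" + PAYLOAD
TAGGED = DST + SRC + b"\x81\x00" + struct.pack("!H", (3 << 13) | 100) + b"\x08\x00" + PAYLOAD
QINQ = (DST + SRC + b"\x88\xa8" + struct.pack("!H", 200)
        + b"\x81\x00" + struct.pack("!H", 100) + b"\x08\x00" + PAYLOAD)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("tagged", TAGGED), ("qinq", QINQ)):
        print(name, parse_vlan_ids(f), len(f), "->", len(strip_dot1q(f)))
```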
#4
April 6th, 2010, 09:28
elof

Solved

My co-worker found this patch:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/139268

With it I *can* add the parent NIC to the bridge and choose not to forward any tagged packets to the bridge.