VLAN header trace/sniff
I am trying to find a way to determine whether or not I have any packets with VLAN headers flowing on my network by using something like Wireshark. My understanding is that the default behavior for most Linux network drivers is to strip the VLAN headers below the level where the packet tracing hooks are.
So, is there any chance that the network drivers for BackTrack (especially tg3) have been configured to surface the VLAN headers intact for capture by tcpdump/Wireshark, or is there a documented procedure for turning this capability on?
You should be able to locate these packets using Wireshark and specifying vlan in the capture filter. If, for example, you want to capture 802.1Q frames with the source IP 192.168.1.1, you would use the filter: vlan and host 192.168.1.1. More information can be found at the following location:
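
Added example, not part of the original question or answer: a small Python parser that checks raw Ethernet frames for an 802.1Q tag and reports the VLAN ID, and that goes slightly beyond the single-tag case by also following an 802.1ad (Q-in-Q) outer tag. The sample frames are constructed, and the names `parse_vlan_tags`, `TPIDS`, `UNTAGGED`, `TAGGED` and `QINQ` are hypothetical.

```python
import struct

# Tag protocol identifiers that mark a VLAN tag in the EtherType position.
TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}


def parse_vlan_tags(frame: bytes):
    """Return (tags, inner_ethertype) for one raw Ethernet frame.

    tags lists each VLAN tag, outermost first. An empty list means the frame
    is untagged as captured, which is also what you see when the tag was
    removed before the capture point, the situation the question describes.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    tags = []
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # Tag control information (PCP/DEI/VID) and the EtherType after it.
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({
            "tpid": TPIDS[ethertype],
            "pcp": tci >> 13,          # priority code point, 3 bits
            "dei": (tci >> 12) & 1,    # drop eligible indicator, 1 bit
            "vid": tci & 0x0FFF,       # VLAN identifier, 12 bits
        })
        offset += 4
        ethertype = next_type
    return tags, ethertype


# Constructed sample frames (not captured traffic).
MACS = bytes.fromhex("ffffffffffff" "020000000001")
UNTAGGED = MACS + bytes.fromhex("0800") + b"\x00" * 20
TAGGED = MACS + bytes.fromhex("8100" "a064" "0800") + b"\x00" * 20
QINQ = MACS + bytes.fromhex("88a8" "00c8" "8100" "000a" "0806") + b"\x00" * 28

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("qinq", QINQ)):
        tags, inner = parse_vlan_tags(frame)
        vids = [t["vid"] for t in tags]
        print(f"{name}: vlan ids={vids} inner ethertype=0x{inner:04x}")
```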