Menu Close

Q-in-Q (VLAN Stacking) packet capture

admin 0 Comments

The capture is showing the q-in-q tagging where VLAN ID 600 is the customer VLAN and VLAN ID 101 is the metro tag (Service provider tag). Tha capture consist of ICMP pings among two customer IP hosts (vlan 600) with IP addresses, 192.168.1.1 and 192.168.1.2, carried over ISP MAN network (service ID 101).

Number of packets: 11

We should apply the Wireshark filter

vlan.id == SERVICE_PROVIDER_ID && vlan.id == CUSTOMR_ID

with appropriate VLAN tags, in the example

vlan.id == 600 && vlan.id == 101

or we may use TCPdump

tcpdump -eqt -r /path_to_pcap_file vlan

08:00:27:3d:25:4e (oui Unknown) > Broadcast, 802.1Q, length 68: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype ARP, Request who-has 192.168.1.2 tell 192.168.1.1, length 46
1c:af:f7:70:ed:7c (oui Unknown) > 08:00:27:3d:25:4e (oui Unknown), 802.1Q, length 68: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype ARP, Reply 192.168.1.2 is-at 1c:af:f7:70:ed:7c (oui Unknown), length 46
08:00:27:3d:25:4e (oui Unknown) > 1c:af:f7:70:ed:7c (oui Unknown), 802.1Q, length 82: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype IPv4, 192.168.1.1 > 192.168.1.2: ICMP echo request, id 512, seq 8192, length 40
1c:af:f7:70:ed:7c (oui Unknown) > Broadcast, 802.1Q, length 68: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 46
08:00:27:3d:25:4e (oui Unknown) > 1c:af:f7:70:ed:7c (oui Unknown), 802.1Q, length 68: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype ARP, Reply 192.168.1.1 is-at 08:00:27:3d:25:4e (oui Unknown), length 46
08:00:27:3d:25:4e (oui Unknown) > 1c:af:f7:70:ed:7c (oui Unknown), 802.1Q, length 82: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype IPv4, 192.168.1.1 > 192.168.1.2: ICMP echo request, id 512, seq 8448, length 40
1c:af:f7:70:ed:7c (oui Unknown) > 08:00:27:3d:25:4e (oui Unknown), 802.1Q, length 82: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype IPv4, 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 512, seq 8448, length 40
08:00:27:3d:25:4e (oui Unknown) > 1c:af:f7:70:ed:7c (oui Unknown), 802.1Q, length 82: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype IPv4, 192.168.1.1 > 192.168.1.2: ICMP echo request, id 512, seq 8704, length 40
1c:af:f7:70:ed:7c (oui Unknown) > 08:00:27:3d:25:4e (oui Unknown), 802.1Q, length 82: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype IPv4, 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 512, seq 8704, length 40
08:00:27:3d:25:4e (oui Unknown) > 1c:af:f7:70:ed:7c (oui Unknown), 802.1Q, length 82: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype IPv4, 192.168.1.1 > 192.168.1.2: ICMP echo request, id 512, seq 8960, length 40
1c:af:f7:70:ed:7c (oui Unknown) > 08:00:27:3d:25:4e (oui Unknown), 802.1Q, length 82: vlan 101, p 0, ethertype 802.1Q, vlan 600, p 0, ethertype IPv4, 192.168.1.2 > 192.168.1.1: ICMP echo reply, id 512, seq 8960, length 40
Rate this post
Tweet
Pin
Share
0 Shares

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.