# How to force stripping off 802.1q VLAN tags on a sniffer NIC



## elof (Mar 19, 2010)

Hi!

I would like to be able to strip off any and all VLAN tags for packets received on my sniffer NIC.
I simply want the 802.1q header (4 bytes) removed. Untagged packets should be passed through without modification.

I *know* this will mix packets from different VLANs, which is normally forbidden, but in this case I'm only going to sniff them, not bridge, route or process them in any other way. In fact, I always use the option 'monitor' on my sniffer NICs.

Q1.
Is there a way to do this stripping in hardware (for maximum performance)? I see that ifconfig with option '-vlanhwtag' at least can deal with adding/stripping tags, so perhaps there is a way to do what I want in hardware? (I usually run 'bge' or 'em' NICs).

2.
...or is there some kind of kernel module that accomplish the above by creating a virtual NIC, just like the 'vlan' module do, but that strip off *any* VLAN tag?



My current workarounds:
If the traffic to the sniffer NIC consist of 100% tagged packets from multiple VLANs, I can manually create a virtual 'vlan'-NIC for each VLAN-id and then 'bridge' them all together. This result in 100% untagged and mixed packets on bridge0, just as I want. Problem solved but with some performance loss (and every time a new VLAN is added, I manually have to remember to create and add the same to my bridge0.

A bigger problem is if the sniffer NIC receive both tagged and untagged packets. Like when a port aggregator tap mirrors a trunk with both tagged VLANS and an untagged one (quite common setup).
Then I can't include the untagged packets seen directly on the sniffer NIC in my virtual bridge0. (adding the parent NIC to bridge0 would make me see the tagged packets again as well as an untagged copy of the same).



Why do I ask this in the Development forum? Well, if there are no answers or solutions to the above, I wonder how hard it would be to steal the 'vlan' kernel module source code and transform it into a 'no_dot1q' kernel module?


----------



## phoenix (Mar 19, 2010)

Why aren't you just running tcpdump on the NIC?  That puts the NIC into promiscuous mode, and grabs every single ethernet frame it sees.  Output to a file, then replay that through wireshark to get the packet contents and flows.

Just make sure that the switch port is in monitor mode, so that all packets are copied to that port.


----------



## elof (Mar 20, 2010)

Not really an answer to my question...

I am running tcpdump, tshark, ngrep, snort, argus and custom made sniffer software on the NIC. That's why it is so important that the packets are either 100% untagged or 100% tagged.

If a human run 'tcpdump -nli bge1 port 80', he expect to see some traffic. If 100% of the packets are tagged, he won't get a single match. If traffic going in one direction is tagged while the other is untagged, he will only see the untagged responses from the server. To see the requests from the client he must manually change the BPF filter to 'tcpdump -nli bge1 vlan and port 80'.

In a system where all kinds of sniffers are to be configured to sniff on this NIC, you cant simply set a variable like $bpf_filter='ip and not esp', since no vlan tagged packet will match.


Im not speaking of a casual sniff. This requested kernel module of mine is for realtime monitoring of large networks around the clock. That's why I'm interested in hardware support and doing it in kernel space.
If performance and realtime monitoring wasn't an issue, I could probably develop my own libpcap thingy that strip off the unwanted dot1q header.


----------



## elof (Apr 6, 2010)

*Solved*

My co-worker found this patch:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/139268

With it I *can* add the parent NIC to the bridge and choose not to forward any tagged packets to the bridge.


----------

