4 Replies Latest reply on Mar 22, 2013 11:04 AM by Yazid Atyaagun

    Driver v9.13.41.0 - Sniffer cannot see 802.1Q Headers

    int21h

      Hi There,

       

      Our NICs are running driver v9.13.41.0 and by default it appears the driver does not strip VLAN ID/802.1Q headers, however our Sniffer (Observer) does not pick up the VLAN ID.

       

      I have followed the instructions set out here and modified the registry, but we still cannot see the VLAN information. I'm wondering if this problem is related to 2008 x64 and the driver v9.13.41.0

       

      Has anyone encountered the same issue or is there a setting I am missing ?

       

      Server Information:

      Observer Version: 14 Build: 0005.0000

      OS: Windows 2008 R2 Standard – 64BIT

      NICs:

      Intel(R) PRO/1000 PF Server Adapter - 9.13.41.0

      Intel(R) PRO/1000 PT Dual Port Server Adapter – Driver Version 9.13.41.0

       

      All registry changes were made to the following location:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

       

      Reference guides followed:

      http://www.intel.com/support/network/sb/CS-005897.htm

        • 1. Re: Driver v9.13.41.0 - Sniffer cannot see 802.1Q Headers
          mark_h_@intel

          By default the drivers will strip the VLAN tags. Try setting MonitorMode to 2 instead of 1. I was looking at the latest code changes for at least one of the drivers and you might need to use 2 so the VLAN tag will be passed up the stack. However, passing the VLAN information up the stack might break things since the OS is expecting the adapter to strip the tag.

           

          Make sure you are putting MonitorMode in the registry for the port you are sniffing.

          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318\00nn where nn is an enumerated number for each port.

           

          I hope this helps.

           

          Mark H

          • 2. Re: Driver v9.13.41.0 - Sniffer cannot see 802.1Q Headers
            Yazid Atyaagun

            Hi Mark,

             

            Value of 2 does not work for both Intel 82577LM and 82566DM-2 NICs.

            The outer VLAN is still stripped.

             

            The outer VLAN is shown in Wireshark when setting MonitorMode to 1 or to 2, however these NICs still strip the outer VLANs from the received packets.

             

            Does this mean that there is no way to set these Intel NICs to be transparent to VLANs and not strip the outer VLAN?

             

            I cannot replace my laptop's NIC card with another one which does not strip VLANs.

             

            I am stuck with my Intel 82577LM and I will appreciate any help that makes the VLAN stripping feature disabled.

             

            Thanks

            • 3. Re: Driver v9.13.41.0 - Sniffer cannot see 802.1Q Headers
              mark_h_@intel

              The information on configuring this item has been updated. See http://www.intel.com/support/network/sb/CS-005897.htm for details.

               

              82577 uses the e1k driver and needs the MonitorMode registry key.
              82566DM-2 uses the e1e driver and needs the MonitorModeEnabled registry key.

               

              The "2" I mentioned in the earlier post is not a valid setting.

               

              I hope this helps.

               

              Mark H

               

              EDIT by Mark H:  Try rebooting your PC after you make the registry change before testing with the sniffer.

               

              Message was edited by: Mark H @ Intel

              • 4. Re: Driver v9.13.41.0 - Sniffer cannot see 802.1Q Headers
                Yazid Atyaagun

                Thanks a lot Mark.

                 

                Indeed, following the information of the link that you provided helped me solve my issue on both those Intel NIC cards (82577LM and 82566DM-2).

                Setting MonitorMode to 1 for 82577LM and MonitorModeEnabled to 1 for 82566DM-2 made them not stripping the VLANs from the receiving frames.

                 

                My problem is now solved.

                 

                Adding the following information (it is already provided in that Intel web page).

                 

                How to determine which registry key to use: MonitorMode or MonitorModeEnabled?

                If adapter driver's name starts with:

                e1g, e1e, e1y                          --> MonitorModeEnabled

                e1c, e1d, e1k, e1q, e1r, ixe, ixn, ixt --> MonitorMode

                 

                To check the adapter driver details (driver's file name):

                - Launch Control Panel and open the Properties of the Network Adaptor

                - Click on Configure

                - Click the Driver tab to see the driver version

                - Click on the Driver Details to see the list of the Driver files.

                  E.g. C:\WINDOWS\system32\DRIVERS\e1k62x64.sys

                       This means, that this network adapter (82577LM) uses the e1k driver

                       and needs the MonitorMode registry key.