Settings for capturing tagged packets
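How to configure a NIC so that it does not strip VLAN tags
Product name: Basic category
Applicable versions: all versions
Keywords: NIC, VLAN
During routine packet capture you sometimes need frames with the VLAN tag intact, but most NICs strip the VLAN tag during capture, which discards useful information. Modifying the registry stops the NIC from stripping the VLAN tag, so that packets are captured with their tag. The settings are as follows:
1. For Intel PRO/1000 or PRO/100 NICs
In the registry, under
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00xx change MonitorModeEnabled to 1; if it does not exist, create it as a new DWORD value.
2. For Broadcom Gigabit NICs
Add the entry PreserveVlanInfoInRxPacket=1 to the registry, with type string. It goes in the same location as TxCoalescingTicks, which can be found by searching under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet.
After the change, reboot the machine for it to take effect; packets can then be captured with their tag.
Note: to see which of the two NIC types above is installed, look in "My Computer" > "Device Manager".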
This method was found in the UniCA User Manual, and newer NIC drivers all support the setting. The original text follows:
Intel PRO/1000 or PRO/100 Ethernet controllers, which are used in e.g. IBM Notebooks (T40 series and others), do not forward VLAN tags to the upper layers. By default, Intel adapters strip the VLAN tag before passing it up the stack. If you need to see the tag you need to use these driver versions: PRO/100 6.x or 7.x or later base driver, PRO/1000 7.2.17.803 (plain 7.2.17 does not have this feature). To enable, you must go into the registry and either add a registry dword and value (for e100) or change the value of the registry key (for e1000). The registry dword is MonitorModeEnabled (for both). It should be placed at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\00xx where xx is the instance of the network adapter that you need to see tags on. (Check by opening and viewing the name of the adapter). It should be set to read:
MonitorModeEnabled=1. Note: ControlSet001 may need to be CurrentControlSet or another 00x number.
For Broadcom 570x Gigabit adapters (for example in Dell systems); Add a registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet to cause the driver not to strip the 802.1Q VLAN header. In order to set that key, you need to find the right instance of the driver in Registry Editor and set that key for it.
Run the Registry Editor (regedt32).
Search for “TxCoalescingTicks” under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" and ensure this is the only instance that you have.
Right-click on the instance number (eg. 0008) and add a new string value.
Enter “PreserveVlanInfoInRxPacket” and give it the value “1”.
Save and Reboot
You may need to install a recent driver (version 8.27) to make this setting effective.
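The manual step in both procedures is finding the right 00xx adapter instance. The PowerShell sketch below is an added example, not part of the original document or the UniCA manual: it lists the instances with their adapter names and current values, then applies the setting to the one you pick. The function names are hypothetical, and it assumes CurrentControlSet, that TxCoalescingTicks sits in the adapter's instance subkey of the same class key, and that the adapter name is stored in the DriverDesc value.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
# Network adapter class key named on the page (CurrentControlSet used instead of ControlSet001).
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-NicInstance {
    # List each 00xx instance with its adapter name and the values the page discusses.
    Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Instance                   = $_.PSChildName
                DriverDesc                 = $p.DriverDesc
                HasTxCoalescingTicks       = $null -ne $p.TxCoalescingTicks
                MonitorModeEnabled         = $p.MonitorModeEnabled
                PreserveVlanInfoInRxPacket = $p.PreserveVlanInfoInRxPacket
                Path                       = $_.PSPath
            }
        }
}

function Set-VlanTagPreservation {
    param(
        [Parameter(Mandatory)] [string] $Instance,   # instance number, e.g. '0008'
        [Parameter(Mandatory)] [ValidateSet('Intel', 'Broadcom')] [string] $Vendor
    )
    $nic = Get-NicInstance | Where-Object Instance -eq $Instance
    if (-not $nic) { throw "No adapter instance $Instance under $classKey" }
    if ($Vendor -eq 'Intel') {
        # DWORD MonitorModeEnabled = 1, created if it does not exist.
        New-ItemProperty -Path $nic.Path -Name MonitorModeEnabled -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        # String PreserveVlanInfoInRxPacket = "1", only where TxCoalescingTicks is present.
        if (-not $nic.HasTxCoalescingTicks) { throw "Instance $Instance has no TxCoalescingTicks value" }
        New-ItemProperty -Path $nic.Path -Name PreserveVlanInfoInRxPacket -PropertyType String -Value '1' -Force | Out-Null
    }
    Get-NicInstance | Where-Object Instance -eq $Instance   # show the result for confirmation
}

# Review the instances first, then apply to the one identified by DriverDesc.
Get-NicInstance | Format-Table Instance, DriverDesc, HasTxCoalescingTicks, MonitorModeEnabled, PreserveVlanInfoInRxPacket
# Set-VlanTagPreservation -Instance '00xx' -Vendor Intel   # '00xx' is a placeholder
```

A reboot is still required afterwards, as the procedure states.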