A colleague was attempting to capture packets on a trunk interface from a switch and wasn’t seeing the VLAN tags on the sniffer. Turns out that there are a two things that need to be considered here. The first is that the port mirror also needs to be configured as a trunk. Some port mirroring solutions need the mirror port as well as the mirrored port to be a trunk enabled. For Cisco SPAN, this varies from platform to platform so probably best to enable the SPAN port as a trunk to be sure.
Of course, the bigger problem is Microsoft Windows. They are inconsistent in their implementation of third party drivers. The following is taken from the Wireshark website:
Windows has no built-in support mechanisms for VLANs. There aren’t separate physical and VLAN interfaces you can capture from, unless a specialised driver that adds such support is present.
So whether you see VLAN tags in Wireshark or not will depend on the network adapter you have and on what its and its driver do with VLAN tags.
Most “simple” network adapters (e.g. widely used Realtek RTL 8139) and their drivers will simply pass VLAN tags to the upper layer to handle these. In that case, Wireshark will see VLAN tags and can handle and show them.
Some more sophisticated adapters will handle VLAN tags in the adapter and/or the driver. This includes some Intel adapters and, as far as i know, Broadcom gigabit chipsets (NetXtreme / 57XX based chips). Moreover, it is likely that cards that have specialized drivers will follow this path as well, to prevent interference from the “real” driver.
Therefore, if you are using Windows as the OS for your sniffer, you should have a default position that it you will not be able to capture VLAN tags and then check to see if it is possible to make a change to your network adapter or network driver.
The EtherealMind View
Gotta love the Microsoft Windows network driver implementation, it’s so bad, it’s awesomely bad. After ten years of the current driver design, Microsoft still permits driver software to crap out their OS. Stupid, stupid, stupid.
Cisco has a similar reference HERE.