Decoder: (Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface

Document created by RSA Information Design and Development on Sep 15, 2017. Last modified by RSA Information Design and Development on Oct 11, 2017.
Version 5
 

When capturing traffic containing VLAN tags, you may need to configure the Packet MMAP capture interface to preserve the VLAN tags in the packets (VLAN fixup). By default, the network capture hardware removes the tags. Performing this procedure preserves the tags in the packets, and the tag values are parsed into VLAN meta data for further analysis.

There are two mechanisms for enabling the VLAN fixup.

  • Option 1: Set vlan-fix=true within capture.device.params. This option performs the VLAN fixup on all traffic entering the Decoder. This option is appropriate in most cases, since it is assumed that all the traffic will be VLAN tagged. This mechanism works in either single-interface mode or all-interfaces mode. This option overrides the VLAN fixup settings on individual interfaces; even interfaces that are not configured to do VLAN fixup will have the feature enabled.
  • Option 2: Use the interfaces parameter within capture.device.params on a per-device basis. The interfaces parameter accepts a comma-separated list of interface names on which to capture packets. By adding :vlan to an interface name, you can enable the VLAN fixup on individual interfaces. If the interface does not have the :vlan suffix added, then it will not perform the VLAN fixup.

After editing this parameter, you must restart capture on the Decoder in order for changes to capture.device.params to take effect.

 

These are examples of both options. If you need to pass multiple settings for capture.device.params, use the following syntax. Quotes are needed for values with whitespace; see the Core Database Tuning Guide.
name1="value1" name2="value2"

                            
| Parameter | Value | Effect |
|---|---|---|
| capture.device.params | vlan-fix=true | VLAN fixup always performed on all interfaces. The default value is vlan-fix=false. |
| capture.device.params | interfaces=eth0:vlan,eth1 | VLAN fixup performed on traffic capture on eth0 interface only |
| capture.device.params | interfaces=eth0:vlan,eth1 vlan-fix=true | VLAN fixup always performed because the vlan-fix setting overrides the interfaces setting. |
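
The override rule shown in the examples above, as an added Python sketch (not RSA code): it parses a capture.device.params string and reports, for each listed interface, which setting preserves its VLAN tags. The function names are hypothetical, and treating only the literal value true as enabling vlan-fix is an assumption.

```python
import shlex

def parse_device_params(params):
    """Split a capture.device.params string into {name: value}.

    shlex honours the double quotes the page requires around values
    that contain whitespace (name1="value1" name2="value2").
    """
    pairs = {}
    for token in shlex.split(params):
        name, sep, value = token.partition("=")
        if not sep or not name:
            raise ValueError(f"not a name=value pair: {token!r}")
        pairs[name] = value
    return pairs

def vlan_fix_all(params):
    """True when vlan-fix=true is set; the page gives false as the default."""
    # Assumption: only the literal value "true" enables the setting.
    return parse_device_params(params).get("vlan-fix", "false") == "true"

def vlan_fixup_by_interface(params):
    """Map each listed interface to the setting that preserves its tags.

    "vlan-fix" -> forced on by vlan-fix=true (overrides the interfaces list)
    ":vlan"    -> enabled by the per-interface suffix
    None       -> no fixup; VLAN tags are not preserved on this interface
    """
    forced = vlan_fix_all(params)
    result = {}
    for entry in parse_device_params(params).get("interfaces", "").split(","):
        if not entry:
            continue
        name, _, suffix = entry.partition(":")
        if forced:
            result[name] = "vlan-fix"
        else:
            result[name] = ":vlan" if suffix == "vlan" else None
    return result

if __name__ == "__main__":
    # Constructed sample values, modelled on the examples above.
    for sample in ("vlan-fix=true",
                   "interfaces=eth0:vlan,eth1",
                   "interfaces=eth0:vlan,eth1 vlan-fix=true",
                   'name1="value 1" interfaces=em1:vlan,em2,em4'):
        print(f"{sample!r}: all={vlan_fix_all(sample)} "
              f"{vlan_fixup_by_interface(sample)}")
```

An interface that maps to None is one whose traffic will carry no VLAN meta data, which is worth checking before relying on VLAN-based queries for that segment.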
 

To configure the packet_mmap_ adapter to preserve the VLAN tags in packets:

  1. In the Administration Services view, select the Decoder service and, in the actions menu, select View > Config.
  2. In the Services Config view, set Capture Interface Selected to packet_mmap_,ALL adapter.
  3. To go to the Services Explore view, click Config in the toolbar and select Explore in the drop-down list.
  4. In the Services Explore view, select decoder > config.
  5. Click in the values column next to capture.device.params, and do one of the following:
    • To preserve VLAN tags on an interface in the interfaces list, add :vlan after the interface name and press Enter. For example, this specifies that VLAN tags are preserved on em1, but not on em2 and em4:
      interfaces=em1:vlan,em2,em4
      The change goes into effect immediately; only traffic on em1 has the VLAN tags preserved.
    • To preserve VLAN tags on all interfaces, enter the following and press Enter:
      vlan-fix=true
      The change goes into effect immediately; VLAN tags are preserved on all capture interfaces.