(Optional) Preserve VLAN Tags When Using the Packet MMAP Capture Interface

When capturing traffic containing VLAN tags, you may need to configure the Packet MMAP capture interface to preserve the VLAN tags in the packets (VLAN fixup). By default, the network capture hardware removes the tags. Performing this procedure preserves the tags in the packets, and the tag values are parsed into VLAN meta data for further analysis.

There are two mechanisms for enabling the VLAN fixup.

  • Option 1: Set vlan-fix=true within capture.device.params. This option performs the VLAN fixup on all traffic entering the Decoder. This option is appropriate in most cases, since it is assumed that all the traffic will be VLAN tagged. This mechanism works in either single-interface mode or all-interfaces mode. This option overrides the VLAN fixup settings on individual interfaces; even interfaces that are not configured to do VLAN fixup will have the feature enabled.
  • Option 2: Use the interfaces parameter within capture.device.params on a per-device basis. The interfaces parameter accepts a comma-separated list of interface names on which to capture packets. By adding :vlan to an interface name, you can enable the VLAN fixup on individual interfaces. If the interface does not have the :vlan suffix added, then it will not perform the VLAN fixup.

After editing this parameter, you must restart capture on the Decoder in order for changes to capture.device.params to take effect.

The following are examples of both options. If you need to pass multiple settings for capture.device.params, use the following syntax:
name1="value1" name2="value2"
Notice that quotes are needed to delineate whitespace. For more information about how to use quotes for whitespace, see the "Connecting to a Service" topic in the NwConsole User Guide for RSA NetWitness Platform.

| Parameter | Value | Effect |
|---|---|---|
| capture.device.params | vlan-fix=true | VLAN fixup always performed on all interfaces. The default value is vlan-fix=false. |
| capture.device.params | interfaces=eth0:vlan,eth1 | VLAN fixup performed on traffic captured on the eth0 interface only. |
| capture.device.params | interfaces=eth0:vlan,eth1 vlan-fix=true | VLAN fixup always performed because the vlan-fix setting overrides the interfaces setting. |
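
The override rule in the table can be checked before capture is restarted. The following is an added example, not NetWitness code: the function names are hypothetical, and it assumes the value is a space-separated list of name=value pairs as described above and that true/false is matched case-insensitively.

```python
import shlex

def parse_params(params):
    """Split a capture.device.params string into a {name: value} dict.

    shlex honours the name1="value1" name2="value2" quoting shown above.
    """
    settings = {}
    for token in shlex.split(params):
        name, sep, value = token.partition("=")
        if not sep or not name:
            raise ValueError(f"expected name=value, got {token!r}")
        settings[name] = value
    return settings

def vlan_fixup_by_interface(params):
    """Return (global_fix, {interface: fixup_enabled}) for a params string."""
    settings = parse_params(params)
    # Assumption: the value is compared case-insensitively; default is false.
    global_fix = settings.get("vlan-fix", "false").strip().lower() == "true"
    effective = {}
    for entry in settings.get("interfaces", "").split(","):
        name, _, suffix = entry.strip().partition(":")
        if name:
            # vlan-fix=true overrides the per-interface :vlan suffix.
            effective[name] = global_fix or suffix == "vlan"
    return global_fix, effective

def missing_fixup(params, tagged_interfaces):
    """List interfaces expected to carry VLAN tags that would lose them."""
    global_fix, effective = vlan_fixup_by_interface(params)
    if global_fix:
        return []
    return [i for i in tagged_interfaces if not effective.get(i, False)]

if __name__ == "__main__":
    # Constructed sample values, taken from the table rows above.
    for sample in ("vlan-fix=true",
                   "interfaces=eth0:vlan,eth1",
                   "interfaces=eth0:vlan,eth1 vlan-fix=true"):
        print(sample, "->", vlan_fixup_by_interface(sample))
    print(missing_fixup("interfaces=eth0:vlan,eth1", ["eth0", "eth1"]))
```

An interface returned by missing_fixup would have its tags removed at capture, so no VLAN meta data would be available for sessions seen on it.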

To configure the packet_mmap_ adapter to preserve the VLAN tags in packets:

  1. Go to Admin, select the Decoder service, and select the actions menu > View > Config.
  2. In the Decoder Configuration panel, set Capture Interface Selected to the packet_mmap_,ALL adapter.
    This is an example of a Config Value drop-down menu.
  3. To go to the Explore view, click Config in the toolbar and select Explore in the drop-down list.
  4. In the Services Explore view, select decoder > config.
    This is an example of the Explore view with decoder > config selected.
  5. Click in the values column next to capture.device.params, and do one of the following:
    • To preserve VLAN tags on an interface in the interfaces list, add :vlan after the interface name and press Enter.
      For example, this specifies that VLAN tags are preserved on em1, but not on em2 and em4:

      This is an example of the Explore view after changes.
      The change goes into effect after restarting capture; only traffic on em1 has the VLAN tags preserved.
    • To preserve VLAN tags on all interfaces, enter the following and press Enter:

      This is an example of the Explore view after changes.
      VLAN tags are preserved on all capture interfaces.
  6. Select Start Capture. The change takes effect after capture is restarted.