Quick note on seeing 802.1Q tags in wireshark.
Intel and Broadcom NICs need to have registry modifications in order to see the tags...the switch is passing them thru the mirror port.
Here are a few links and info on the issue:
http://wiki.wireshark.org/CaptureSetup/VLANhttp://www.intel.com/support/network/sb/CS-005897.htm-------------
If the ethernet NIC is using a broadcom chipset...if so, then review/execute the following:
BASP isn't supported on laptops (and other non-server machines?), but, at least for the BCM5751M NetXtreme Gigabit chips in IBM T43 & HP laptops, there is a registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet that can be set to cause the driver and chip not to strip the 802.1Q headers.
In order to set that key, you need to find the right instance of the driver in Registry Editor and set that key for it. You can do this by doing following:
1. Run the Registry Editor.
2. Search for "TxCoalescingTicks" and ensure this is the only instance that you have.
3. Right-click on the instance number (eg. 0008) and add a new string value.
4. Enter "PreserveVlanInfoInRxPacket" and give it the value "1".
This should set you up to be able to sniff the VLAN tag information.
***Note: This did not start working for me until I rebooted my laptop.
------------
-------
also a bit of info for vmware based systems:
On the vmware ESX server there is an option to set promiscuous mode on the physical nics...otherwise it won't pass the data.
The E1000 driver is an option for ESX server for certain OS's [IE windows server]
You should run the E1000 driver instead of the "VMware Accelerated AMD PCNet Adapter". The E1000 driver is not supported by all OS's so it's not offered to all VM's.
-----
I cannot say this is your exact problem, but this has generally been my problem when I couldn't see 802.1Q tags in Wireshark.
hth...Jeff
