I've been putting together a forthcoming post on QinQ tunneling and as part of that I wanted to capture some 802.1Q tagged frames with SPAN and Wireshark to display. I suppose my first mistake was trying to use Windows to do this... But I was capturing packets with an 802.1Q tag in them, just not the multiple tags I expected of the QinQ frames. I spent too many hours trying to figure out why it wasn't working the way I wanted it to, ripping apart the SPAN documentation, reading blog posts by bloggers I follow, and naturally, the Wireshark documentation itself.
Because I was seeing one tag I figured my Realtek PCIe GBE Family Controller network adapter must be able to handle tags, but why was it only striping off one tag and not both?
Turns out there is a fix here. If you go into the device properties from the Device Manager, click on the advanced tab, there's a 'Priority and VLAN" setting. In there the default was "Priority and VLAN Enabled". To me I took this to me VLAN tags were enabled, so the NIC would understand tags and I would be able to see them. This was incorrect. What you want to do it set it to the disabled setting, and then the NIC will just blindly pass the frame on as is, and not process the tags! With the setting enabled the NIC was processing the first tag, stripping it, and passing along the rest of the frame with my inner QinQ tag in tact! Once I disabled this everything worked great and I was now capturing frames with multiple tags.
Stay tuned for the upcoming QinQ post!