Curious VLAN and differentiated services traffic with new TV
-
A couple of months ago, I bought a new Sharp TV. Today, I was watching its network traffic with Wireshark. I noticed that some traffic is on VLAN 1, with diffserv. This is happening even on ARP replies, but not the corresponding requests. Some of the TCP traffic has VLAN & diffserv as well. Why would pfSense use VLAN 1? Is this due to IGMP perhaps? Even DHCP is on VLAN 1 & diffserv. Is that what's telling pfSense to use VLAN 1? I've never seen DHCP use VLANs/diffserv before, when not on a network configured for VLAN.
I've attached the packet capture.
-
Did you create VLAN 1 and set that interface to VLAN 1 on eth0? Is the interface name eth0.1?
Where are you capturing?
-
No, I did not create a VLAN. I'm monitoring on the switch port connected to the TV. I have not configured anything on the TV, as it uses DHCP. I'm curious as to why pfSense is using VLAN 1 for an ARP reply, when it wasn't used on the request. What is it that causes pfSense to use VLAN 1? Even going back to the DHCP offer in frame 7, pfSense is using VLAN 1, but there's no mention of a VLAN in the discover in frame 6. The same situation happens with the request & ack. When I look at traffic for other devices, I don't see VLANs, and I don't have any enabled in pfSense.
-
WTF dude, this is IPv4 traffic ;) How is this possible?? hehehehe
Your new TV isn't using the standard? I would send it back if it doesn't support IPv6...
-
How about in a packet capture from pfSense going to the switch? Maybe the switch is adding that nonsense tag.
-
@Derelict said in Curious VLAN and differentiated services traffic with new TV:
How about in a packet capture from pfSense going to the switch? Maybe the switch is adding that nonsense tag.
I've attached a capture from pfSense Packet Capture. It doesn't show any VLAN tags, however, I also haven't seen any DNS sequence. I'll have to turn the TV off longer to see if I can get one. The previous capture was done with Wireshark & port mirroring on a Cisco switch. I'll also have to try with my "data tap" between pfSense and the Cisco switch. I have never configured VLANs on my Cisco switch.
-
I have just done some testing, watching ARP requests & replies. With pfSense Packet Capture, and also with Wireshark between pfSense and my Cisco switch or between the Cisco switch and the TV, I do not see any VLANs. However, monitoring the Cisco port leading to the TV, I see VLAN 1 coming from the Cisco switch, but not coming from the TV. It appears the Cisco port mirroring may be causing this, though I have no idea why. It's a Cisco SG 200-08 8-port switch.
-
So your port between pfSense and the one connecting the TV have no settings on them.. they are just access in VLAN 1?
-
@johnpoz said in Curious VLAN and differentiated services traffic with new TV:
So your port between pfSense and the one connecting the TV have no settings on them.. they are just access in VLAN 1?
There are no VLANs configured anywhere. However, as I mentioned above, this "VLAN" appears to be an artifact created by port mirroring in the Cisco switch. In addition to Packet Capture, I used my TP-Link "data tap" between the Cisco switch and both pfSense and the TV. At no point am I seeing a VLAN, other than when port monitoring through the Cisco switch.
This appears to be one time when TP-Link does something better than Cisco!
-
When you created the SPAN, you didn't happen to pick VLAN 1 vs just TX and RX on the port?
What firmware are you running on it?
-
Cisco has some settings that manipulate VLAN tags on mirror ports:
"The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP). However, when you enter the encapsulation replicate keywords when configuring a destination port, these changes occur: Packets are sent on the destination port with the same encapsulation—untagged, Inter-Switch Link (ISL), or IEEE 802.1Q—that they had on the source port. Packets of all types, including BPDU and Layer 2 protocol packets, are monitored."
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swspan.html
That doesn't exactly match what you are seeing but it's in the right wheelhouse.
-
Yeah, but the SMB line isn't running the full-blown IOS, so prob no way to alter such a setting.. have to look to see what I can do on the SG300s I have.
But yeah, it could be something along those lines causing it.
-
@johnpoz said in Curious VLAN and differentiated services traffic with new TV:
When you created the SPAN, you didn't happen to pick VLAN 1 vs just TX and RX on the port?
I have not configured VLANs on this switch at all.
What firmware are you running on it?
1.0.8.3. That's the latest available for this switch.
-
Here, check out this thread - this is what you're seeing, right?
https://community.cisco.com/t5/small-business-switches/mirror-vlan-tag-not-stripped/td-p/2272832/page/2
"I can see this issue on SG200-8, I think it's not a bug, but an enhancement. For TX packets, by default they will be added a dot1q tag."
If I'm reading it right, they got around it via doing SPANs of just the RX on the 2 ports vs TX and RX on 1 port.
-
@Derelict said in Curious VLAN and differentiated services traffic with new TV:
Cisco has some settings that manipulate VLAN tags on mirror ports:
I don't know what tags it would manipulate, as I don't have any VLANs configured on this switch.
BTW, I'm more used to the term mirror, rather than span, as I started doing this sort of thing on Adtran gear, where it was called port mirroring. It's also called mirroring on both my Cisco and TP-Link switches. In fact, until recently, on another thread, I had never heard of span in this application. In my earlier experience, "span" referred to span lines, which carried T1 signals over significant distances, through the use of repeaters.
-
No idea, man. I don't have one of those switches.
-
But there still is the default VLAN 1.. you cannot get rid of it.. you can just change the default. I changed my default VLAN to 9, but VLAN 1 is still there, even if not used.
-
@johnpoz said in Curious VLAN and differentiated services traffic with new TV:
Here, check out this thread - this is what you're seeing, right?
https://community.cisco.com/t5/small-business-switches/mirror-vlan-tag-not-stripped/td-p/2272832/page/2
"I can see this issue on SG200-8, I think it's not a bug, but an enhancement. For TX packets, by default they will be added a dot1q tag."
If I'm reading it right, they got around it via doing SPANs of just the RX on the 2 ports vs TX and RX on 1 port.
Could be. I'll have to check further. I just don't recall seeing that before, though I wasn't looking. Regardless, I wouldn't expect a tag to be added. What would happen if there were already 2 tags (QinQ)? I have worked on networks where that was used.
-
Your destination port on the mirror cannot be a member of a VLAN. All tags should be stripped going to the destination mirror port.. The way I read that thread (really quick) is that it is a "feature" of adding a tag to the TX traffic that is sent to the mirror port.. I think the suggestion of just using 2 RX sources would be a quick workaround for the "feature" ;)
-
Have to ask Cisco.
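The diagnosis in this thread is that the 802.1Q VLAN 1 tag appears only on frames the switch transmits toward the mirrored port, never on frames the TV itself sends. Below is an added example (not code from the thread or from any of the vendors mentioned) that parses raw Ethernet frames for the 802.1Q tag and the IPv4 DSCP field, then checks whether the tags follow that one-directional pattern; the MAC addresses and frames are constructed sample data, and the DSCP value is an arbitrary placeholder.

```python
import struct

ETHERTYPE_8021Q, ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x8100, 0x0806, 0x0800

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst, src, etype, payload, vlan=None, pcp=0):
    """Raw Ethernet frame; an 802.1Q tag (TPID + TCI) is inserted only when vlan is given."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    return hdr + struct.pack("!H", etype) + payload

def ipv4_stub(dscp):
    """Minimal 20-byte IPv4 header carrying only the DSCP field (constructed, no checksum)."""
    return bytes([0x45, dscp << 2]) + b"\x00" * 18

def parse_frame(frame):
    """Return MACs, VLAN ID (None if untagged), EtherType and IPv4 DSCP (None if not IPv4)."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if etype == ETHERTYPE_8021Q:          # tag sits between src MAC and the real EtherType
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    dscp = frame[off + 1] >> 2 if etype == ETHERTYPE_IPV4 else None  # upper 6 bits of TOS
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": etype, "dscp": dscp}

def tags_by_direction(frames, device_mac):
    """VLAN IDs seen on frames sent by the monitored device vs. frames sent to it."""
    seen = {"from_device": set(), "to_device": set()}
    for f in map(parse_frame, frames):
        seen["from_device" if f["src"] == device_mac else "to_device"].add(f["vlan"])
    return seen

def looks_like_mirror_tx_tagging(frames, device_mac):
    """True when the device's own frames are untagged but every frame toward it is tagged,
    the pattern a mirror port that tags TX traffic produces (not a real VLAN on the wire)."""
    seen = tags_by_direction(frames, device_mac)
    return seen["from_device"] == {None} and bool(seen["to_device"]) and None not in seen["to_device"]

# Constructed sample: TV = 02:00:00:00:00:01, firewall = 02:00:00:00:00:02 (locally administered, not real).
TV, FW = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", TV, ETHERTYPE_ARP, b"\x00" * 28),   # ARP request from TV, untagged
    build_frame(TV, FW, ETHERTYPE_ARP, b"\x00" * 28, vlan=1),             # ARP reply toward TV, VLAN 1
    build_frame(TV, FW, ETHERTYPE_IPV4, ipv4_stub(48), vlan=1),           # IPv4 toward TV, VLAN 1, DSCP 48
]
```

Feeding frames captured from the mirror port and from an inline tap into `tags_by_direction` side by side makes the artifact visible: only the mirror capture shows a tag, and only in the "to_device" direction.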