2026-06-03

VLAN Tag Missing in PCAP Analysis: 802.1Q Tags, Native VLAN, Trunk Ports, Driver Stripping, and Wrong Capture Point

How to analyze missing VLAN tags in packet captures, 802.1Q tagging, native VLAN behavior, trunk port mistakes, driver tag stripping, capture filters, and VLAN mismatch failures.

vlan tag missing, 802.1q, native vlan, trunk port, capture filter, driver stripping, pcap analysis

VLAN problems often look like DHCP failure, missing replies, one-way traffic, or firewall drops. Users search for "VLAN tag missing pcap", "802.1Q Wireshark capture", "native VLAN untagged", "trunk port packet capture", "driver strips VLAN tag", and "capture filter vlan not working" when the pcap does not match switch configuration.

PCAP Surgery is useful because VLAN evidence depends heavily on capture point, driver behavior, filters, and whether the packet was captured before or after tag stripping.

What an 802.1Q tag proves

An 802.1Q tag carries VLAN identity in the Ethernet frame. If the tag is visible, the capture can show the VLAN ID, priority bits, and encapsulated ethertype.

If the tag is missing, several possibilities exist:

  • Packet is truly untagged.
  • Native VLAN removed the tag.
  • Capture point is after tag stripping.
  • Network driver stripped the tag before pcap saw it.
  • Capture filter excluded tagged frames.
  • Mirror/SPAN configuration changed the frame.
  • Virtual switch presented de-VLANized traffic.

Do not assume "no tag in pcap" means "no tag on the wire."

Native VLAN behavior

On many trunks, native VLAN traffic is sent untagged. That can surprise engineers who expect every trunk packet to show an 802.1Q header.

Symptoms:

  • VLAN 10 appears tagged, VLAN 1 appears untagged.
  • DHCP arrives untagged on native VLAN.
  • One side expects tagged native VLAN.
  • Switches disagree on native VLAN.
  • Untagged frames are classified into the wrong VLAN.

The pcap should be interpreted with switch port mode and native VLAN configuration.

Driver tag stripping

Operating systems and NIC drivers may strip VLAN tags before packets reach the capture tool. Capturing on a VLAN subinterface may show de-tagged packets because the OS has already classified them.

Better evidence may require:

  • Capturing on the physical interface.
  • Disabling VLAN offload if possible.
  • Capturing on a switch mirror port.
  • Capturing on both trunk endpoints.
  • Checking NIC driver offload settings.

PCAP Surgery can preserve and label captures from different points.

Capture filters and VLAN

Capture filters can behave differently for tagged frames. A filter that matches untagged IP traffic may miss tagged traffic unless the filter accounts for VLAN headers.

Symptoms:

  • Ping works but capture shows nothing.
  • Only untagged traffic appears.
  • DHCP is missing from one VLAN.
  • Same flow appears after filter is removed.

Before diagnosing the network, validate the capture filter.

Trunk allowed VLAN mistakes

If a VLAN is missing from allowed trunk lists, traffic may never cross the link. A capture on one side may show frames leaving, while the other side sees nothing.

Evidence:

  • Tagged frames leave source switch.
  • No matching frames arrive on destination side.
  • Other VLANs work.
  • STP state differs per VLAN.
  • Native VLAN mismatch logs appear.

This is a network configuration problem, not a host stack problem.

Virtualization and cloud mirrors

VMs, containers, and cloud packet mirrors complicate VLAN visibility.

Possible issues:

  • Hypervisor strips tag before guest capture.
  • Port group expects a specific VLAN ID.
  • Trunk mode not enabled for VM NIC.
  • Cloud mirror omits original L2 tag.
  • Container bridge sees only de-tagged traffic.

Always document capture point and virtualization layer.

Debug checklist

Use this workflow:

  1. Identify expected VLAN ID.
  2. Identify capture point.
  3. Confirm physical vs VLAN subinterface capture.
  4. Check whether native VLAN should be untagged.
  5. Remove or adjust capture filters.
  6. Check NIC VLAN offload behavior.
  7. Capture on trunk ingress and egress.
  8. Compare switch allowed VLAN configuration.
  9. Preserve tagged and untagged examples.
  10. Label each pcap with interface and port mode.

Final diagnosis

Missing VLAN tags in a pcap do not automatically mean missing VLAN tags on the wire. The cause may be native VLAN behavior, driver stripping, capture filters, virtual switching, or a truly misconfigured trunk.

PCAP Surgery helps preserve the exact tagged frames, untagged frames, capture points, and flow evidence needed to prove the VLAN failure path.