
Are we able to decrypt DOT1Q/ TRUNQ traffic with DCRUM?

rodrigo_maldona
Dynatracer

Do you know if we are able to decrypt TRUNQ or DOT1Q traffic in DCRUM? At my customer we have several applications monitored, however they told me they are not able to see all the traffic due to some of it being on TRUNQ and DOT1Q, so I was wondering if there is a way to decrypt it to be able to see it.

I was told already that we might be able to see it since we have layer 2 visibility since 12.3.

6 REPLIES

Babar_Qayyum
Leader

Hello Rodrigo,

If I am not wrong the layer 2 visibility was introduced in version 12.4.x


Starting from the network data link layer discovery (L2), navigate up through nodes and locations discovery (L3), to application discovery (L4-L5), and up to specific services with their critical functions (L7), with visibility into application errors that may affect the service delivery.

Check the release note.

https://community.dynatrace.com/community/display/...

Regards,

Babar

Correct, you need 12.4 to get L2 visibility (VLANs, tunnels, etc.).

Requires enabling a global setting on each AMD too.

Thanks, we are running with 12.4.8, and have the layer 2 option activated, however I'm still unsure as to how to decrypt and see this traffic.

Hi @Rodrigo M.

802.1q is not any encryption so there is nothing to decrypt.

It's a way of tagging packets https://en.wikipedia.org/wiki/IEEE_802.1Q

You simply get some more data in each frame. Then it's up to the software whether to see/understand/decode that or not.

Typically, the tag isn't normally forwarded by SPAN unless specifically instructed to and therefore you don't see them. If you use a network tap (much recommended) you will always see the tags.

ulf_thornander3
Inactive

But to answer your question @Rodrigo M. You "should" see all traffic anyway. In previous releases, the 802.1q tags were just peeled off and the content was accounted for. If you don't see that particular traffic (without the VLAN info though), you are probably not receiving it.

john_leight
Dynatrace Pro

An AMD capture showed no vlan tagging (802.1Q) information was being passed.

Cisco SPANs - by default - do not pass the vlan tags.

For a Cisco 2950 - To enable and disable tagging of the packets at the SPAN destination port. Issue the monitor session session_number destination interface interface_id encapsulation dot1q command in order to enable encapsulation of the packets at the destination port. If you do not specify the encapsulation keyword, the packets are sent untagged, which is the default in Cisco IOS Software Release 12.1(11)EA1 and later.

For a Cisco 3750 - (Optional) Enter encapsulation replicate to specify that the destination interface replicates the source interface encapsulation method. If not selected, the default is to send packets in native form (untagged).
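
Added example, not part of the thread and not Dynatrace or Cisco code: a small Python check of the point made in the replies above, that an 802.1Q tag is four extra bytes in the frame header rather than encryption, and that a capture can be tested for whether the SPAN is delivering tags at all. The sample frames are constructed, the function names are hypothetical, and only a single tag is handled (no QinQ).

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    info = {"vlan": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information (16 bits), then the real EtherType
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vlan=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]  # same cleartext bytes, tagged or not
    return info


def vlan_summary(frames) -> Counter:
    """Count frames per VLAN ID; the key None means the frame arrived untagged."""
    return Counter(parse_frame(f)["vlan"] for f in frames)


# Constructed sample frames (not from a real capture). The payload is
# placeholder bytes, not a real IPv4 packet.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"application-bytes"
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
# TCI: priority 5, DEI 0, VLAN 100
TAGGED = DST + SRC + struct.pack("!HHH", TPID_8021Q, (5 << 13) | 100, 0x0800) + PAYLOAD

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        print(name, parse_frame(frame))
    print(vlan_summary([UNTAGGED, TAGGED, TAGGED]))
```

If every frame in a capture from the monitoring port lands under the None key, the tags are being removed before they reach the probe, which matches the default SPAN behaviour quoted above.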