diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index d4cbeaf893..6432eb5bd0 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -14,3 +14,4 @@
 @load base/packet-protocols/mpls
 @load base/packet-protocols/gre
 @load base/packet-protocols/iptunnel
+@load base/packet-protocols/vntag
diff --git a/scripts/base/packet-protocols/ethernet/main.zeek b/scripts/base/packet-protocols/ethernet/main.zeek
index 57b16262fa..75191a2c8a 100644
--- a/scripts/base/packet-protocols/ethernet/main.zeek
+++ b/scripts/base/packet-protocols/ethernet/main.zeek
@@ -20,4 +20,5 @@ event zeek_init() &priority=20
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x88A8, PacketAnalyzer::ANALYZER_VLAN);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8864, PacketAnalyzer::ANALYZER_PPPOE);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 0x8926, PacketAnalyzer::ANALYZER_VNTAG);
 	}
\ No newline at end of file
diff --git a/scripts/base/packet-protocols/vntag/__load__.zeek b/scripts/base/packet-protocols/vntag/__load__.zeek
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/packet-protocols/vntag/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/packet-protocols/vntag/main.zeek b/scripts/base/packet-protocols/vntag/main.zeek
new file mode 100644
index 0000000000..a34e733d0f
--- /dev/null
+++ b/scripts/base/packet-protocols/vntag/main.zeek
@@ -0,0 +1,8 @@
+module PacketAnalyzer::VNTAG;
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 0x8100, PacketAnalyzer::ANALYZER_VLAN);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 0x88A8, PacketAnalyzer::ANALYZER_VLAN);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 0x9100, PacketAnalyzer::ANALYZER_VLAN);
+	}
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index 4d9d12ba2c..62d1e1549b 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -17,3 +17,4 @@ add_subdirectory(arp)
 add_subdirectory(ip)
 add_subdirectory(gre)
 add_subdirectory(iptunnel)
+add_subdirectory(vntag)
diff --git a/src/packet_analysis/protocol/vntag/CMakeLists.txt b/src/packet_analysis/protocol/vntag/CMakeLists.txt
new file mode 100644
index 0000000000..2fe273c239
--- /dev/null
+++ b/src/packet_analysis/protocol/vntag/CMakeLists.txt
@@ -0,0 +1,8 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(PacketAnalyzer VNTag)
+zeek_plugin_cc(VNTag.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/vntag/Plugin.cc b/src/packet_analysis/protocol/vntag/Plugin.cc
new file mode 100644
index 0000000000..1d877fb086
--- /dev/null
+++ b/src/packet_analysis/protocol/vntag/Plugin.cc
@@ -0,0 +1,24 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/vntag/VNTag.h"
+
+namespace zeek::plugin::Zeek_VNTag {
+
+class Plugin : public zeek::plugin::Plugin {
+public:
+    zeek::plugin::Configuration Configure()
+        {
+        AddComponent(new zeek::packet_analysis::Component("VNTag",
+                         zeek::packet_analysis::VNTag::VNTagAnalyzer::Instantiate));
+
+        zeek::plugin::Configuration config;
+        config.name = "Zeek::VNTag";
+        config.description = "VNTag packet analyzer";
+        return config;
+        }
+
+} plugin;
+
+}
diff --git a/src/packet_analysis/protocol/vntag/VNTag.cc b/src/packet_analysis/protocol/vntag/VNTag.cc
new file mode 100644
index 0000000000..b70f011b6d
--- /dev/null
+++ b/src/packet_analysis/protocol/vntag/VNTag.cc
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/vntag/VNTag.h"
+
+using namespace zeek::packet_analysis::VNTag;
+
+VNTagAnalyzer::VNTagAnalyzer()
+	: zeek::packet_analysis::Analyzer("VNTag")
+	{
+	}
+
+bool VNTagAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( 6 >= len )
+		{
+		Weird("truncated_vntag_header", packet);
+		return false;
+		}
+
+	uint32_t protocol = ((data[4] << 8u) + data[5]);
+	// Skip the VNTag header
+	return ForwardPacket(len - 6, data + 6, packet, protocol);
+	}
diff --git a/src/packet_analysis/protocol/vntag/VNTag.h b/src/packet_analysis/protocol/vntag/VNTag.h
new file mode 100644
index 0000000000..840192e290
--- /dev/null
+++ b/src/packet_analysis/protocol/vntag/VNTag.h
@@ -0,0 +1,23 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::VNTag {
+
+class VNTagAnalyzer : public Analyzer {
+public:
+	VNTagAnalyzer();
+	~VNTagAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<VNTagAnalyzer>();
+		}
+};
+
+}
diff --git a/testing/btest/Baseline/core.vntag/unknown_protocols.log b/testing/btest/Baseline/core.vntag/unknown_protocols.log
new file mode 100644
index 0000000000..c7ddb819f3
--- /dev/null
+++ b/testing/btest/Baseline/core.vntag/unknown_protocols.log
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	unknown_protocols
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	analyzer	protocol_id	first_bytes
+#types	time	string	string	string
+XXXXXXXXXX.XXXXXX	IP	0xfd	1b794b175fac06aba658
+XXXXXXXXXX.XXXXXX	IP	0xfd	9d6c1f9e20274bb66385
+XXXXXXXXXX.XXXXXX	IP	0xfd	06ffb64ded001f65f818
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index ab27460182..43222b07e4 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -54,6 +54,8 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/gre/main.zeek
     scripts/base/packet-protocols/iptunnel/__load__.zeek
       scripts/base/packet-protocols/iptunnel/main.zeek
+    scripts/base/packet-protocols/vntag/__load__.zeek
+      scripts/base/packet-protocols/vntag/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 9d354656f8..e65e4dd62e 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -54,6 +54,8 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/gre/main.zeek
     scripts/base/packet-protocols/iptunnel/__load__.zeek
       scripts/base/packet-protocols/iptunnel/main.zeek
+    scripts/base/packet-protocols/vntag/__load__.zeek
+      scripts/base/packet-protocols/vntag/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 881178dbc4..780e01ccde 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -562,6 +562,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34887, PacketAnalyzer::ANALYZER_MPLS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34916, PacketAnalyzer::ANALYZER_PPPOE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -601,6 +602,9 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34887, PacketAnalyzer::ANALYZER_MPLS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34916, PacketAnalyzer::ANALYZER_PPPOE)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::install, <frame>, ()) -> <no result>
@@ -976,6 +980,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/utils, <...>/utils.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/version, <...>/version.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/vlan, <...>/vlan) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/vntag, <...>/vntag) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/weird, <...>/weird.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/x509, <...>/x509) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/xmpp, <...>/xmpp) -> -1
@@ -1560,6 +1565,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34887, PacketAnalyzer::ANALYZER_MPLS))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34916, PacketAnalyzer::ANALYZER_PPPOE))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP))
@@ -1599,6 +1605,9 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34887, PacketAnalyzer::ANALYZER_MPLS))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34916, PacketAnalyzer::ANALYZER_PPPOE))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
 0.000000   MetaHookPre   CallFunction(PacketFilter::install, <frame>, ())
@@ -1974,6 +1983,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/utils, <...>/utils.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/version, <...>/version.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/vlan, <...>/vlan)
+0.000000   MetaHookPre   LoadFile(0, base<...>/vntag, <...>/vntag)
 0.000000   MetaHookPre   LoadFile(0, base<...>/weird, <...>/weird.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/x509, <...>/x509)
 0.000000   MetaHookPre   LoadFile(0, base<...>/xmpp, <...>/xmpp)
@@ -2557,6 +2567,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34887, PacketAnalyzer::ANALYZER_MPLS)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34916, PacketAnalyzer::ANALYZER_PPPOE)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)
@@ -2596,6 +2607,9 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34887, PacketAnalyzer::ANALYZER_MPLS)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34916, PacketAnalyzer::ANALYZER_PPPOE)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
 0.000000 | HookCallFunction PacketFilter::install()
@@ -2983,6 +2997,7 @@
 0.000000 | HookLoadFile  base<...>/utils <...>/utils.zeek
 0.000000 | HookLoadFile  base<...>/version <...>/version.zeek
 0.000000 | HookLoadFile  base<...>/vlan <...>/vlan
+0.000000 | HookLoadFile  base<...>/vntag <...>/vntag
 0.000000 | HookLoadFile  base<...>/weird <...>/weird.zeek
 0.000000 | HookLoadFile  base<...>/x509 <...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp <...>/xmpp
diff --git a/testing/btest/Traces/vntag.pcap b/testing/btest/Traces/vntag.pcap
new file mode 100644
index 0000000000..0ac176658d
Binary files /dev/null and b/testing/btest/Traces/vntag.pcap differ
diff --git a/testing/btest/core/vntag.zeek b/testing/btest/core/vntag.zeek
new file mode 100644
index 0000000000..1380fcae98
--- /dev/null
+++ b/testing/btest/core/vntag.zeek
@@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -C -r $TRACES/vntag.pcap %INPUT
+# @TEST-EXEC: btest-diff unknown_protocols.log
+
+@load policy/misc/unknown-protocols
\ No newline at end of file