Using tcpdump to decode CDP or LLDP packets

CDP stands for Cisco Discovery Protocol, a layer 2 protocol used to share information about directly connected Cisco equipment (Wikipedia).

LLDP stands for Link Layer Discovery Protocol and replaces CDP.

LLDP is a vendor-neutral Data Link Layer protocol used by network devices to advertise their identity, capabilities and neighbours (Wikipedia).

This is useful for finding out which VLAN your network interface is connected to (assuming that you're using tagged VLANs), or which port on which switch you are plugged into.

CDP

## This will often show you the Cisco chassis switch; then use your firm's asset management software to find the upstream switch.
## -s 1500 captures 1500 bytes of the packet (a typical MTU size)
## ether[20:2] == 0x2000 - match only frames whose 2-byte value at byte offset 20 is hex 2000 (the CDP protocol ID)

# tcpdump -v -s 1500 -c 1 'ether[20:2] == 0x2000'
..
Device-ID (0x01), length: 28 bytes: 'cs1009-xd1.change.net'
..

LLDP

## Switch:
# tcpdump -i eth0 -s 1500 -XX -c 1 'ether proto 0x88cc'

## Port and CDP Neighbor Info:
# tcpdump -v -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'
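As an added example (not part of the original post), a small Python decoder that applies the same byte offsets the tcpdump filters above test (ethertype at offset 12, SNAP protocol ID at offset 20) to two constructed frames and pulls out the Device-ID, port and VLAN fields. The MAC addresses, port names and VLAN 42 are made-up sample values; the CDP checksum is not verified.

```python
import struct

LLDP_ETHERTYPE = 0x88CC   # tcpdump: 'ether proto 0x88cc' / 'ether[12:2] = 0x88cc'
CDP_SNAP_PROTO = 0x2000   # tcpdump: 'ether[20:2] == 0x2000'

def cdp_fields(frame):
    """Offset 20 = 14-byte 802.3 header + 3-byte LLC (aa aa 03) + 3-byte SNAP OUI (00 00 0c)."""
    if len(frame) < 26 or struct.unpack_from("!H", frame, 20)[0] != CDP_SNAP_PROTO:
        return None
    out, off = {}, 26          # skip CDP version(1), TTL(1), checksum(2); checksum not verified here
    while off + 4 <= len(frame):
        t, l = struct.unpack_from("!HH", frame, off)   # CDP TLV length includes its 4-byte header
        if l < 4: break                                 # malformed length: stop instead of looping
        v = frame[off + 4:off + l]
        if t == 0x0001: out["device_id"] = v.decode(errors="replace")
        elif t == 0x0003: out["port_id"] = v.decode(errors="replace")
        elif t == 0x000A: out["native_vlan"] = struct.unpack("!H", v[:2])[0]
        off += l
    return out

def lldp_fields(frame):
    """LLDP TLV header is 16 bits: 7-bit type, 9-bit length; type 0 ends the PDU."""
    if len(frame) < 16 or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        return None
    out, off = {}, 14
    while off + 2 <= len(frame):
        hdr = struct.unpack_from("!H", frame, off)[0]
        t, l = hdr >> 9, hdr & 0x1FF
        v = frame[off + 2:off + 2 + l]
        if t == 0: break
        if t == 1: out["chassis_id"] = v[1:].hex(":") if v[:1] == b"\x04" else v[1:].decode(errors="replace")
        elif t == 2: out["port_id"] = v[1:].decode(errors="replace")
        elif t == 3: out["ttl"] = struct.unpack("!H", v[:2])[0]
        elif t == 127 and v[:4] == b"\x00\x80\xc2\x01":   # IEEE 802.1 Port VLAN ID
            out["port_vlan"] = struct.unpack("!H", v[4:6])[0]
        off += 2 + l
    return out

# Constructed sample frames (made-up MACs, port names and VLAN 42), not captured traffic.
def _cdp_tlv(t, v): return struct.pack("!HH", t, 4 + len(v)) + v
def _lldp_tlv(t, v): return struct.pack("!H", (t << 9) | len(v)) + v
SRC_MAC = bytes.fromhex("001122334455")
CDP_BODY = (b"\x02\xb4\x00\x00" + _cdp_tlv(0x0001, b"cs1009-xd1.change.net")
            + _cdp_tlv(0x0003, b"GigabitEthernet1/0/7") + _cdp_tlv(0x000A, struct.pack("!H", 42)))
CDP_FRAME = (bytes.fromhex("01000ccccccc") + SRC_MAC + struct.pack("!H", 8 + len(CDP_BODY))
             + b"\xaa\xaa\x03\x00\x00\x0c" + struct.pack("!H", CDP_SNAP_PROTO) + CDP_BODY)
LLDP_FRAME = (bytes.fromhex("0180c200000e") + SRC_MAC + struct.pack("!H", LLDP_ETHERTYPE)
              + _lldp_tlv(1, b"\x04" + SRC_MAC) + _lldp_tlv(2, b"\x05Gi1/0/7")
              + _lldp_tlv(3, struct.pack("!H", 120))
              + _lldp_tlv(127, b"\x00\x80\xc2\x01" + struct.pack("!H", 42)) + _lldp_tlv(0, b""))
```

Feeding the raw bytes of a real capture (e.g. from `tcpdump -XX`) to these functions gives the same Device-ID and VLAN fields that `tcpdump -v` prints.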

Further reading:
http://en.wikipedia.org/wiki/Cisco_Discovery_Protocol
http://en.wikipedia.org/wiki/Link_Layer_Discovery_Protocol
