The end of Movember

So...  I don't have a moustache or a beard so far... but I collaborated at work by letting a guy take a picture of me with a fake moustache to support this and help spread the word about what it is.

It seems not enough people get the idea yet, but here we are, trying to let other guys know what it is about and to take care of themselves.




They "encourage" us by offering a cup, probably to remind us for the rest of the year that "Movember" is not just one month and that we should visit the doctor just as a precaution. It's a very good idea, simple and fun, until next "Movember".

How to determine switch/port Info using tcpdump / snoop decoding CDP and/or LLDP packets



This is a handy way to get a lot of info about the switch/port an interface is connected to.



CDP stands for Cisco Discovery Protocol, a Layer 2 protocol used to share information about directly connected Cisco equipment (Wikipedia). It is carried in 802.3 frames with an LLC/SNAP header, sent to the multicast address 01:00:0C:CC:CC:CC with SNAP protocol ID 0x2000. That protocol ID is what the tcpdump filter tests:
## ether[20:2] == 0x2000 - match frames whose two bytes at offset 20 equal hex 2000; offset 20 is the SNAP protocol ID, right after the 14-byte 802.3 header, the 3-byte LLC header and the 3-byte Cisco OUI

LLDP stands for Link Layer Discovery Protocol and is the vendor-neutral (IEEE 802.1AB) counterpart of CDP.
LLDP is a Data Link Layer protocol used by network devices to advertise their identity, capabilities and neighbours (Wikipedia). It has its own EtherType, 0x88cc, so a plain protocol filter is enough:
## tcpdump -i eth0 -s 1500 -XX -c 1 'ether proto 0x88cc'



The following command shows how to use tcpdump if you ever need switch/port info on a Linux host. It matches both LLDP (EtherType 0x88cc at offset 12) and CDP (SNAP protocol ID 0x2000 at offset 20), so it works whether the upstream switch is a Cisco device speaking CDP or any device speaking LLDP. Be patient: by default switches send CDP every 60 seconds and LLDP every 30 seconds, so -c 1 may block for up to a minute. If nothing arrives at all, the switch most likely has CDP/LLDP disabled on that port, which is common on user-facing ports precisely because these advertisements hand the switch hostname, software version, management IP and native VLAN to anyone on the segment.

tcpdump -nn -vv -i <interface> -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'

Example:



root@arrakis:~# tcpdump -nn -vv -i eth0 -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'


tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
11:27:11.578327 CDPv2, ttl: 180s, checksum: 341 (unverified), length 213
    Device-ID (0x01), length: 62 bytes: 'your.cisco.device.com'
    Version String (0x05), length: 237 bytes: 
    Cisco IOS Software, Catalyst AB00 L3 Switch Software (catAB00-blablabla), Version blebleble (wxy) ...bla bla bla bla bla .....
    Platform (0x06), length: 28 bytes: 'cisco AA-B0123'
    Address (0x02), length: 26 bytes: IPv4 (1) 1.2.3.4
    Port-ID (0x03), length: 36 bytes: 'GigabitEthernet1/2'
    Capability (0x04), length: 8 bytes: (0x00000014): L2 Switch, IGMP snooping
    VTP Management Domain (0x09), length: 6 bytes: ''
    Native VLAN ID (0x0a), length: 6 bytes: 400
    Duplex (0x0b), length: 3 bytes: full
    AVVID trust bitmap (0x12), length: 1 byte: 0x00
    AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
    Management Addresses (0x16), length: 13 bytes: IPv4 (1) 1.2.3.4
    unknown field type (0x1c), length: 12 bytes: 
      0x0000:  0001 0001 1000 0010 eeee eeee
1 packets captured
1 packets received by filter
0 packets dropped by kernel


So this command works for almost everyone out there, but what if you use Solaris instead of Linux?

Here's the command/example. snoop's version filters on the two destination multicast MAC addresses (01:00:0c:cc:cc:cc for CDP, 01:80:C2:00:00:0E for LLDP) instead of on byte offsets:


snoop -v -x0 -d <interface> dst 01:00:0c:cc:cc:cc or 01:80:C2:00:00:0E

moadib# snoop -v -x0 -d e1000g0 dst 01:00:0c:cc:cc:cc or 01:80:C2:00:00:0E | egrep -i "Port|system"
Using device e1000g0 (promiscuous mode)
LLDP:  Port ID Subtype: 7 (Local)
LLDP:  Port ID: Eth2/3
LLDP:  Port Description: your_port_description
LLDP:  System Name: your.cisco.device.com
LLDP:  System Description: Cisco BliBli Operating System (EE-OS) Software some number here
blablabla...
blebleble...
LLDP:  System Capabilities: ..............
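As an added example that is not part of the original post, the following Python script decodes both frame types the tcpdump and snoop commands above capture. It applies the same byte-offset test as the tcpdump filter (EtherType 0x88cc at offset 12, SNAP protocol ID 0x2000 at offset 20), then walks the CDP TLVs (after the 802.3 length, LLC and SNAP headers) or the LLDP TLVs (directly after the EtherType) to pull out the device name, port, native VLAN, TTL and capabilities that tcpdump and snoop print, and it verifies the CDP checksum that tcpdump reports as "(unverified)". The two frames it parses are constructed inline; the switch name sw1.example.net, the MAC addresses, the platform string and VLAN 400 are invented for the example.

```python
# Added example, not code from the original post; all frames, names and
# addresses are constructed. Decodes CDP and LLDP the way tcpdump and snoop do.
import struct

CDP_DST = bytes.fromhex("01000ccccccc")     # 01:00:0C:CC:CC:CC (shared with VTP and UDLD)
LLDP_DST = bytes.fromhex("0180c200000e")    # 01:80:C2:00:00:0E
SRC_MAC = bytes.fromhex("021122334455")     # constructed, locally administered
ETHERTYPE_LLDP, CDP_SNAP_PID = b"\x88\xcc", b"\x20\x00"
LLC_SNAP_CISCO = bytes.fromhex("aaaa03" "00000c")   # LLC DSAP/SSAP/ctrl + Cisco OUI
txt = lambda v: v.decode("ascii", "replace")
u16 = lambda v: struct.unpack(">H", v)[0]
u32 = lambda v: struct.unpack(">I", v)[0]
# CDP TLV type -> (name as tcpdump prints it, value decoder)
CDP_TLV = {0x01: ("Device-ID", txt), 0x03: ("Port-ID", txt),
           0x04: ("Capability", u32),          # bit 0x04 = L2 switch, 0x10 = IGMP snooping
           0x06: ("Platform", txt), 0x0a: ("Native VLAN ID", u16),
           0x0b: ("Duplex", lambda v: "full" if v[0] else "half")}
# LLDP TLV type -> (name as snoop prints it, decoder); Chassis/Port ID carry a subtype byte first
LLDP_TLV = {1: ("Chassis ID", lambda v: v[1:].hex(":") if v[0] == 4 else txt(v[1:])),  # 4 = MAC
            2: ("Port ID", lambda v: v[1:].hex(":") if v[0] == 3 else txt(v[1:])),     # 3 = MAC
            3: ("TTL", u16), 4: ("Port Description", txt), 5: ("System Name", txt),
            6: ("System Description", txt),
            7: ("System Capabilities", lambda v: dict(zip(("capable", "enabled"), struct.unpack(">HH", v))))}


def inet_checksum(data):
    """One's-complement Internet checksum over the CDP PDU (even length; Cisco's odd-length variant differs)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def matches_tcpdump_filter(frame):
    """Same test as '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'."""
    return frame[12:14] == ETHERTYPE_LLDP or frame[20:22] == CDP_SNAP_PID


def parse_cdp(frame):
    """CDP PDU at offset 22 (after 802.3 length + LLC/SNAP): version, holdtime,
    checksum, then TLVs whose 2-byte length includes their own 4-byte header."""
    body = frame[22:]
    info = {"proto": "CDP", "dst": frame[:6].hex(":"), "ttl": body[1],
            "checksum_ok": inet_checksum(body) == 0}
    off = 4
    while off + 4 <= len(body):
        t, length = struct.unpack(">HH", body[off:off + 4])
        if length < 4:
            break                                    # malformed TLV; do not loop forever
        name, decode = CDP_TLV.get(t, ("unknown 0x%02x" % t, bytes.hex))
        info[name] = decode(body[off + 4:off + length])
        off += length
    return info


def parse_lldp(frame):
    """LLDP at offset 14 (after EtherType 0x88cc): 2-byte TLV headers with a
    7-bit type and 9-bit length, terminated by the End TLV (type 0)."""
    info, off = {"proto": "LLDP", "dst": frame[:6].hex(":")}, 14
    while off + 2 <= len(frame):
        hdr = u16(frame[off:off + 2])
        t, length = hdr >> 9, hdr & 0x1FF
        if t == 0:
            break
        name, decode = LLDP_TLV.get(t, ("unknown %d" % t, bytes.hex))
        info[name] = decode(frame[off + 2:off + 2 + length])
        off += 2 + length
    return info


def decode_neighbor(frame):
    """Decoded switch/port info, or None for a frame the tcpdump filter would drop."""
    if not matches_tcpdump_filter(frame):
        return None
    return parse_lldp(frame) if frame[12:14] == ETHERTYPE_LLDP else parse_cdp(frame)


def build_cdp_frame(device_id, port_id, platform, native_vlan):
    tlv = lambda t, v: struct.pack(">HH", t, len(v) + 4) + v
    pdu = bytes([2, 180]) + b"\x00\x00"             # CDPv2, holdtime 180 s, checksum placeholder
    pdu += (tlv(0x01, device_id.encode()) + tlv(0x03, port_id.encode())
            + tlv(0x04, struct.pack(">I", 0x14)) + tlv(0x06, platform.encode())
            + tlv(0x0a, struct.pack(">H", native_vlan)) + tlv(0x0b, b"\x01"))
    pdu = pdu[:2] + struct.pack(">H", inet_checksum(pdu)) + pdu[4:]
    payload = LLC_SNAP_CISCO + CDP_SNAP_PID + pdu
    return CDP_DST + SRC_MAC + struct.pack(">H", len(payload)) + payload


def build_lldp_frame(chassis_mac, port_id, system_name, port_desc):
    tlv = lambda t, v: struct.pack(">H", (t << 9) | len(v)) + v
    return LLDP_DST + SRC_MAC + ETHERTYPE_LLDP + (
        tlv(1, b"\x04" + chassis_mac) + tlv(2, b"\x07" + port_id.encode())  # subtype 4 = MAC, 7 = local
        + tlv(3, struct.pack(">H", 120)) + tlv(4, port_desc.encode()) + tlv(5, system_name.encode())
        + tlv(6, b"constructed system description")
        + tlv(7, struct.pack(">HH", 0x0004, 0x0004)) + tlv(0, b""))         # bridge capable/enabled; End


CDP_FRAME = build_cdp_frame("sw1.example.net", "GigabitEthernet1/2", "cisco EXAMPLE-SWITCH", 400)
LLDP_FRAME = build_lldp_frame(SRC_MAC, "Eth2/3", "sw1.example.net", "uplink to host")
NOISE_FRAME = b"\xff" * 6 + SRC_MAC + b"\x08\x00" + bytes(40)                # ordinary IPv4 broadcast
```

Call decode_neighbor() on a frame to get a dict keyed by the same field names tcpdump and snoop print; the broadcast frame returns None because it fails the filter, exactly as tcpdump would drop it. On a live host the same functions can be fed raw frames from a packet socket or a pcap reader, since they only look at byte offsets. The CDP checksum check is the standard Internet checksum and assumes an even-length PDU, which is the common case; a corrupted byte in the PDU makes checksum_ok come back False.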


Here's a table with the destination MAC addresses of the Layer 2 protocols Juniper supports, taken from http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/l2pt-qfx-series.html:

Table 1: Protocol Destination MAC Addresses

Protocol                                                    Ethernet Encapsulation   MAC Address
802.1X                                                      Ether-II                 01:80:C2:00:00:03
802.3ah                                                     Ether-II                 01:80:C2:00:00:02
Cisco Discovery Protocol (CDP)                              SNAP                     01:00:0C:CC:CC:CC
Ethernet local management interface (E-LMI)                 Ether-II                 01:80:C2:00:00:07
Multiple VLAN Registration Protocol (MVRP)                  Ether-II                 01:80:C2:00:00:21
Link Aggregation Control Protocol (LACP)                    Ether-II                 01:80:C2:00:00:02
Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol
  (RSTP), and Multiple Spanning Tree Protocol (MSTP)        LLC                      01:80:C2:00:00:00
Link Layer Discovery Protocol (LLDP)                        Ether-II                 01:80:C2:00:00:0E
Multiple MAC Registration Protocol (MMRP)                   Ether-II                 01:80:C2:00:00:20
Unidirectional Link Detection (UDLD)                        SNAP                     01:00:0C:CC:CC:CC
VLAN Spanning Tree Protocol (VSTP)                          SNAP                     01:00:0C:CC:CC:CD
VLAN Trunking Protocol (VTP)                                SNAP                     01:00:0C:CC:CC:CC

I hope these examples/info help you.