How to determine switch/port Info using tcpdump / snoop decoding CDP and/or LLDP packets



This is a handy way to get a lot of info about the switch and port an interface is connected to, without logging into the switch. Keep in mind that everything you can read this way (device name, platform and software version, management IP, native VLAN) is equally readable by anyone else plugged into that port, which is why CDP/LLDP is normally disabled on untrusted edge ports.



CDP stands for Cisco Discovery Protocol, a layer 2 protocol used to share information between directly connected Cisco equipment (Wikipedia). It is carried in 802.3 frames with an LLC/SNAP header, which is what the tcpdump filter below relies on:

    ether[20:2] == 0x2000  - match frames whose two bytes at offset 20 equal hex 2000

After the 14-byte Ethernet header come the LLC bytes AA AA 03 (offsets 14-16) and the Cisco OUI 00 00 0C (offsets 17-19), so offset 20 holds the SNAP protocol ID, which is 0x2000 for CDP (VTP uses 0x2003 at the same offset). The filter does not check the LLC/SNAP bytes, so it also matches any other frame that happens to carry 0x2000 at offset 20, for example the first fragment of a fragmented IPv4 datagram (offset 20 is the IP flags/fragment-offset word there, and 0x2000 means "more fragments, offset 0"). Adding 'ether dst 01:00:0c:cc:cc:cc' to the expression tightens it.

LLDP stands for Link Layer Discovery Protocol; it is the vendor-neutral (IEEE 802.1AB) counterpart of CDP, and many switches run both.
LLDP is a vendor-neutral Data Link Layer protocol used by network devices for advertising their identity, capabilities and neighbours (Wikipedia). It travels in ordinary Ethernet II frames with EtherType 0x88cc, so it can be captured with:

    tcpdump -i eth0 -s 1500 -XX -c 1 'ether proto 0x88cc'



The following command shows how to use tcpdump if you ever need switch/port info on a Linux host. The filter matches either an LLDP frame (EtherType 0x88cc at offset 12) or a CDP frame (SNAP protocol ID 0x2000 at offset 20), so it works whether the switch speaks one or both:

tcpdump -nn -vv -i <interface> -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'

Because of -c 1 the command returns after the first matching frame. CDP is advertised every 60 seconds and LLDP every 30 seconds by default, so be prepared to wait up to a minute; -s 1500 makes sure the whole advertisement (which can be several hundred bytes) is captured, and -nn/-vv make tcpdump print every TLV.

Example:



root@arrakis:~# tcpdump -nn -vv -i eth0 -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'


tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
11:27:11.578327 CDPv2, ttl: 180s, checksum: 341 (unverified), length 213
    Device-ID (0x01), length: 62 bytes: 'your.cisco.device.com'
    Version String (0x03), length: 237 bytes: 
    Cisco IOS Software, Catalyst AB00 L3 Switch Software (catAB00-blablabla), Version blebleble (wxy) ...bla bla bla bla bla .....
    Platform (0x03), length: 28 bytes: 'cisco AA-B0123'
    Address (0x04), length: 26 bytes: IPv4 (1) 1.2.3.4
    Port-ID (0x06), length: 36 bytes: 'GigabitEthernet1/2'
    Capability (0x08), length: 8 bytes: (0x00000014): L2 Switch, IGMP snooping
    VTP Management Domain (0x03), length: 6 bytes: ''''
    Native VLAN ID (0x0a), length: 6 bytes: 400
    Duplex (0x1b), length: 3 byte: full
    AVVID trust bitmap (0x12), length: 1 byte: 0x00
    AVVID untrusted ports CoS (0x19), length: 1 byte: 0x00
    Management Addresses (0x16), length: 13 bytes: IPv4 (1) 1.2.3.4
    unknown field type (0x1c), length: 12 bytes: 
      0x0000:  0001 0001 1000 0010 eeee eeee
1 packets captured
1 packets received by filter
0 packets dropped by kernel
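The tcpdump filter above works purely on byte offsets, and the snoop filter further down works on destination MAC addresses. The following Python script is an added example (it is not part of the original post and not Cisco or tcpdump code) that decodes CDP and LLDP frames from raw Ethernet bytes using exactly those offsets, so you can see why `ether[12:2]` and `ether[20:2]` are the right places to look. The two discovery frames, the IPv4 fragment and every name, MAC and VLAN in them are constructed in the script for the demo; the CDP checksum is left at zero and is not verified, matching the "(unverified)" in the tcpdump output.

```python
"""Added example (not from the original post): decode CDP and LLDP frames from
raw Ethernet bytes, using the offsets of the tcpdump filter
'(ether[12:2]=0x88cc or ether[20:2]=0x2000)' and the multicast MACs of the
snoop filter. All frames, names and addresses below are constructed for the demo."""
import struct

LLDP_ETHERTYPE = b"\x88\xcc"
CDP_SNAP_PID = 0x2000                       # SNAP protocol ID for CDP (VTP is 0x2003)
CISCO_OUI = b"\x00\x00\x0c"
LLDP_DST = bytes.fromhex("0180c200000e")    # LLDP multicast destination
CDP_DST = bytes.fromhex("01000ccccccc")     # CDP/VTP/UDLD multicast destination

# CDP TLV type codes as defined by Cisco (subset).
CDP_TLV_NAMES = {0x01: "Device-ID", 0x02: "Address", 0x03: "Port-ID",
                 0x04: "Capability", 0x05: "Version String", 0x06: "Platform",
                 0x09: "VTP Management Domain", 0x0A: "Native VLAN ID",
                 0x0B: "Duplex", 0x16: "Management Addresses"}


def loose_filter_matches(frame: bytes) -> bool:
    """Literal equivalent of the tcpdump expression from the post."""
    return len(frame) >= 22 and (frame[12:14] == LLDP_ETHERTYPE or frame[20:22] == b"\x20\x00")


def classify(frame: bytes):
    """Return 'LLDP', 'CDP' or None; for CDP the full LLC/SNAP header is checked."""
    if len(frame) >= 14 and frame[12:14] == LLDP_ETHERTYPE:
        return "LLDP"
    # CDP: 802.3 length (12:14), LLC AA AA 03 (14:17), OUI 00 00 0C (17:20), PID (20:22)
    if (len(frame) >= 22 and frame[14:17] == b"\xaa\xaa\x03"
            and frame[17:20] == CISCO_OUI and frame[20:22] == struct.pack("!H", CDP_SNAP_PID)):
        return "CDP"
    return None


def parse_lldp(frame: bytes) -> dict:
    """Walk the LLDPDU after the Ethernet header: TLV header = 7-bit type, 9-bit length."""
    info, pdu, off = {}, frame[14:], 0
    while off + 2 <= len(pdu):
        hdr = struct.unpack("!H", pdu[off:off + 2])[0]
        t, ln = hdr >> 9, hdr & 0x1FF
        v = pdu[off + 2:off + 2 + ln]
        off += 2 + ln
        if t == 0:                                   # End of LLDPDU
            break
        if t == 1:
            info["chassis_id"] = (v[0], v[1:].hex())                   # subtype 4 = MAC
        elif t == 2:
            info["port_id"] = (v[0], v[1:].decode(errors="replace"))  # subtype 5 = ifName
        elif t == 3:
            info["ttl"] = struct.unpack("!H", v)[0]
        elif t == 4:
            info["port_desc"] = v.decode(errors="replace")
        elif t == 5:
            info["system_name"] = v.decode(errors="replace")
    return info


def parse_cdp(frame: bytes) -> dict:
    """Walk CDP TLVs after the 4-byte CDP header (version, TTL, checksum); the TLV
    length field includes its own 4-byte header. Checksum is not verified."""
    info, off = {"version": frame[22], "ttl": frame[23]}, 26
    while off + 4 <= len(frame):
        t, ln = struct.unpack("!HH", frame[off:off + 4])
        if ln < 4:                                   # malformed TLV: stop instead of looping
            break
        v = frame[off + 4:off + ln]
        off += ln
        name = CDP_TLV_NAMES.get(t, "unknown 0x%02x" % t)
        if t == 0x0A:
            info[name] = struct.unpack("!H", v)[0]
        elif t in (0x01, 0x03, 0x05, 0x06, 0x09):
            info[name] = v.decode(errors="replace")
        else:
            info[name] = v.hex()
    return info


# ---- constructed sample frames (made-up names, MACs and VLAN) ----
def _lldp_tlv(t, v):
    return struct.pack("!H", (t << 9) | len(v)) + v


def _cdp_tlv(t, v):
    return struct.pack("!HH", t, 4 + len(v)) + v


SRC = bytes.fromhex("020000000001")                  # locally administered, constructed
LLDP_FRAME = LLDP_DST + SRC + LLDP_ETHERTYPE + b"".join([
    _lldp_tlv(1, b"\x04" + SRC), _lldp_tlv(2, b"\x05GigabitEthernet1/2"),
    _lldp_tlv(3, struct.pack("!H", 120)), _lldp_tlv(4, b"uplink to arrakis"),
    _lldp_tlv(5, b"your.cisco.device.com"), _lldp_tlv(0, b"")])

_cdp_payload = (b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_SNAP_PID)
                + bytes([2, 180]) + b"\x00\x00"      # CDPv2, TTL 180s, checksum left zero
                + _cdp_tlv(0x01, b"your.cisco.device.com") + _cdp_tlv(0x03, b"GigabitEthernet1/2")
                + _cdp_tlv(0x06, b"cisco example-platform") + _cdp_tlv(0x0A, struct.pack("!H", 400)))
CDP_FRAME = CDP_DST + SRC + struct.pack("!H", len(_cdp_payload)) + _cdp_payload

# IPv4 first fragment: frame offset 20 is the IP flags/fragment-offset word, here 0x2000
# (MF set, offset 0), so the loose tcpdump test matches it although it is not CDP.
IPV4_FRAGMENT = (bytes.fromhex("020000000002") + SRC + b"\x08\x00"
                 + bytes.fromhex("4500003c1234200040110000") + bytes.fromhex("0a0000010a000002")
                 + b"\x00" * 40)

if __name__ == "__main__":
    for f in (LLDP_FRAME, CDP_FRAME, IPV4_FRAGMENT):
        kind = classify(f)
        print(kind, loose_filter_matches(f),
              parse_lldp(f) if kind == "LLDP" else parse_cdp(f) if kind == "CDP" else "not a discovery frame")
```

Run it as-is to see the three verdicts; to use it on real traffic, feed it the raw frame bytes from a `tcpdump -w` pcap (each packet record's payload starts at the destination MAC). The IPv4 fragment case is the reason to prefer `classify()`'s full LLC/SNAP check, or the destination-MAC filter snoop uses, over the bare `ether[20:2]=0x2000` test when you are scripting rather than eyeballing one packet.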


So this command works for almost everyone out there, but what if you use Solaris instead of Linux?

Here's the command/example. Instead of byte offsets, snoop filters on the two multicast destination MACs, 01:00:0c:cc:cc:cc for CDP and 01:80:c2:00:00:0e for LLDP; -x0 dumps the frame from offset 0 and -v prints the decoded TLVs:

snoop -v -x0 -d <interface> dst 01:00:0c:cc:cc:cc or 01:80:C2:00:00:0E

moadib# snoop -v -x0 -d e1000g0 dst 01:00:0c:cc:cc:cc or 01:80:C2:00:00:0E | egrep -i "Port|system"
Using device e1000g0 (promiscuous mode)
LLDP:  Port ID Subtype: 7 (Local)
LLDP:  Port ID: Eth2/3
LLDP:  Port Description: your_port_description
LLDP:  System Name: your.cisco.device.com
LLDP:  System Description: Cisco BliBli Operating System (EE-OS) Software some number here
blablabla...
blebleble...
LLDP:  System Capabilities: ..............


Here's a table with the destination MAC addresses of the Layer 2 protocols supported by Juniper's L2PT, which I found at http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/l2pt-qfx-series.html (handy when you need to build a destination-MAC filter like the snoop one above):

Table 1: Protocol Destination MAC Addresses

Protocol                                                   Ethernet Encapsulation   MAC Address
802.1X                                                     Ether-II                 01:80:C2:00:00:03
802.3ah                                                    Ether-II                 01:80:C2:00:00:02
Cisco Discovery Protocol (CDP)                             SNAP                     01:00:0C:CC:CC:CC
Ethernet local management interface (E-LMI)                Ether-II                 01:80:C2:00:00:07
Multiple VLAN Registration Protocol (MVRP)                 Ether-II                 01:80:C2:00:00:21
Link Aggregation Control Protocol (LACP)                   Ether-II                 01:80:C2:00:00:02
Spanning Tree Protocol (STP), Rapid Spanning Tree          LLC                      01:80:C2:00:00:00
Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)
Link Layer Discovery Protocol (LLDP)                       Ether-II                 01:80:C2:00:00:0E
Multiple MAC Registration Protocol (MMRP)                  Ether-II                 01:80:C2:00:00:20
Unidirectional Link Detection (UDLD)                       SNAP                     01:00:0C:CC:CC:CC
VLAN Spanning Tree Protocol (VSTP)                         SNAP                     01:00:0C:CC:CC:CD
VLAN Trunking Protocol (VTP)                               SNAP                     01:00:0C:CC:CC:CC

Note that CDP, UDLD and VTP share the same destination MAC, so a filter on 01:00:0C:CC:CC:CC alone can return a VTP or UDLD frame; they are told apart by the SNAP protocol ID at offset 20 (0x2000 for CDP).

I hope these examples/info help you.