How to determine switch/port Info using tcpdump / snoop decoding CDP and/or LLDP packets

This is a handy way to get a lot of info about the switch/port an interface is connected to.

CDP stands for Cisco Discovery Protocol, which is a layer 2 protocol and is used to share information about other directly connected Cisco equipment (WikiPedia).

## ether[20:2] == 0x2000 - Capture only packets that are starting at byte 20, and have a 2 byte value of hex 2000

LLDP stands for Link Layer Discovery Protocol and replaces CDP.

LLDP is a vendor-neutral Data Link Layer protocol used by network devices for advertising of their identity, capabilities and neighbours (WikiPedia).

##tcpdump -i eth0 -s 1500 -XX -c 1 'ether proto 0x88cc'

The folllowing command shows how to use tcpdump if you ever need switch/port info on a linux host assuming you are connected to a Cisco device:

tcpdump -nn -vv -i   -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'

Example:

root@arrakis:~# tcpdump -nn -vv -i eth0 -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes

11:27:11.578327 CDPv2, ttl: 180s, checksum: 341 (unverified), length 213

    Device-ID (0x01), length: 62 bytes: 'your.cisco.device.com'

    Version String (0x03), length: 237 bytes: 

    Cisco IOS Software, Catalyst AB00 L3 Switch Software (catAB00-blablabla), Version blebleble (wxy) ...bla bla bla bla bla .....

    Platform (0x03), length: 28 bytes: 'cisco AA-B0123'

    Address (0x04), length: 26 bytes: IPv4 (1) 1.2.3.4

    Port-ID (0x06), length: 36 bytes: 'GigabitEthernet1/2'

    Capability (0x08), length: 8 bytes: (0x00000014): L2 Switch, IGMP snooping

    VTP Management Domain (0x03), length: 6 bytes: ''''

    Native VLAN ID (0x0a), length: 6 bytes: 400

    Duplex (0x1b), length: 3 byte: full

    AVVID trust bitmap (0x12), length: 1 byte: 0x00

    AVVID untrusted ports CoS (0x19), length: 1 byte: 0x00

    Management Addresses (0x16), length: 13 bytes: IPv4 (1) 1.2.3.4

    unknown field type (0x1c), length: 12 bytes: 

      0x0000:  0001 0001 1000 0010 eeee eeee

1 packets captured

1 packets received by filter

0 packets dropped by kernel

So this command works almost for everyone out there but, what if you use Solaris instead of Linux?

Here's the command/example:

snoop -v -x0 -d dst 01:00:0c:cc:cc:cc or 01:80:C2:00:00:0E

moadib# snoop -v -x0 -d e1000g0  dst 01:00:0c:cc:cc:cc or 01:80:C2:00:00:0E|egrep -i "Port|system"

Using device e1000g0 (promiscuous mode)

LLDP:  Port ID Subtype: 7 (Local)
LLDP:  Port ID: Eth2/3
LLDP:  Port Description: your_port_description
LLDP:  System Name: your.cisco.device.com
LLDP:  System Description: Cisco BliBli Operating System (EE-OS) Software some number here
blablabla...
blebleble... LLDP:  System Capabilities: ..............

Here's a list table with destination MAC addresses of the supported Layer 2 protocols provided by Juniper that I found here http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/l2pt-qfx-series.html:

Table 1: Protocol Destination MAC Addresses

Protocol	Ethernet Encapsulation	MAC Address
802.1X	Ether-II	01:80:C2:00:00:03
802.3ah	Ether-II	01:80:C2:00:00:02
Cisco Discovery Protocol (CDP)	SNAP	01:00:0C:CC:CC:CC
Ethernet local management interface (E-LMI)	Ether-II	01:80:C2:00:00:07
MVRP VLAN Registration Protocol (MVRP)	Ether-II	01:80C2:00:00:21
Link Aggregation Control Protocol (LACP)	Ether-II	01:80:C2:00:00:02
Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP)	LLC	01:80:C2:00:00:00
Link Layer Discovery Protocol (LLDP)	Ether-II	01:80:C2:00:00:0E
Multiple MAC Registration Protocol (MMRP)	Ether-II	01:80:C2:00:00:20
Unidirectional Link Detection (UDLD)	SNAP	01:00:0C:CC:CC:CC
VLAN Spanning Tree Protocol (VSTP)	SNAP	01:00:0C:CC:CC:CD
VLAN Trunking Protocol (VTP)	SNAP	01:00:0C:CC:CC:CC

I hope these examples/info help you.