Handy tcpdump Expression to Gather CDP Information
Fri Aug 8th 2008, 12:48pm
This
tcpdump command will sniff for Cisco switches'
Cisco Discovery Protocol
(CDP) packets. It's useful to add to your regular arsenal of pings and traceroutes if
you're working on a system on a foreign network of which you were given little to no
information. Oh, this assumes you have root access of course. Change
eth0
of course to match the network interface(s) you want to examine.
tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
CDP packets offer some additional insight to the network you're on:
The information contained in CDP announcements varies by the type of device and the
version of the operating system running on it. Information contained includes the
operating system version, hostname, every address for every protocol configured on the
port where CDP frame is sent eg. IP address, the port identifier from which the
announcement was sent, device type and model, duplex setting, VTP domain, native VLAN,
power draw (for Power over Ethernet devices), and other device specific information.
You
tcpdump output might look something like (IP address XX'd out):
14:42:57.087609 CDPv2, ttl: 180s, checksum: 692 (unverified), length 358
Device-ID (0x01), length: 11 bytes: 'Public_DMZ'
Address (0x02), length: 13 bytes: IPv4 (1) XXX.XXX.XX.X
Port-ID (0x03), length: 16 bytes: 'FastEthernet0/21'
Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch,
IGMP snooping
Version String (0x05), length: 220 bytes:
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1,
RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 24-Nov-02 23:31 by antonino
Platform (0x06), length: 21 bytes: 'cisco WS-C2950G-24-EI'
Protocol-Hello option (0x08), length: 32 bytes:
VTP Management Domain (0x09), length: 0 byte: ''
1 packets captured
2 packets received by filter
0 packets dropped by kernel
On Mon Aug 11th 2008, 12:50pm, Oscar posted:
I tried this at my office and it only found my Cisco 7940 Series phone
(which is technically a switch?). This was my output (OS X 10.5.4)
$ sudo tcpdump -nn -v -i en0 -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 1500
bytes
11:46:33.265286 CDPv2, ttl: 180s, checksum: 692 (unverified), length
115
Device-ID (0x01), length: 15 bytes: 'SEPXX146XXXXXXX'
Address (0x02), length: 13 bytes: IPv4 (1) XX.XX.X.XXX
Port-ID (0x03), length: 6 bytes: 'Port 2'
Capability (0x04), length: 4 bytes: (0x00000090): L3 capable
Version String (0x05), length: 12 bytes:
P00307020200
Platform (0x06), length: 19 bytes: 'Cisco IP Phone 7940'
Native VLAN ID (0x0a), length: 2 bytes: 3
Duplex (0x0b), length: 1 byte: full
ATA-186 VoIP VLAN request (0x0e), length: 3 bytes: app 1, vlan 20
1 packets captured
440 packets received by filter
0 packets dropped by kernel
Does this mean that if there are other switches beyond my own switch (in
this case the Cisco phone) I won't see them?
On Mon Aug 11th 2008, 2:05pm, Steve Kehlet posted:
Yup, that's exactly right.
On Wed Aug 27th 2008, 9:49am, Oscar posted:
without some fancy scanning network tool, is there a way to go beyond the
first switch I mentioned?
On Wed Aug 27th 2008, 9:49am, Oscar posted:
without some fancy scanning network tool, is there a way to go beyond the
first switch I mentioned?
On Wed Aug 27th 2008, 9:50am, Oscar posted:
Sorry for the double-post... and quick question... you got any plans to add
a "check to receive follow ups" to comments option on your
site?
On Wed Aug 27th 2008, 10:34am, Steve Kehlet posted:
Cisco switches can mirror remote ports ("remote SPAN"), so you
can see traffic on other switches that way. You'll need administrative
access to all switches in question, of course.
Yeah, I hope to get a whole new blog engine, Really Soon Now :-).
On Wed Aug 12th 2009, 12:24am, Visitor posted:
RE : the phone. Disconnect the phone, plug directly into the wall-outlet.
