Handy tcpdump Expression to Gather CDP Information
Fri Aug 8th 2008, 12:48pm
This tcpdump command sniffs for the Cisco Discovery Protocol (CDP) packets that Cisco switches send out. It's a useful addition to your regular arsenal of pings and traceroutes when you're working on a system on a foreign network about which you were given little to no information. Oh, this assumes you have root access, of course. Change eth0 to match the network interface(s) you want to examine.

tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

The filter matches the SNAP protocol ID 0x2000 that CDP uses, which sits at bytes 20-21 of the Ethernet frame (after the 14-byte 802.3 header, the 3-byte LLC header and the 3-byte OUI), so only CDP announcements are captured. CDP packets offer some additional insight into the network you're on:
The information contained in CDP announcements varies by the type of device and the version of the operating system running on it. It includes the operating system version, hostname, every address for every protocol configured on the port where the CDP frame is sent (e.g. the IP address), the port identifier from which the announcement was sent, device type and model, duplex setting, VTP domain, native VLAN, power draw (for Power over Ethernet devices), and other device-specific information. Note that all of this is broadcast unauthenticated to whatever is plugged into the port, which is why hardening guides recommend disabling CDP on ports facing untrusted hosts.
Your tcpdump output might look something like this (IP address XX'd out):
14:42:57.087609 CDPv2, ttl: 180s, checksum: 692 (unverified), length 358
      Device-ID (0x01), length: 11 bytes: 'Public_DMZ'
      Address (0x02), length: 13 bytes: IPv4 (1) XXX.XXX.XX.X
      Port-ID (0x03), length: 16 bytes: 'FastEthernet0/21'
      Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
      Version String (0x05), length: 220 bytes:
        Cisco Internetwork Operating System Software
        IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
        Copyright (c) 1986-2002 by cisco Systems, Inc.
        Compiled Sun 24-Nov-02 23:31 by antonino
      Platform (0x06), length: 21 bytes: 'cisco WS-C2950G-24-EI'
      Protocol-Hello option (0x08), length: 32 bytes:
      VTP Management Domain (0x09), length: 0 byte: ''
1 packets captured
2 packets received by filter
0 packets dropped by kernel
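To show what the filter above actually tests and how the TLVs tcpdump prints are laid out on the wire, here is an added Python parser (not part of the original post) that applies the same SNAP PID check as 'ether[20:2] == 0x2000' and decodes a constructed CDP frame. The MAC addresses, the 192.0.2.10 address and the VLAN number in the sample are made up; the checksum is not verified (tcpdump also reports it as unverified).

```python
import struct

CDP_MAC = bytes.fromhex("01000ccccccc")  # CDP multicast destination MAC

def is_cdp(frame: bytes) -> bool:
    # Same test as tcpdump's 'ether[20:2] == 0x2000': 14-byte 802.3 header,
    # 3-byte LLC (AA AA 03), 3-byte OUI (00 00 0C), then the 2-byte SNAP PID.
    return len(frame) >= 22 and frame[20:22] == b"\x20\x00"

TLV_NAMES = {0x01: "Device-ID", 0x02: "Address", 0x03: "Port-ID",
             0x04: "Capability", 0x05: "Version String", 0x06: "Platform",
             0x09: "VTP Management Domain", 0x0A: "Native VLAN ID"}
# Capability bits as tcpdump names them (0x28 -> "L2 Switch, IGMP snooping")
CAPS = {0x01: "Router", 0x08: "L2 Switch", 0x10: "L3 capable", 0x20: "IGMP snooping"}

def parse_cdp(frame: bytes) -> dict:
    """Decode one CDP frame into {TLV name: value}; raises on malformed input."""
    if not is_cdp(frame):
        raise ValueError("not a CDP frame")
    body = frame[22:]                       # CDP header follows the SNAP PID
    version, ttl, _checksum = struct.unpack("!BBH", body[:4])
    out, pos = {"version": version, "ttl": ttl}, 4
    while pos + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[pos:pos + 4])
        if tlen < 4 or pos + tlen > len(body):   # length includes the 4-byte TLV header
            raise ValueError("malformed TLV")
        val, name = body[pos + 4:pos + tlen], TLV_NAMES.get(ttype, f"TLV 0x{ttype:02x}")
        if ttype == 0x02:   # count, then per address: proto type, proto len, proto, addr len, addr
            n, addrs, p = struct.unpack("!I", val[:4])[0], [], 4
            for _ in range(n):
                plen = val[p + 1]
                proto = val[p + 2:p + 2 + plen]
                alen = struct.unpack("!H", val[p + 2 + plen:p + 4 + plen])[0]
                addr = val[p + 4 + plen:p + 4 + plen + alen]
                addrs.append(".".join(map(str, addr)) if proto == b"\xcc" and alen == 4 else addr.hex())
                p += 4 + plen + alen
            out[name] = addrs
        elif ttype == 0x04:
            mask = struct.unpack("!I", val)[0]
            out[name] = [cap for bit, cap in CAPS.items() if mask & bit]
        elif ttype == 0x0A:
            out[name] = struct.unpack("!H", val)[0]
        else:
            out[name] = val.decode("ascii", "replace").rstrip("\x00")
        pos += tlen
    return out

def tlv(t: int, v: bytes) -> bytes:
    return struct.pack("!HH", t, len(v) + 4) + v

# Constructed sample frame (not a real capture): CDPv2, holdtime 180s, checksum left as 0.
_body = (struct.pack("!BBH", 2, 180, 0) + tlv(0x01, b"Public_DMZ")
         + tlv(0x02, struct.pack("!I", 1) + b"\x01\x01\xcc" + struct.pack("!H", 4) + bytes([192, 0, 2, 10]))
         + tlv(0x03, b"FastEthernet0/21") + tlv(0x04, struct.pack("!I", 0x28))
         + tlv(0x06, b"cisco WS-C2950G-24-EI") + tlv(0x0A, struct.pack("!H", 1)))
SAMPLE = (CDP_MAC + bytes.fromhex("0242ac110002") + struct.pack("!H", 8 + len(_body))
          + bytes.fromhex("aaaa03" "00000c" "2000") + _body)
```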



Visitor comments
On Mon Aug 11th 2008, 12:50pm, Oscar posted:
I tried this at my office and it only found my Cisco 7940 Series phone (which is technically a switch?). This was my output (OS X 10.5.4):

$ sudo tcpdump -nn -v -i en0 -s 1500 -c 1 'ether[20:2] == 0x2000'

tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 1500 bytes
11:46:33.265286 CDPv2, ttl: 180s, checksum: 692 (unverified), length 115
Device-ID (0x01), length: 15 bytes: 'SEPXX146XXXXXXX'
Address (0x02), length: 13 bytes: IPv4 (1) XX.XX.X.XXX
Port-ID (0x03), length: 6 bytes: 'Port 2'
Capability (0x04), length: 4 bytes: (0x00000090): L3 capable
Version String (0x05), length: 12 bytes:
P00307020200
Platform (0x06), length: 19 bytes: 'Cisco IP Phone 7940'
Native VLAN ID (0x0a), length: 2 bytes: 3
Duplex (0x0b), length: 1 byte: full
ATA-186 VoIP VLAN request (0x0e), length: 3 bytes: app 1, vlan 20
1 packets captured
440 packets received by filter
0 packets dropped by kernel

Does this mean that if there are other switches beyond my own switch (in this case the Cisco phone) I won't see them?



On Mon Aug 11th 2008, 2:05pm, Steve Kehlet posted:
Yup, that's exactly right.


On Wed Aug 27th 2008, 9:49am, Oscar posted:
Without some fancy scanning network tool, is there a way to go beyond the first switch I mentioned?


On Wed Aug 27th 2008, 9:50am, Oscar posted:
Sorry for the double-post... and quick question... you got any plans to add a "check to receive follow-ups" option on comments on your site?


On Wed Aug 27th 2008, 10:34am, Steve Kehlet posted:
Cisco switches can mirror remote ports ("remote SPAN"), so you can see traffic on other switches that way. You'll need administrative access to all switches in question, of course.

Yeah, I hope to get a whole new blog engine, Really Soon Now :-).




On Wed Aug 12th 2009, 12:24am, Visitor posted:
RE: the phone. Disconnect the phone, plug directly into the wall outlet.


On Tue Jul 6th 2010, 11:35am, Visitor posted:
Any way to do this with bonded interfaces to see where the physicals are connected?


On Fri Mar 11th 2011, 12:21am, d posted:
Late response, but, to the previous visitor... From Steve's example above, replace eth0 with bond0 (or whichever bond interface you want) and -c 1 with -c <number of bonded interfaces> and away you go: you capture one CDP packet per interface.


On Thu May 19th 2011, 3:13pm, -gre posted:
... unless of course, the bond is active/passive, in which case you have to fail over the bond and capture twice, i.e.

ifenslave -c bond0 <slave if 1>
tcpdump ...
ifenslave -c bond0 <slave if 2>
tcpdump ...



On Tue Oct 15th 2013, 7:59pm, Visitor posted:
responding to the last comment: or you can just individually tcpdump on each of the bonds' slaves.