tcpdump service-discovery

How to detect CDP with tcpdump


I would like to ask you for help: Does somebody know how to detect Cisco Discovery Protocol via tcpdump?

Currently I'm using the following command, but I'm not sure about it:

    tcpdump -i eth0 -nn "ether[20:2]==0x2000"

Some hints are appreciated. Thank you ...

Charkh


Solution

  • I normally use this filter:

    tcpdump -nvi bce0 -s 1500 ether dst 01:00:0c:cc:cc:cc
    

    Replace bce0 with your network interface.

    This will output the whole CDP information, received from either the switch or the host itself (if you have a cdpd running on the host).

    This will output Switch-Name, Port, Switch Type, Software, VLAN and so on...

    The output will look similar to this:

    $tcpdump -nvi bce0 -s 1500 ether dst 01:00:0c:cc:cc:cc
    tcpdump: WARNING: bce0: no IPv4 address assigned
    tcpdump: listening on bce0, link-type EN10MB (Ethernet), capture size 1500 bytes
    11:43:24.327197 DTPv1, length 39
        Domain TLV (0x0001) TLV, length 18, domain-internal
        Status TLV (0x0002) TLV, length 5, 0x81
        DTP type TLV (0x0003) TLV, length 5, 0xa5
        Neighbor TLV (0x0004) TLV, length 10, 6c:50:4d:06:64:01
    11:43:44.820865 CDPv2, ttl: 180s, checksum: 692 (unverified), length 477
        Device-ID (0x01), length: 40 bytes: 'my-switch.mydomain.net'
        Version String (0x05), length: 247 bytes:
          Cisco IOS Software, CBS30X0 Software (CBS30X0-IPBASEK9-M), Version 12.2(58)SE1, RELEASE SOFTWARE (fc1)
          Technical Support: http://www.cisco.com/techsupport
          Copyright (c) 1986-2011 by Cisco Systems, Inc.
          Compiled Thu 05-May-11 03:57 by prod_rel_team
        Platform (0x06), length: 20 bytes: 'cisco WS-CBS3020-HPQ'
        Address (0x02), length: 13 bytes: IPv4 (1) 1.2.3.4
        Port-ID (0x03), length: 18 bytes: 'GigabitEthernet0/1'
        Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
        Protocol-Hello option (0x08), length: 32 bytes:
        VTP Management Domain (0x09), length: 13 bytes: 'doman-internal'
        Native VLAN ID (0x0a), length: 2 bytes: 358
        Duplex (0x0b), length: 1 byte: full
        AVVID trust bitmap (0x12), length: 1 byte: 0x00
        AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
        Management Addresses (0x16), length: 13 bytes: IPv4 (1) [IP]
        unknown field type (0x1a), length: 12 bytes:
          0x0000:  0000 0001 0000 0000 ffff ffff
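Added example, not part of the answer above: a small Python decoder that shows what the two filters select. The destination MAC 01:00:0c:cc:cc:cc is shared by CDP, DTP, VTP and other Cisco link protocols (which is why the capture above also shows a DTPv1 frame), while the SNAP protocol ID at `ether[20:2]` (0x2000 for CDP) narrows it to CDP. The frames, MAC addresses and TLV values below are constructed, not taken from a real capture.

```python
import struct

CISCO_MCAST = bytes.fromhex("01000ccccccc")  # shared by CDP, DTP, VTP, PAgP, UDLD
CISCO_OUI = b"\x00\x00\x0c"
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}
CDP_TLV_NAMES = {0x01: "Device-ID", 0x03: "Port-ID", 0x05: "Version String", 0x06: "Platform", 0x0a: "Native VLAN ID"}

def classify_frame(frame):
    """Name the SNAP protocol of a Cisco multicast frame: 'ether dst 01:00:0c:cc:cc:cc'
    matches bytes 0-5, 'ether[20:2]' is the SNAP PID after LLC (14-16) and OUI (17-19)."""
    if len(frame) < 22 or frame[0:6] != CISCO_MCAST:
        return None
    if frame[14:17] != b"\xaa\xaa\x03" or frame[17:20] != CISCO_OUI:
        return None
    pid = struct.unpack("!H", frame[20:22])[0]
    return SNAP_PIDS.get(pid, "unknown-0x%04x" % pid)

def cdp_checksum(data):
    """Ones' complement sum of 16-bit words; 0 means valid. Cisco's odd-length quirk is not modelled."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff

def parse_cdp(frame):
    """Decode the CDP header and TLVs that follow the SNAP header (offset 22)."""
    payload = frame[22:]
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    tlvs, off = {}, 4
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4 or off + tlen > len(payload):
            raise ValueError("malformed CDP TLV at offset %d" % off)  # never over-read a bad length
        tlvs[CDP_TLV_NAMES.get(ttype, "type-0x%02x" % ttype)] = payload[off + 4:off + tlen]
        off += tlen
    return {"version": version, "ttl": ttl, "checksum_ok": cdp_checksum(payload) == 0, "tlvs": tlvs}

def build_cdp_frame(device_id, port_id, native_vlan):
    """Constructed sample CDPv2 frame (not a real capture) with the checksum filled in."""
    def tlv(t, v):
        return struct.pack("!HH", t, 4 + len(v)) + v
    body = tlv(0x01, device_id.encode()) + tlv(0x03, port_id.encode()) + tlv(0x0a, struct.pack("!H", native_vlan))
    cdp = struct.pack("!BBH", 2, 180, 0) + body          # version 2, ttl 180s, checksum placeholder
    cdp = cdp[:2] + struct.pack("!H", cdp_checksum(cdp)) + cdp[4:]
    snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", 0x2000)
    return CISCO_MCAST + bytes.fromhex("6c504d066401") + struct.pack("!H", len(snap) + len(cdp)) + snap + cdp
# A bare DTP frame: same destination MAC, different SNAP PID, so the MAC-only filter catches it as well.
DTP_FRAME = CISCO_MCAST + bytes(6) + struct.pack("!H", 8) + b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", 0x2004)
```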