Tcpdump is a very powerful Linux command to capture packets. CDP and LLDP protocol can be used to get upstream switch info like vlan id, port info, switch name etc from Linux servers. We can use tcpdump command on Linux to filter these CDP or LLDP packets to get this info.
Table of Contents
What is CDP and LLDP?
CDP stands for Cisco Discovery Protocol, which is a layer 2 protocol and is used to share information about other directly connected Cisco equipment (WikiPedia).
LLDP stands for Link Layer Discovery Protocol and replaces CDP. LLDP is a vendor neutral Data Link Layer protocol used by network devices for advertising of their identity, capabilities and neighbours (WikiPedia).
CDP usually runs on Cisco switches. LLDP is often what you will find running on non-Cisco switches and routers.
This is useful to find out what VLAN your network interface is connected to (assuming that your using tagged VLANS), or what port on uplink switch.
How to use tcpdump to capture CDP or LLDP packet?
# tcpdump -v -s 1500 -c 1 ‘(ether[12:2]=0x88cc or ether[20:2]=0x2000)’
How to use tcpdump to filter CDP packet?
This will often show you the uplink Cisco chassis switch info like the native vlan, port info, device name, serial name etc.
# tcpdump -v -s 1500 -c 1 ‘ether[20:2] == 0x2000’
## -s 1500 capture 1500 bytes of the packet (typical MTU size)
## ether[20:2] == 0x2000 – Capture only packets that are starting at byte 20, and have a 2 byte value of hex 2000
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 1500 bytes
08:50:11.768298 CDPv2, ttl: 180s, checksum: 0xb08a (unverified), length 271
Device-ID (0x01), value length: 40 bytes: ‘test1-demo-sw28b.test.com(FDO2116225P)’
Address (0x02), value length: 13 bytes: IPv4 (1) test1-demo-sw28b.test.com
Port-ID (0x03), value length: 11 bytes: ‘Ethernet1/1’
Capability (0x04), value length: 4 bytes: (0x00000229): Router, L2 Switch, IGMP snooping
Version String (0x05), value length: 66 bytes:
Cisco Nexus Operating System (NX-OS) Software, Version 7.0(3)I6(1)
Platform (0x06), value length: 15 bytes: ‘N9K-C9xx3180YC-EX’
Native VLAN ID (0x0a), value length: 2 bytes: 985
Duplex (0x0b), value length: 1 byte: full
MTU (0x11), value length: 4 bytes: 1500 bytes
System Name (0x14), value length: 17 bytes: ‘test1-demo-sw28b’
System Object ID (not decoded) (0x15), value length: 14 bytes:
0x0000: 060c 2b06 0104 0109 0c03 0103 8e14
Management Addresses (0x16), value length: 13 bytes: IPv4 (1) test1-demo-sw28b.test.com
Physical Location (0x17), value length: 15 bytes: 0x00/test1
How to use tcpdump to capture LLDP packet?
# tcpdump -i eth0 -s 1500 -XX -c 1 ‘ether proto 0x88cc’
tcpdump -nn -v -i p4p2 ether proto 0x88cc
tcpdump: WARNING: p4p2: no IPv4 address assigned
tcpdump: listening on p4p2, link-type EN10MB (Ethernet), capture size 65535 bytes
19:00:12.559556 LLDP, length 218
Chassis ID TLV (1), length 7
Subtype MAC address (4): f4:8e:38:28:b6:89
Port ID TLV (2), length 11
Subtype Interface Name (5): ethernet11
Time to Live TLV (3), length 2: TTL 120s
Port Description TLV (4), length 39: BCF Port ethernet11
System Name TLV (5), length 22: Switch01