Filtering CDP LLDP packets with Tcpdump
Updated: Jun 7
Tcpdump is a powerful packet-capture command on Linux. CDP and LLDP announcements sent by the upstream switch carry information such as the native VLAN ID, the switch port the server is cabled to and the switch's name, and they arrive at the server's NIC without any access to the switch itself. We can use tcpdump on Linux to filter out just these CDP or LLDP frames and read that information.
What is CDP and LLDP?
CDP stands for Cisco Discovery Protocol, a Layer 2 protocol used to share information about directly connected Cisco equipment (Wikipedia). LLDP stands for Link Layer Discovery Protocol and is the vendor-neutral equivalent, standardised as IEEE 802.1AB: a Data Link Layer protocol used by network devices to advertise their identity, capabilities and neighbours (Wikipedia). CDP usually runs on Cisco switches; LLDP is what you will typically find on non-Cisco switches and routers, although many Cisco devices can run both. These announcements are useful for finding out which native (untagged) VLAN your network interface's port carries and which port on the uplink switch it is connected to. Keep in mind that the switch sends them to whatever is plugged into the port, so the same topology details are available to anyone who can connect there; this is why pentesters collect them during reconnaissance and why many sites disable CDP and LLDP on ports facing untrusted hosts.
How to use tcpdump to capture CDP or LLDP packet?
# tcpdump -v -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'
How to use tcpdump to filter CDP packet?
This will often show you the uplink Cisco switch's details: the native VLAN, the port you are connected to, the device name, the platform and serial number, and so on.
# tcpdump -v -s 1500 -c 1 'ether[20:2] == 0x2000'
## -s 1500: capture up to 1500 bytes of each frame (the typical Ethernet MTU) so the whole announcement is saved, not just the header
## -v: decode the CDP TLVs; without it tcpdump prints only the one-line summary
## -c 1: stop after the first match. CDP is advertised every 60 seconds by default, so the capture may wait up to a minute
## -i <interface>: pick the NIC to listen on; without it tcpdump uses the first interface it finds (bond0 in the output below)
## ether[20:2] == 0x2000: match frames whose two bytes at offset 20 equal 0x2000. CDP is carried in an 802.3 LLC/SNAP frame, so bytes 14-16 are AA AA 03, bytes 17-19 the Cisco OUI 00 00 0c and bytes 20-21 the SNAP protocol ID, which is 0x2000 for CDP (VTP and DTP use the same destination MAC with other IDs)
## To avoid matching unrelated frames that happen to carry 0x2000 at that offset, also require the CDP multicast destination: 'ether dst 01:00:0c:cc:cc:cc and ether[20:2] == 0x2000'
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 1500 bytes
08:50:11.768298 CDPv2, ttl: 180s, checksum: 0xb08a (unverified), length 271
    Device-ID (0x01), value length: 40 bytes: 'test1-demo-sw28b.test.com(FDO2116225P)'
    Address (0x02), value length: 13 bytes: IPv4 (1) test1-demo-sw28b.test.com
    Port-ID (0x03), value length: 11 bytes: 'Ethernet1/1'
    Capability (0x04), value length: 4 bytes: (0x00000229): Router, L2 Switch, IGMP snooping
    Version String (0x05), value length: 66 bytes: Cisco Nexus Operating System (NX-OS) Software, Version 7.0(3)I6(1)
    Platform (0x06), value length: 15 bytes: 'N9K-C9xx3180YC-EX'
    Native VLAN ID (0x0a), value length: 2 bytes: 985
    Duplex (0x0b), value length: 1 byte: full
    MTU (0x11), value length: 4 bytes: 1500 bytes
    System Name (0x14), value length: 17 bytes: 'test1-demo-sw28b'
    System Object ID (not decoded) (0x15), value length: 14 bytes:
      0x0000: 060c 2b06 0104 0109 0c03 0103 8e14
    Management Addresses (0x16), value length: 13 bytes: IPv4 (1) test1-demo-sw28b.test.com
    Physical Location (0x17), value length: 15 bytes: 0x00/test1
How to use tcpdump to capture LLDP packet?
# tcpdump -i eth0 -s 1500 -XX -c 1 'ether proto 0x88cc'
## ether proto 0x88cc: match on the LLDP EtherType at bytes 12-13 (the same test as ether[12:2] == 0x88cc)
## -XX: print each frame as a hex dump including the Ethernet header; add -v to have tcpdump decode the TLVs, as in the capture below. LLDP is advertised every 30 seconds by default
tcpdump -nn -v -i p4p2 ether proto 0x88cc
tcpdump: WARNING: p4p2: no IPv4 address assigned
tcpdump: listening on p4p2, link-type EN10MB (Ethernet), capture size 65535 bytes
19:00:12.559556 LLDP, length 218
    Chassis ID TLV (1), length 7
      Subtype MAC address (4): f4:8e:38:28:b6:89
    Port ID TLV (2), length 11
      Subtype Interface Name (5): ethernet11
    Time to Live TLV (3), length 2: TTL 120s
    Port Description TLV (4), length 39: BCF Port ethernet11
    System Name TLV (5), length 22: Switch01
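To show why the two filters above work at those byte offsets, and what tcpdump is decoding in the CDP and LLDP captures, here is an added Python example (not part of the original post and not tcpdump's own code). It builds a CDP frame and an LLDP frame by hand from the field values shown in the captures, applies the page's BPF expression byte for byte, walks the TLVs the way tcpdump's -v output does, and includes a constructed decoy: an IPv4 first fragment, whose flags/fragment-offset word is 0x2000 at exactly frame bytes 20-21, so the bare ether[20:2] == 0x2000 test matches it while the tightened filter with the CDP destination MAC does not. The source MACs, the decoy frame and the zeroed CDP checksum are assumptions for the example only.

```python
"""Decode CDP and LLDP frames using the byte offsets the tcpdump filters rely on.
Constructed example: frames are built by hand from the captures on this page."""
import struct

CDP_MCAST = bytes.fromhex("01000ccccccc")   # destination MAC shared by CDP, VTP and DTP
LLDP_MCAST = bytes.fromhex("0180c200000e")  # LLDP nearest-bridge destination MAC
SNAP_CISCO = b"\xaa\xaa\x03" + bytes.fromhex("00000c")  # LLC + Cisco OUI, frame bytes 14-19
CDP_PID = b"\x20\x00"                       # SNAP protocol ID at bytes 20-21
LLDP_ETHERTYPE = b"\x88\xcc"                # EtherType at bytes 12-13
# TLV type codes, matching the (0x..) numbers in tcpdump's output
CDP_DEVICE_ID, CDP_PORT_ID, CDP_NATIVE_VLAN = 0x01, 0x03, 0x0A
LLDP_END, LLDP_CHASSIS_ID, LLDP_PORT_ID, LLDP_TTL, LLDP_SYSNAME = 0, 1, 2, 3, 5

def build_cdp(src_mac, tlvs):
    """802.3 frame: length at 12:2, LLC/SNAP at 14:8, then CDP header and TLVs."""
    body = bytes([2, 180, 0, 0])  # CDPv2, TTL 180s, checksum left zero (constructed)
    for t, v in tlvs:             # CDP TLV: type(2) length(2, includes header) value
        body += struct.pack("!HH", t, 4 + len(v)) + v
    payload = SNAP_CISCO + CDP_PID + body
    return CDP_MCAST + src_mac + struct.pack("!H", len(payload)) + payload

def build_lldp(src_mac, tlvs):
    """Ethernet II frame: EtherType 0x88cc at 12:2, then TLVs ending with the End TLV."""
    frame = LLDP_MCAST + src_mac + LLDP_ETHERTYPE
    for t, v in tlvs + [(LLDP_END, b"")]:  # LLDP TLV: 7-bit type, 9-bit length, value
        frame += struct.pack("!H", (t << 9) | len(v)) + v
    return frame

def bpf_match(frame, strict=False):
    """Mirror of '(ether[12:2]=0x88cc or ether[20:2]=0x2000)'. With strict=True the CDP
    branch also checks the CDP multicast MAC and Cisco SNAP header, which is what
    'ether dst 01:00:0c:cc:cc:cc and ether[20:2] == 0x2000' does in tcpdump."""
    if frame[12:14] == LLDP_ETHERTYPE:
        return "LLDP"
    snap_ok = frame[:6] == CDP_MCAST and frame[14:20] == SNAP_CISCO
    if frame[20:22] == CDP_PID and (snap_ok or not strict):
        return "CDP"
    return None

def parse_cdp(frame):
    """Walk the CDP TLVs after the 4-byte CDP header that starts at offset 22."""
    out, off = {}, 26
    while off + 4 <= len(frame):
        t, length = struct.unpack("!HH", frame[off:off + 4])
        if length < 4 or off + length > len(frame):
            raise ValueError("malformed CDP TLV length")  # never spin on a bad length
        v = frame[off + 4:off + length]
        if t == CDP_DEVICE_ID:
            out["device_id"] = v.decode()
        elif t == CDP_PORT_ID:
            out["port_id"] = v.decode()
        elif t == CDP_NATIVE_VLAN:
            out["native_vlan"] = struct.unpack("!H", v)[0]
        off += length
    return out

def parse_lldp(frame):
    """Walk the LLDP TLVs after the 14-byte Ethernet header until the End TLV."""
    out, off = {}, 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, length = hdr >> 9, hdr & 0x1FF
        v = frame[off + 2:off + 2 + length]
        if len(v) != length:
            raise ValueError("truncated LLDP TLV")
        if t == LLDP_END:
            break
        if t == LLDP_CHASSIS_ID and v[0] == 4:   # subtype 4 = MAC address
            out["chassis_mac"] = v[1:].hex(":")
        elif t == LLDP_PORT_ID and v[0] == 5:    # subtype 5 = interface name
            out["port_id"] = v[1:].decode()
        elif t == LLDP_TTL:
            out["ttl"] = struct.unpack("!H", v)[0]
        elif t == LLDP_SYSNAME:
            out["system_name"] = v.decode()
        off += 2 + length
    return out

def decode(frame):
    """Classify with the strict filter, then decode the matching protocol's TLVs."""
    kind = bpf_match(frame, strict=True)
    parser = {"CDP": parse_cdp, "LLDP": parse_lldp}.get(kind)
    return kind, (parser(frame) if parser else {})

SWITCH_MAC = bytes.fromhex("f48e3828b689")  # chassis MAC from the LLDP capture above
CDP_FRAME = build_cdp(SWITCH_MAC, [(CDP_DEVICE_ID, b"test1-demo-sw28b"),
                                   (CDP_PORT_ID, b"Ethernet1/1"),
                                   (CDP_NATIVE_VLAN, struct.pack("!H", 985))])
LLDP_FRAME = build_lldp(SWITCH_MAC, [(LLDP_CHASSIS_ID, b"\x04" + SWITCH_MAC),
                                     (LLDP_PORT_ID, b"\x05ethernet11"),
                                     (LLDP_TTL, struct.pack("!H", 120)),
                                     (LLDP_SYSNAME, b"Switch01")])
# Constructed decoy: an IPv4 first fragment. Its flags/fragment-offset word (MF set,
# offset 0) is 0x2000 at IP bytes 6-7 = frame bytes 20-21, so ether[20:2] alone matches it.
IP_FRAG_FRAME = (bytes.fromhex("001122334455") + SWITCH_MAC + b"\x08\x00"
                 + bytes.fromhex("4500003c00012000401100000a0000010a000002")).ljust(60, b"\x00")

if __name__ == "__main__":
    for name, f in (("cdp", CDP_FRAME), ("lldp", LLDP_FRAME), ("ipfrag", IP_FRAG_FRAME)):
        print(name, "page filter:", bpf_match(f), "strict decode:", decode(f))
```

Running it prints the page's filter classifying the decoy fragment as CDP while the strict decode returns nothing for it and returns the device ID, port and native VLAN 985 for the CDP frame and the chassis MAC, port and system name for the LLDP frame. The same offsets are why the filters break on 802.1Q-tagged frames: a VLAN tag at bytes 12-15 shifts everything by four bytes, and tcpdump's 'vlan and ...' prefix is needed to match those.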