Tag Archives: Network Analyzer

Wireshark network mapping – switch and port discovery with CDP (Cisco Discovery Protocol) or LLDP (Link Layer Discovery Protocol)

So you find yourself in a new network. The patch panels are a mess and you have a hard time to find the port and the switch you are connected to.
If this situation sounds familiar to you just head to http://www.wireshark.org/ and download this wonderful network protocol analyzer and lets get started.
After you managed to install Wireshark just fire up a capture session on your connected interface and filter by one of these strings: “cdp.version == 2” or “eth.type == 0x88cc”. As you can imagine the first one works only in Cisco La-La Land. Basically cisco switches send by default at an interval of 60 seconds multicast announcements (CDP packets) on each connected port to the multicast destination address 01-00-0c-cc-cc-cc. Connected devices that understand this protocol will store this information in an internal table that can be accessed via SNMP or Cisco CLI (show cdp neighbors).

The cool thing about this is that after you discover one switch and if the public SNMP community is active and accessible you can basically map not just your direct switch and port but all your surrounding switches. If you are up to it you can build your very own PERL discovery script based on this CPAN module.

Anyway, back to the Wireshark thing. Probably by the and of this article you managed to see those cool Cisco Discovery Protocol packets. In case you did not it means that:

  1. CDP is disabled on the switch  via cli: set cdp disable – but why !!! I wonder ? security ? or worse denial of service ? Get the facts at Cisco CDP vulnerabilty
  2. You are a fast reader and you did not wait more than 1 minute, please wait a little longer
  3. You are poor and don’t have a Cisco switch try the LLDP filter mentioned above
  4. Out of ideas – sorry

 

I will try to post some screenshots after I manage to sell one of my kidneys to buy a Cisco switch. Till then …