Skip to Content

Filtering CDP LLDP packets with Tcpdump

Tcpdump is a very powerful Linux command to capture packets. CDP and LLDP protocol can be used to get upstream switch info like vlan id, port info, switch name etc from Linux servers. We can use tcpdump command on Linux to filter these CDP or LLDP packets to get this info.

What is CDP and LLDP?

CDP stands for Cisco Discovery Protocol, which is a layer 2 protocol and is used to share information about other directly connected Cisco equipment (WikiPedia).
LLDP stands for Link Layer Discovery Protocol and replaces CDP. LLDP is a vendor neutral Data Link Layer protocol used by network devices for advertising of their identity, capabilities and neighbours (WikiPedia).
CDP usually runs on Cisco switches. LLDP is often what you will find running on non-Cisco switches and routers.
This is useful to find out what VLAN your network interface is connected to (assuming that your using tagged VLANS), or what port on uplink switch.

Get Your Free Linux training!

Join our free Linux training and discover the power of open-source technology. Enhance your skills and boost your career! Learn Linux for Free!

How to use tcpdump to capture CDP or LLDP packet?

# tcpdump -v -s 1500 -c 1 ‘(ether[12:2]=0x88cc or ether[20:2]=0x2000)’

How to use tcpdump to filter CDP packet?

This will often show you the uplink Cisco chassis switch info like the native vlan, port info, device name, serial name etc.

# tcpdump -v -s 1500 -c 1 ‘ether[20:2] == 0x2000’

## -s 1500 capture 1500 bytes of the packet (typical MTU size)
## ether[20:2] == 0x2000 – Capture only packets that are starting at byte 20, and have a 2 byte value of hex 2000

output:

tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 1500 bytes
08:50:11.768298 CDPv2, ttl: 180s, checksum: 0xb08a (unverified), length 271
    Device-ID (0x01), value length: 40 bytes: ‘test1-demo-sw28b.test.com(FDO2116225P)’
    Address (0x02), value length: 13 bytes: IPv4 (1) test1-demo-sw28b.test.com
    Port-ID (0x03), value length: 11 bytes: ‘Ethernet1/1’
    Capability (0x04), value length: 4 bytes: (0x00000229): Router, L2 Switch, IGMP snooping
    Version String (0x05), value length: 66 bytes: 
      Cisco Nexus Operating System (NX-OS) Software, Version 7.0(3)I6(1)
    Platform (0x06), value length: 15 bytes: ‘N9K-C9xx3180YC-EX’
    Native VLAN ID (0x0a), value length: 2 bytes: 985
    Duplex (0x0b), value length: 1 byte: full
    MTU (0x11), value length: 4 bytes: 1500 bytes
    System Name (0x14), value length: 17 bytes: ‘test1-demo-sw28b’
    System Object ID (not decoded) (0x15), value length: 14 bytes: 
      0x0000:  060c 2b06 0104 0109 0c03 0103 8e14
    Management Addresses (0x16), value length: 13 bytes: IPv4 (1) test1-demo-sw28b.test.com
    Physical Location (0x17), value length: 15 bytes: 0x00/test1

How to use tcpdump to capture LLDP packet?

# tcpdump -i eth0 -s 1500 -XX -c 1 ‘ether proto 0x88cc’

output:

tcpdump -nn -v -i p4p2 ether proto 0x88cc
tcpdump: WARNING: p4p2: no IPv4 address assigned
tcpdump: listening on p4p2, link-type EN10MB (Ethernet), capture size 65535 bytes
19:00:12.559556 LLDP, length 218
Chassis ID TLV (1), length 7
Subtype MAC address (4): f4:8e:38:28:b6:89
Port ID TLV (2), length 11
Subtype Interface Name (5): ethernet11
Time to Live TLV (3), length 2: TTL 120s
Port Description TLV (4), length 39: BCF Port ethernet11
System Name TLV (5), length 22: Switch01

Related post:

10 Useful Linux tcpdump command examples

20 Advanced Tcpdump Examples On Linux

Linux Tcpdump: Filter ipv6 ntp ping packets