Notes and Ramblings

I found the detail on this in the article "Ethereal: Capturing only Cisco Discovery Protocol (CDP) Packets." but it applies directly to tcpdump or windump as well. Ethereal, tcpdump and windump all use the same underlying capabilities of the Berkeley Packet Filter language for filtering packets.
To capture a single CDP packet, type the following at a command-prompt (need root privileges):

tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

To break that down, we're

• running tcpdump (you can swap for windump if you like)
• not resolving dns or port numbers
• using verbose mode
• on the interface known as eth0
• snagging up to 1500 bytes of the packet
• counting one packet before exiting and (finally)
• checking bytes 20 and 21 from the start of the ethernet header for a value of 2000 (hex)

Now I know the discussion above gives a much longer expression, but in practice, I've never had a non-CDP packet match that 16-bit value.

For reference, the whole expression as presented at the linked page is:
ether[12:2] <= 1500 &&amp;amp;amp; ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x0000 && ether[19:1] == 0x0C && ether[20:2] == 0x2000

---

What kind of information can we get from this single packet?

• Hostname of the device
• IP address
• Interface
• IOS Version string
  
• Platform (a.k.a. model number)
• VTP Domain
• Native VLAN
• Duplex
• .. and more ..

Not bad for one packet, eh? With all the expoits against Cisco devices, it's easy to see why Cisco recommends disabling CDP on end-user access ports.