Steve's random ramblings and technical notes

Monday, July 11, 2005

tcpdump filter for capturing only Cisco Discovery Protocol (CDP) Packets

I found the detail on this in the article "Ethereal: Capturing only Cisco Discovery Protocol (CDP) Packets." but it applies directly to tcpdump or windump as well. Ethereal, tcpdump and windump all use the same underlying capabilities of the Berkeley Packet Filter language for filtering packets.
To capture a single CDP packet, type the following at a command prompt (root privileges are required):
tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
To break that down, we're
Now I know the discussion above gives a much longer expression, but in practice, I've never had a non-CDP packet match that 16-bit value.
For reference, the whole expression as presented at the linked page is:
ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x0000 && ether[19:1] == 0x0C && ether[20:2] == 0x2000

What kind of information can we get from this single packet?
Not bad for one packet, eh? With all the exploits against Cisco devices, it's easy to see why Cisco recommends disabling CDP on end-user access ports.
Comments:
Awesome Tip. Works great, exactly what I needed. Thanks!!
 
I had several other packets matching the filter in a jboss cluster multicast scenario. I solved it by adding the cisco destination MAC.

tcpdump -nn -v -s 1500 -c 1 'ether[20:2] == 0x2000 and ether dst 01:00:0c:cc:cc:cc'
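Added example, not part of the post or the comments: a Python model of the three filters discussed here (the post's short one, the article's full expression, and the commenter's MAC-qualified one) applied to two constructed frames, plus a decoder for the CDP string TLVs that shows the kind of information one packet carries. The IPv4 frame illustrates one way the short filter produces false matches: in an Ethernet II/IPv4 frame, ether[20:2] lands on the IP flags/fragment-offset field, which reads 0x2000 for the first fragment of a fragmented datagram. All MACs, addresses and TLV strings below are made up.

```python
import struct

CDP_DST = bytes.fromhex("01000ccccccc")          # Cisco multicast MAC from the comment
CDP_SNAP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00"   # LLC AA AA 03, SNAP OUI 00000C, PID 0x2000

def short_filter(frame: bytes) -> bool:
    """'ether[20:2] == 0x2000' as used in the post."""
    return len(frame) >= 22 and frame[20:22] == b"\x20\x00"

def full_filter(frame: bytes) -> bool:
    """The complete expression quoted from the linked article."""
    return (len(frame) >= 22
            and struct.unpack("!H", frame[12:14])[0] <= 1500   # 802.3 length, not an EtherType
            and frame[14:22] == CDP_SNAP)                       # AA AA 03 00 00 0C 20 00

def comment_filter(frame: bytes) -> bool:
    """'ether[20:2] == 0x2000 and ether dst 01:00:0c:cc:cc:cc' from the comment."""
    return short_filter(frame) and frame[0:6] == CDP_DST

def cdp_text_tlvs(frame: bytes) -> dict:
    """Decode the string TLVs after the 4-byte CDP header (version, TTL, checksum)."""
    names = {1: "device_id", 3: "port_id", 5: "software_version", 6: "platform"}
    out, pos = {}, 22 + 4                      # Ethernet/LLC/SNAP (22) + CDP header (4)
    while pos + 4 <= len(frame):
        ttype, tlen = struct.unpack("!HH", frame[pos:pos + 4])
        if tlen < 4:                           # malformed TLV: stop instead of looping forever
            break
        if ttype in names:
            out[names[ttype]] = frame[pos + 4:pos + tlen].decode("ascii", "replace")
        pos += tlen
    return out

# --- constructed sample frames (not captures from the post) ---
def make_cdp_frame(src: bytes, tlvs) -> bytes:
    body = b"\x02\xb4\x00\x00"                 # CDPv2, TTL 180, checksum left zero (not verified here)
    body += b"".join(struct.pack("!HH", t, len(v) + 4) + v for t, v in tlvs)
    payload = CDP_SNAP + body
    return CDP_DST + src + struct.pack("!H", len(payload)) + payload

def make_ipv4_first_fragment(dst: bytes, src: bytes) -> bytes:
    # Ethernet II (EtherType 0x0800) + IPv4 header, MF flag set, fragment offset 0 -> bytes 20-21 = 0x2000
    ip = (b"\x45\x00\x05\xdc\x12\x34" + b"\x20\x00" + b"\x40\x11\x00\x00"
          + b"\x0a\x00\x00\x01" + b"\xef\x01\x02\x03")   # UDP, 10.0.0.1 -> 239.1.2.3
    return dst + src + b"\x08\x00" + ip

CDP_FRAME = make_cdp_frame(bytes.fromhex("0011223344ff"),
                           [(1, b"sw-core-1"), (3, b"GigabitEthernet1/0/1"), (6, b"cisco WS-C3750")])
FRAG_FRAME = make_ipv4_first_fragment(bytes.fromhex("01005e010203"), bytes.fromhex("0011223344ee"))
```

The fragment frame passes the short filter but fails both the full expression and the MAC-qualified one, which is why either addition removes the commenter's false positives.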
 