Steve's random ramblings and technical notes

Wednesday, July 20, 2005

Gimp Tutorials - Pixel2life.com

Tutorials on various effects and basic use of the Gimp - many from GimpTalk.com.

Monday, July 11, 2005

tcpdump filter for capturing only Cisco Discovery Protocol (CDP) Packets

I found the detail on this in the article "Ethereal: Capturing only Cisco Discovery Protocol (CDP) Packets." but it applies directly to tcpdump or windump as well. Ethereal, tcpdump and windump all use the same underlying capabilities of the Berkeley Packet Filter language for filtering packets.
To capture a single CDP packet, type the following at a command prompt (root privileges are needed):
tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
To break that down, we're Now I know the discussion above gives a much longer expression, but in practice, I've never had a non-CDP packet match that 16-bit value.
For reference, the whole expression as presented at the linked page is:
ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x0000 && ether[19:1] == 0x0C && ether[20:2] == 0x2000
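As an added example (not code from this post or the linked article), the following Python checks a raw frame against the same byte offsets as both filter expressions and then decodes the CDP header and string TLVs that follow. Both frames are constructed; the Ethernet II/IPv4 one shows why the short form can match a non-CDP frame: bytes 20-21 of such a frame are the IPv4 flags/fragment-offset field, which is exactly 0x2000 in the first fragment of a fragmented datagram, while the full expression rejects it because the type field 0x0800 exceeds 1500.

```python
import struct

# Byte offsets used by the BPF expression (802.3 frame + LLC/SNAP):
#   0-5 dst MAC, 6-11 src MAC, 12-13 802.3 length, 14 DSAP, 15 SSAP,
#   16 control, 17-19 SNAP OUI (00 00 0C = Cisco), 20-21 SNAP protocol ID
#   (0x2000 = CDP), 22.. CDP header (version, TTL, checksum) then TLVs.
CDP_TLV_NAMES = {0x0001: "Device ID", 0x0003: "Port ID",
                 0x0005: "Software Version", 0x0006: "Platform"}

def matches_full_filter(frame: bytes) -> bool:
    """Same test as the long expression from the linked page."""
    if len(frame) < 22:
        return False
    length = struct.unpack_from("!H", frame, 12)[0]
    return (length <= 1500 and frame[14:16] == b"\xaa\xaa" and frame[16] == 0x03
            and frame[17:19] == b"\x00\x00" and frame[19] == 0x0c
            and frame[20:22] == b"\x20\x00")

def matches_short_filter(frame: bytes) -> bool:
    """Same test as the shortened 'ether[20:2] == 0x2000'."""
    return len(frame) >= 22 and frame[20:22] == b"\x20\x00"

def parse_cdp(frame: bytes) -> dict:
    """Decode the CDP header and string TLVs of a frame that passes the full filter."""
    if not matches_full_filter(frame):
        raise ValueError("not an LLC/SNAP CDP frame")
    version, ttl, _checksum = struct.unpack_from("!BBH", frame, 22)
    info = {"version": version, "ttl": ttl}
    off = 26
    while off + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack_from("!HH", frame, off)
        if tlv_len < 4 or off + tlv_len > len(frame):
            raise ValueError("malformed TLV length")  # reject truncated or lying lengths
        value = frame[off + 4:off + tlv_len]
        name = CDP_TLV_NAMES.get(tlv_type, "type 0x%04x" % tlv_type)
        info[name] = value.decode("ascii", "replace") if tlv_type in CDP_TLV_NAMES else value.hex()
        off += tlv_len
    return info

def build_cdp_frame(device_id: bytes, port_id: bytes, platform: bytes) -> bytes:
    """Constructed sample 802.3/LLC/SNAP frame carrying CDPv2 (not a real capture)."""
    tlvs = b"".join(struct.pack("!HH", t, 4 + len(v)) + v
                    for t, v in ((0x0001, device_id), (0x0003, port_id), (0x0006, platform)))
    payload = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x20\x00" + struct.pack("!BBH", 2, 180, 0) + tlvs
    dst = bytes.fromhex("01000ccccccc")  # CDP multicast address
    src = bytes.fromhex("001122334455")  # made-up source MAC
    return dst + src + struct.pack("!H", len(payload)) + payload

# Constructed Ethernet II + IPv4 first fragment: bytes 20-21 (flags/fragment offset)
# are 0x2000, so the short filter matches it while the full filter does not.
IPV4_FIRST_FRAGMENT = bytes.fromhex("ffffffffffff" "001122334455" "0800"
                                    "4500003c1a2b" "2000" "40110000c0a80001c0a800ff") + b"\x00" * 30
```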

What kind of information can we get from this single packet?
Not bad for one packet, eh? With all the exploits against Cisco devices, it's easy to see why Cisco recommends disabling CDP on end-user access ports.
