I have written an update to this post, which can be found here. It has better information, better filters, and a better attitude.

We’ve all seen the picture of the IDF which looks like a tornado has ripped through it, with cables hanging everywhere. Generally there are two reactions. The type A people in the room shudder and wonder how anyone could work in that environment. The type B people shrug, and think about all of the ways that it could be worse.

Sadly, we don’t always have control of the cable management in the places we work. Whether it is a customer’s site, or we have managers that don’t care about organization, we will eventually find ourselves entangled in cable, trying to trace a wire from patch-panel to switch.

What if it was easier than that? Anyone who has ever had the pleasure of using a Fluke Optiview, knows that it happily displays CDP info right there on the home screen. The problem there exist when management sees the price point of a Fluke Optiview and begins laughing uncontrollably. There is a better cheaper way though!

With the proper Wireshark filters, it’s quite easy to find the port ID using either CDP or LLDP for those non-Cisco devices.

The best CDP Wireshark filter that I have found and used for years is this:

ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x0000 && ether[19:1] == 0x0C && ether[20:2] == 0x2000

Sadly, I don’t remember where I found this, to give credit, it was a long time ago.

For LLDP, I’ve found a much simpler capture filter that seems to work well:

ether proto 0x88cc

Yes, that is it. I found this on Wireshark’s website.

Hopefully, this will help you like it has helped me to identify ports without doing the IDF Tango.