Filtering LLDP and CDP packets with Wireshark

I have written an update to this post, which can be found here. It has better information, better filters, and a better attitude.

We’ve all seen the picture of the IDF which looks like a tornado has ripped through it, with cables hanging everywhere. Generally there are two reactions. The type A people in the room shudder and wonder how anyone could work in that environment. The type B people shrug, and think about all of the ways that it could be worse.

Sadly, we don’t always have control of the cable management in the places we work. Whether it is a customer’s site, or we have managers that don’t care about organization, we will eventually find ourselves entangled in cable, trying to trace a wire from patch-panel to switch.

What if it was easier than that? Anyone who has ever had the pleasure of using a Fluke Optiview, knows that it happily displays CDP info right there on the home screen. The problem there exist when management sees the price point of a Fluke Optiview and begins laughing uncontrollably. There is a better cheaper way though!

With the proper Wireshark filters, it’s quite easy to find the port ID using either CDP or LLDP for those non-Cisco devices.

The best CDP Wireshark filter that I have found and used for years is this:

ether[12:2] <= 1500 && ether[14:2] == 0xAAAA && ether[16:1] == 0x03 && ether[17:2] == 0x0000 && ether[19:1] == 0x0C && ether[20:2] == 0x2000

Sadly, I don’t remember where I found this, to give credit, it was a long time ago.

For LLDP, I’ve found a much simpler capture filter that seems to work well:

ether proto 0x88cc

Yes, that is it. I found this on Wireshark’s website.

Hopefully, this will help you like it has helped me to identify ports without doing the IDF Tango.

4 thoughts on “Filtering LLDP and CDP packets with Wireshark

  1. I’m not sure what other info you might be interested in (capture-wise) but the following has always worked for me as a capture filter that only shows CDP:
    ether host 01:00:0c:cc:cc:cc

    As a post-capture filter, you can always type ‘cdp’ in the expression window as well.

    Full disclosure: These came from here: 🙂

  2. Pingback: Wireshark: Capture CDP and LLDP | It must be the network…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s