A couple of years ago, I wrote a short piece about filtering CDP and LLDP packets using Wireshark. Since that time, I have simplified the way that I filter these packets, and based on feedback, and additional use of that information, I wanted to post an update. This will hopefully guide people to the best answer immediately.
CDP sends all packets to the L2 multicast address of 01:00:0C:CC:CC:CC. Therefore, our filter can be:
ether host 01:00:0c:cc:cc:cc
However, VTP (VLAN Trunking Protocol) also sends packets to this address. Since the default timer for VTP is 300 seconds, and the default timer for CDP is 60 seconds, this shouldn’t be an issue. Additionally, since VTP packets are only sent out trunk ports, if you see VTP packets on a port that a user should be connected to, you may have just found your problem.
Link Layer Discovery Protocol, AKA 802.1AB, is an IEEE standard. Cisco does not enable LLDP by default, but it can be turned on on your Cisco gear. HP, Juniper, Dell, and everyone else that I have ever worked with support LLDP by default. The L2 multicast address for LLDP is 01:80:C2:00:00:0E. However, LLDP has the benefit of a unique EtherType, 0x88cc. Based on that information, we can filter with either:
ether host 01:80:C2:00:00:0E
ether proto 0x88cc
The default timer for LLDP seems to vary across vendors, although 30 seconds is the default for Cisco and quite a few others.
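To see why the CDP capture filter above also catches VTP, here is an added Python example (not from the original post) that applies the two filters to constructed frames and then tells CDP and VTP apart by the SNAP protocol ID under Cisco's OUI (0x2000 for CDP, 0x2003 for VTP). The multicast MACs and EtherType are from the post; the source MAC and payloads are constructed placeholders.

```python
import struct

# Addresses and constants from the post (frames built below are constructed dummies)
CDP_VTP_MAC = bytes.fromhex("01000ccccccc")   # shared by CDP and VTP
LLDP_MAC = bytes.fromhex("0180c200000e")
LLDP_ETHERTYPE = 0x88CC
CISCO_OUI = bytes.fromhex("00000c")
# SNAP protocol IDs Cisco uses under OUI 00:00:0c
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP"}
LLC_SNAP_HDR = b"\xaa\xaa\x03"                # DSAP, SSAP, control

def ether_host(frame: bytes, mac: bytes) -> bool:
    """Mimic the capture filter 'ether host <mac>': source or destination matches."""
    return frame[0:6] == mac or frame[6:12] == mac

def ether_proto(frame: bytes, ethertype: int) -> bool:
    """Mimic the capture filter 'ether proto <type>'."""
    return struct.unpack("!H", frame[12:14])[0] == ethertype

def classify(frame: bytes) -> str:
    """Name the protocol in one raw Ethernet frame: CDP, VTP, LLDP or other."""
    if len(frame) < 14:
        return "other"
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len == LLDP_ETHERTYPE:
        return "LLDP"                         # Ethernet II frame with its own EtherType
    # CDP and VTP are 802.3 frames: length field, then LLC/SNAP with Cisco's OUI
    if type_or_len <= 1500 and frame[0:6] == CDP_VTP_MAC and len(frame) >= 22:
        if frame[14:17] == LLC_SNAP_HDR and frame[17:20] == CISCO_OUI:
            pid = struct.unpack("!H", frame[20:22])[0]
            return SNAP_PIDS.get(pid, "other")
    return "other"

def snap_frame(dst: bytes, src: bytes, pid: int, payload: bytes) -> bytes:
    """Build a constructed 802.3 + LLC/SNAP frame (payload is dummy data)."""
    body = LLC_SNAP_HDR + CISCO_OUI + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(body)) + body

SRC = bytes.fromhex("001122334455")          # constructed switch MAC
FRAMES = {
    "cdp": snap_frame(CDP_VTP_MAC, SRC, 0x2000, b"\x00" * 22),
    "vtp": snap_frame(CDP_VTP_MAC, SRC, 0x2003, b"\x00" * 22),
    "lldp": LLDP_MAC + SRC + struct.pack("!H", LLDP_ETHERTYPE) + b"\x00" * 22,
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(name, classify(frame), ether_host(frame, CDP_VTP_MAC), ether_proto(frame, LLDP_ETHERTYPE))
```

Once a capture is on disk, Wireshark's display filters `cdp` and `vtp` make the same split without any byte matching.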
If you are the roving type that walks out to the user's desk, Wireshark can be run as a portable app from a USB device.
Cisco IP Phones
Cisco IP Phones will send CDP packets out of the PC port. What good does this do? I don’t know. However, browse to the web page hosted on the phone and you can find the CDP and LLDP info on the Network Statistics > Network page.
Embarrassing story time. Like a lot of engineers, I regularly use Wireshark to look at packet captures from other devices. After doing this for months, I needed to use Wireshark on my local LAN port. I started by spending 20 minutes trying to figure out why I wasn’t seeing CDP packets. Of course, once I remembered that I had a local firewall to contend with, I quickly fixed the issue, and haven’t made that mistake since. Don’t make that mistake. Disable the local firewall.
Very much helped indeed. Thanks for posting.
Getting phones to forward CDP helps for UC or Contact Center applications that need to know to which phone the PC is connected (PCs discover the phone via CDP). Call center recording applications are a good example; Extension Mobility auto-login is another one.
Good to know Manny. Thanks!
Your previous post had a more complex filter for CDP. This one also catches VTP packets. Would the previous filtering help eliminate VTP packets?
It would, yes. Due to the timers for VTP, I’m not too concerned. You won’t be flooded by packets either way.
> can be ran
Nope. Can be *run*.