Wireshark: Capture CDP and LLDP

A couple of years ago, I wrote a short piece about filtering CDP and LLDP packets using Wireshark. Since then, I have simplified the way I filter these packets, and based on feedback and further use of that information, I wanted to post an update. Hopefully this will guide people to the best answer immediately.

CDP

CDP sends all of its packets to the L2 multicast address 01:00:0C:CC:CC:CC, so our capture filter can be:

ether host 01:00:0c:cc:cc:cc

However, VTP (VLAN Trunking Protocol) also sends its packets to this address. Since the default VTP advertisement timer is 300 seconds and the default CDP timer is 60 seconds, this shouldn't be an issue in practice. Additionally, since VTP packets are only sent out trunk ports, if you see VTP packets on a port that a user should be connected to, you may have just found your problem.

LLDP

Link Layer Discovery Protocol, AKA 802.1AB, is an IEEE standard. While Cisco doesn't support LLDP out of the box, it can be enabled on your Cisco gear. HP, Juniper, Dell, and everyone else that I have ever worked with support LLDP by default. The L2 multicast address for LLDP is 01:80:C2:00:00:0E. LLDP also has the benefit of a unique EtherType, 0x88cc. Based on that information, we can filter with either:

ether host 01:80:C2:00:00:0E

OR

ether proto 0x88cc

The default timer for LLDP seems to vary across vendors, although 30 seconds is the default for Cisco and quite a few others.
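As an added example that is not part of the original post, the following Python classifier applies the CDP and LLDP addresses and EtherType from the two sections above to raw Ethernet frames, and goes one step beyond the text by separating CDP from VTP on the shared multicast address using the SNAP protocol ID. The SNAP IDs (CDP 0x2000, VTP 0x2003), the equivalent `ether[20:2] == 0x2000` capture filter and the sample frames are my own additions, not something taken from the page.

```python
import struct

# Values from the text above: CDP/VTP multicast, LLDP multicast, LLDP EtherType.
# The SNAP protocol IDs (CDP 0x2000, VTP 0x2003) are not on the page; they are
# the standard Cisco SNAP assignments and are what separate CDP from VTP.
CDP_VTP_MAC = bytes.fromhex("01000ccccccc")
LLDP_MAC = bytes.fromhex("0180c200000e")
LLDP_ETHERTYPE = 0x88CC
CISCO_OUI = bytes.fromhex("00000c")
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP"}

def classify_frame(frame: bytes) -> str:
    """Name the discovery protocol carried by one raw Ethernet frame."""
    if len(frame) < 14:
        return "other"
    dst = frame[0:6]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    # LLDP is Ethernet II with its own EtherType (the 'ether proto 0x88cc' case).
    if type_or_len == LLDP_ETHERTYPE:
        return "LLDP"
    # CDP and VTP both go to 01:00:0C:CC:CC:CC as 802.3 frames: length field,
    # LLC (AA AA 03), SNAP (OUI 00:00:0C + 2-byte PID). Only the PID differs,
    # which is what the capture filter 'ether[20:2] == 0x2000' checks for CDP.
    if dst == CDP_VTP_MAC and type_or_len <= 1500 and len(frame) >= 22:
        llc, oui = frame[14:17], frame[17:20]
        pid = struct.unpack("!H", frame[20:22])[0]
        if llc == b"\xaa\xaa\x03" and oui == CISCO_OUI:
            return SNAP_PIDS.get(pid, "other-cisco-snap")
    return "other"

def count_by_protocol(frames) -> dict:
    """Tally frames per protocol; VTP showing up on an access port is the red flag."""
    counts = {}
    for frame in frames:
        name = classify_frame(frame)
        counts[name] = counts.get(name, 0) + 1
    return counts

def build_snap_frame(dst: bytes, src: bytes, pid: int, payload: bytes) -> bytes:
    """Constructed 802.3/LLC/SNAP frame of the shape CDP and VTP use."""
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + payload
    return dst + src + struct.pack("!H", len(body)) + body

SRC = bytes.fromhex("001122334455")  # constructed switch MAC address
SAMPLE_FRAMES = [  # constructed: one CDP, one VTP, one LLDP frame
    build_snap_frame(CDP_VTP_MAC, SRC, 0x2000, b"\x02\xb4\x00\x00"),
    build_snap_frame(CDP_VTP_MAC, SRC, 0x2003, b"\x01\x01\x00"),
    LLDP_MAC + SRC + struct.pack("!H", LLDP_ETHERTYPE) + b"\x02\x07\x04" + SRC,
]
```

Feed it the raw frames from a capture on an access port and a non-zero VTP count is exactly the misconfigured trunk the CDP section warns about.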

Wireshark Portable

If you are the roving type that walks out to the user's desk, Wireshark can be run as a portable app from a USB device.

Cisco IP Phones

Cisco IP Phones will send out CDP packets onto the PC port. What good does this do? I don't know. However, hit the webpage hosted on the phone and you can find the CDP and LLDP info on the Network Statistics > Network page.

Firewalls

Embarrassing story time. Like a lot of engineers, I regularly use Wireshark to look at packet captures from other devices. After doing this for months, I needed to use Wireshark on my local LAN port. I started by spending 20 minutes trying to figure out why I wasn’t seeing CDP packets. Of course, once I remembered that I had a local firewall to contend with, I quickly fixed the issue, and haven’t made that mistake since. Don’t make that mistake. Disable the local firewall.