CDP packets with tcpdump & tshark

CDP is a protocol that Cisco devices use to announce themselves to, and discover, one another. CDP packets are sent to a multicast address, and anyone on the network can listen to these packets and obtain detailed information about the running systems.

With CDP, information about a Cisco system such as the device's host address, IP address, interface information, detailed IOS information, platform information and VTP domain name can be obtained. You can capture CDP packets with tcpdump, tshark or a similar sniffer (network listener) program.

#tcpdump -nn -v -i rl0 -s 1500 -c 1 'ether[20:2] == 0x2000'

11:47:05.413153 CDPv2, ttl: 180s, checksum: 692 (unverified), length 364
Device-ID (0x01), length: 8 bytes: '3548-700'
Address (0x02), length: 13 bytes: IPv4 (1) 2.1.94.2
Port-ID (0x03), length: 16 bytes: 'FastEthernet0/23'
Capability (0x04), length: 4 bytes: (0x0000000a): Transparent Bridge, L2 Switch
Version String (0x05), length: 231 bytes:
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.3)WC(1), MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Mon 30-Apr-01 07:51 by devgoyal
Platform (0x06), length: 17 bytes: 'cisco WS-C3548-XL'
Protocol-Hello option (0x08), length: 32 bytes:
VTP Management Domain (0x09), length: 7 bytes: 'aaabbbcccx'
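To audit exactly what a single CDP frame on a port discloses, the sketch below walks the frame layout that the capture filter relies on (802.3 header, LLC/SNAP with PID 0x2000 at bytes 20-21, then the CDP TLVs). It is an added example, not code from the original post; the function names are hypothetical, and the sample frame is constructed from the values in the tcpdump output above with a made-up source MAC and a zero checksum that is not verified.

```python
import struct

CDP_MCAST = bytes.fromhex("01000ccccccc")
SNAP_CDP = bytes.fromhex("aaaa0300000c2000")  # LLC + OUI + PID; PID is frame[20:22], i.e. ether[20:2]
TLV_NAMES = {1: "Device-ID", 2: "Address", 3: "Port-ID", 4: "Capability",
             5: "Version", 6: "Platform", 9: "VTP Management Domain"}
CAP_BITS = {0x01: "Router", 0x02: "Transparent Bridge", 0x04: "Source Route Bridge",
            0x08: "L2 Switch", 0x10: "Host", 0x20: "IGMP capable", 0x40: "Repeater"}

def ipv4_addresses(value):
    """Decode an Address TLV value; only NLPID/IP (0xcc) entries are returned."""
    out, pos = [], 4  # skip the 4-byte address count
    while pos + 2 <= len(value):
        plen = value[pos + 1]
        proto, pos = value[pos + 2:pos + 2 + plen], pos + 2 + plen
        alen = int.from_bytes(value[pos:pos + 2], "big")
        addr, pos = value[pos + 2:pos + 2 + alen], pos + 2 + alen
        if proto == b"\xcc" and len(addr) == 4:
            out.append(".".join(map(str, addr)))
    return out

def parse_cdp(frame):
    """Return the fields one CDP frame discloses, or None if it is not CDP."""
    if len(frame) < 26 or frame[:6] != CDP_MCAST or frame[14:22] != SNAP_CDP:
        return None
    info = {"version": frame[22], "ttl": frame[23]}  # checksum is not verified
    pos, end = 26, min(len(frame), 14 + int.from_bytes(frame[12:14], "big"))
    while pos + 4 <= end:
        tlv_type, tlv_len = struct.unpack("!HH", frame[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > end:
            break  # malformed or truncated TLV: stop rather than over-read
        value, name = frame[pos + 4:pos + tlv_len], TLV_NAMES.get(tlv_type, hex(tlv_type))
        if tlv_type == 4 and len(value) == 4:
            info[name] = [n for bit, n in CAP_BITS.items() if int.from_bytes(value, "big") & bit]
        elif tlv_type == 2:
            info[name] = ipv4_addresses(value)
        else:
            info[name] = value.decode("ascii", "replace")
        pos += tlv_len
    return info

def sample_frame():
    """Constructed frame reusing the values tcpdump printed above; checksum left 0."""
    tlv = lambda t, v: struct.pack("!HH", t, len(v) + 4) + v
    addr = struct.pack("!IBBBH", 1, 1, 1, 0xCC, 4) + bytes([2, 1, 94, 2])
    cdp = (bytes([2, 180, 0, 0]) + tlv(1, b"3548-700") + tlv(2, addr)
           + tlv(3, b"FastEthernet0/23") + tlv(4, struct.pack("!I", 0x0A))
           + tlv(6, b"cisco WS-C3548-XL"))
    return CDP_MCAST + bytes.fromhex("020000000001") + struct.pack("!H", 8 + len(cdp)) + SNAP_CDP + cdp
```

Calling parse_cdp(sample_frame()) returns the same Device-ID, address, port, capability and platform values that tcpdump prints for the frame above.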

With tshark you can obtain output that is more descriptive.

bt ~ # tshark -i eth1 -V -f "ether host 01:00:0c:cc:cc:cc"
Cisco Discovery Protocol
Version: 2
TTL: 180 seconds
Checksum: 0xd50d [incorrect, should be 0xd60b]
[Good: False]
[Bad : True]
Device ID: SMG1117N0XW(x9-User)
Type: Device ID (0x0001)
Length: 33
Device ID: SMG1117N0XW(Kx-User)
Addresses
Type: Addresses (0x0002)
Length: 17
Number of addresses: 1
IP address: x.x.x.x.
Protocol type: NLPID
Protocol length: 1
Protocol: IP
Address length: 4
IP address: x.x.x.x
Port ID: 9/11
Type: Port ID (0x0003)
Length: 8
Sent through Interface: x/11
Capabilities
Type: Capabilities (0x0004)
Length: 8
Capabilities: 0x0000002a
.... .... .... .... .... .... .... ...0 = Not a Router
.... .... .... .... .... .... .... ..1. = Is  a Transparent Bridge
.... .... .... .... .... .... .... .0.. = Not a Source Route Bridge
.... .... .... .... .... .... .... 1... = Is  a Switch
.... .... .... .... .... .... ...0 .... = Not a Host
.... .... .... .... .... .... ..1. .... = Is  IGMP capable
.... .... .... .... .... .... .0.. .... = Not a Repeater
Software Version
Type: Software version (0x0005)
Length: 102
Software Version: WS-C6509-E Software, Version McpSW: 8.5(8) NmpSW: 8.5(8)
Copyright (c) 1995-2006 by Cisco Systems
Platform: WS-C6509-E
Type: Platform (0x0006)
Length: 14
Platform: WS-C6509-E
VTP Management Domain:
Type: VTP Management Domain (0x0009)
Length: 4
VTP Management Domain:
Native VLAN: x
Type: Native VLAN (0x000a)
Length: 6
Native VLAN: x
Duplex: Full
Type: Duplex (0x000b)
Length: 5
Duplex: Full
VoIP VLAN Reply: xxx
Type: VoIP VLAN Reply (0x000e)
Length: 7
Data
Voice VLAN:xxx
Trust Bitmap: 0x00
Type: Trust Bitmap (0x0012)
Length: 5
Trust Bitmap: 00
Untrusted port CoS: 0x00
Type: Untrusted Port CoS (0x0013)
Length: 5
Untrusted port CoS: 00
System Name: x.x.x.x
Type: System Name (0x0014)
Length: 20
System Name: x.x.x.x
System Object Identifier
Type: System Object ID (0x0015)
Length: 14
System Object Identifier: 06082B0601040109052C
Management Addresses
Type: Management Address (0x0016)
Length: 17
Number of addresses: 1
IP address: x.x.x.x
Protocol type: NLPID
Protocol length: 1
Protocol: IP
Address length: 4
IP address: x.x.x.x
Location: x.x.x.x
Type: Location (0x0017)
Length: 20
UNKNOWN: 0x00
Location: x.x.x.x
Power Available: 7000 mW, 4294967295 mW
Type: Power Available (0x001a)
Length: 16
Request-ID: 0
Management-ID: 1
Power Available: 7000 mW
Power Available: 4294967295 mW

Frame 12 (327 bytes on wire, 327 bytes captured)
Arrival Time: Jan  6, 2009 11:09:47.458170000
[Time delta from previous captured frame: 60.087622000 seconds]
[Time delta from previous displayed frame: 60.087622000 seconds]
[Time since reference or first frame: 661.176321000 seconds]
Frame Number: 12
Frame Length: 327 bytes
Capture Length: 327 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:cdp:data]
IEEE 802.3 Ethernet
Destination: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
Address: CDP/VTP/DTP/PAgP/UDLD (01:00:0c:cc:cc:cc)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Cisco_:3e (00:1b:53::3e)
Address: Cisco_40:17:3e (00:1b:53:40:17:3e)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 313
Logical-Link Control
DSAP: SNAP (0xaa)
IG Bit: Individual
SSAP: SNAP (0xaa)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Organization Code: Cisco (0x00000c)
PID: CDP (0x2000)


1 Response to CDP packets with tcpdump & tshark

  1. zayıflama says:

    Good article. Thanks.
