Discover the Switch Port to which the Server is Connected
A previous article, Advanced Linux Networking Tools, covered the basic usage of tcpdump and tshark to discover switch ports on a Cisco switch, but there are times a system may be connected to a different brand, or using a different protocol. Also, Wireshark is not always installed, so relying on tshark is not always the most convenient way to get the required info.
By default, Cisco uses a proprietary method of communication between switches and routers called Cisco Discovery Protocol (CDP). There is another protocol called Link Layer Discovery Protocol (LLDP), which is used by other brands, so it is useful to list other options.
Find switch information
First, use ifconfig to find the interface names. Then, use tcpdump to listen for packets. Optional: write the packet capture output to a .cap file, and use tshark to read the output.
Cisco Discovery Protocol (CDP)
YOUR_INTERFACE=eth0
tcpdump -n -v -i $YOUR_INTERFACE -s 1500 -c 1 'ether[20:2] == 0x2000'
Link Layer Discovery Protocol (LLDP)
YOUR_INTERFACE=eth0
tcpdump -v -s 1500 -c 1 -i $YOUR_INTERFACE '(ether[12:2]=0x88cc)'
tcpdump -v -s 1500 -c 1 -i $YOUR_INTERFACE '(ether[12:2]=0x88cc) and ether dst 01:80:c2:00:00:0e'
With Wireshark
sudo tcpdump -nv -c 1 -i eth0 -s 1500 '(ether[12:2]=0x88cc)'
sudo tcpdump -nv -c 1 -s 1500 -w /tmp/pkt1.cap -i bond1 '(ether[12:2]=0x88cc)'
sudo tshark -V -r /tmp/pkt1.cap
Check LLDP on eth0
sudo tcpdump -nv -c 1 -i eth0 -s 1500 -w /tmp/pkt0.cap '(ether[12:2]=0x88cc)';sudo tshark -V -r /tmp/pkt0.cap
Limit Results by using egrep
sudo tcpdump -nv -c 1 -i eth0 -s 1500 -w /tmp/pkt0.cap '(ether[12:2]=0x88cc)'; sudo tshark -V -r /tmp/pkt0.cap | egrep -i "Chassis Id:|Port Id:|System Name|Port Description"
Without Wireshark
CDP
sudo tcpdump -n -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
sudo tcpdump -n -v -i bond1 -s 1500 -c 1 'ether[20:2] == 0x2000'
LLDP
sudo tcpdump -nv -c 1 -i eth0 -s 1500 '(ether[12:2]=0x88cc)'
sudo tcpdump -n -v -i bond1 -s 1500 -c 1 '(ether[12:2]=0x88cc)'
Sometimes, a little patience is required. After all, tcpdump is listening for packets, so it may take a minute or so for a packet to show up on the interface of interest. Also, if the interface is bonded, then bond0 may be the name of the interface to use instead of something like eth0.
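When tshark is not installed, a capture written with -w can still be decoded directly, because LLDP is a simple sequence of type/length/value fields. The following is an added example, not part of the original article: the function names and the sample frame are constructed for illustration, and it assumes an untagged frame in a classic (non-pcapng) capture file.

```python
import struct

# TLV types from IEEE 802.1AB that identify the switch and the port
TLV_NAMES = {1: "chassis_id", 2: "port_id", 4: "port_description", 5: "system_name"}

def first_frame(pcap_bytes):
    """Return the first frame of a classic pcap file, as written by tcpdump -w."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 40:
        raise ValueError("not a classic pcap file with at least one record")
    # 24-byte file header, then a 16-byte record header whose third field is the captured length
    incl_len = struct.unpack(endian + "I", pcap_bytes[32:36])[0]
    return pcap_bytes[40:40 + incl_len]

def parse_lldp(frame):
    """Decode the identifying TLVs of one untagged LLDP Ethernet frame."""
    if len(frame) < 14 or frame[12:14] != b"\x88\xcc":
        raise ValueError("not an LLDP frame")
    info, pos = {}, 14
    while pos + 2 <= len(frame):
        header = struct.unpack("!H", frame[pos:pos + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
        value = frame[pos + 2:pos + 2 + length]
        if tlv_type == 0:  # End of LLDPDU
            break
        if len(value) < length:
            raise ValueError("truncated TLV")
        pos += 2 + length
        if tlv_type in (1, 2) and value:  # first value byte is the ID subtype
            subtype, body = value[0], value[1:]
            # chassis subtype 4 and port subtype 3 carry a MAC address
            is_mac = (tlv_type, subtype) in ((1, 4), (2, 3))
            info[TLV_NAMES[tlv_type]] = body.hex(":") if is_mac else body.decode("ascii", "replace")
        elif tlv_type in TLV_NAMES:
            info[TLV_NAMES[tlv_type]] = value.decode("utf-8", "replace")
    return info

def build_tlv(tlv_type, value):
    """Helper used only to assemble the constructed sample frame below."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

# Constructed sample (not a real capture): LLDP multicast destination, made-up switch values
SAMPLE = (bytes.fromhex("0180c200000e00112233445588cc")
          + build_tlv(1, b"\x04" + bytes.fromhex("001122334455"))
          + build_tlv(2, b"\x05Gi1/0/24") + build_tlv(3, b"\x00\x78")
          + build_tlv(4, b"uplink to server") + build_tlv(5, b"sw-example")
          + build_tlv(0, b""))
```

Against a real capture, call `parse_lldp(first_frame(open("/tmp/pkt0.cap", "rb").read()))`. LLDP frames are unauthenticated, so treat the decoded names as a hint from whatever device sent them rather than a verified identity.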