Wednesday, March 22, 2017

Discover Switch Port Using tcpdump and wireshark

Discover the Switch Port to which the Server is Connected

A previous article, Advanced Linux Networking Tools, covered the basic usage of tcpdump and tshark to discover switch ports on a Cisco switch, but there are times a system may be connected to a different brand, or using a different protocol.  Also, wireshark is not always installed, so relying on tshark is not always the most convenient way to get the required info.

By default, Cisco uses a proprietary method of communication between switches and routers called Cisco Discovery Protocol (CDP).  There is another protocol called Link Layer Discovery Protocol (LLDP), which used by other brands, so it is useful to list other options.

Find switch information

First, use ifconfig to find the interface names.  Then, use tcpdump to listen for packets.  Optional:  write the packet capture output to a .cap file, and use tshark to read the output.

Cisco Discovery Protocol (CDP)

YOUR_INTERFACE=eth0
 tcpdump -n -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

Link Layer Discovery Protocol (LLDP)
YOUR_INTERFACE=eth0
 tcpdump -v -s 1500 -c 1 -i $YOUR_INTERFACE '(ether[12:2]=0x88cc)'

tcpdump -v -s 1500 -c 1 -i $YOUR_INTERFACE '(ether[12:2]=0x88cc)'  and ether dst 01:80:c2:00:00:0e

With Wireshark

sudo tcpdump -nv -c 1 -i eth0 -s 1500 '(ether[12:2]=0x88cc)' 

 sudo tcpdump -nv -c 1 -s 1500 -w /tmp/pkt1.cap -i bond1 '(ether[12:2]=0x88cc)'
  sudo tshark -V -r /tmp/pkt1.cap

Check LLDP on eth0
sudo tcpdump -nv -c 1 -i eth0 -s 1500 -w /tmp/pkt0.cap '(ether[12:2]=0x88cc)';sudo tshark -V -r /tmp/pkt0.cap

Limit Results by using egrep
sudo tcpdump -nv -c 1 -i eth0 -s 1500 -w /tmp/pkt0.cap '(ether[12:2]=0x88cc)';sudo tshark -V -r /tmp/pkt0.cap | egrep -i "Chassis Id: | Port Id: | System Name = |port Description ="


 Without Wireshark


CDP
 sudo  tcpdump -n -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
 sudo  tcpdump -n -v -i bond1 -s 1500 -c 1 'ether[20:2] == 0x2000'

LLDP
 sudo tcpdump -nv -c 1 -i eth0 -s 1500 '(ether[12:2]=0x88cc)'
 sudo  tcpdump -n -v -i bond1 -s 1500 -c 1  '(ether[12:2]=0x88cc)'

Sometimes, a little patience is required.  After all, tcpdump is listening for packets, so it may take a minute, or so for a packet to show up on the interface of interest.  Also, if the interface is bonded, then bond0 may be the name of the interface to use instead of something like eth0.

Bash One-Liners for Ping

Here are a few notes to add to the previous article on ping. This time, we look at some bash one-liner tips and tricks. Combine multiple commands Return Values Ping Multiple Hosts Using Bash Nmap and Fping

Ping, and Command Line Variables

Start from the beginning. We want to see what happens when attempting to ping a host that resolves an IP address from DNS, but is not reachable from our network at the moment. This is to show how we might build a simple monitoring tool from scratch, and also to see what kind of fun we can have with the command line. To ping a host only one time use the count option, which in Windows is -n, and in Linux is -c.

Windows

C:\>set host=google.com

C:\>ping -n 1 %host%

Pinging google.com [216.58.219.46] with 32 bytes of data:
Request timed out.

Ping statistics for 216.58.219.46:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Bash: Linux, Mac, Unix

Note that in bash, we don't use the set command to assign a variable, but we may want to use export. So we could use:
host=google.com
ping -c 1 $host
Or with export:
export host=google.com
ping -c 1 $host
The only difference should be that the variable is still available in a sub shell, if we use export. With both lines combined, use a semicolon.
host=google.com;ping -c 1 $host

Return Codes

Remember that commands will return a result that is placed in the $? variable, which can be used later in our script. Return codes for ping:
 0 = success (host is up)
 1 = ping failed (host is down)
 2 = unknown host (host is not in DNS)
To see how this works with an unknown host, run these two commands. First, ping an non-existent host, and then echo the $? variable.
$ ping -c 1 xyz-nothing
ping: unknown host xyz-nothing
$ echo $?
2
The same thing, combined on one line, with a host variable:
$  host=xyz-nothing;ping -c 1 $host;echo $?
ping: unknown host xyz-nothing
2
If a ping check failed, then give the hostname, the return code, and the date and time.
$ host=google.com;ping -c 1 $host > /dev/null 2>&1; RESULT=$?;echo $host: $RESULT; if [ "$RESULT" != "0" ]; then date --rfc-3339=ns;fi
google.com: 1
2016-09-01 14:35:10.833175095-07:00
Or a simplified version, using the logical "or" double pipe "||", though we need the parentheses to run multiple commands
$ host=google.com;ping -c 1 $host > /dev/null 2>&1 || ( echo "$host $RESULT";date --rfc-3339=ns )                            
google.com 1
2016-09-01 14:35:31.012810392-07:00

Git Quick Start

When attempting to learn new tools, such as git, or vim, it is easy to get lost in all the features.  Here is a quick start guide that focuses on the essentials for a single user to get started with a local git repo.  Working with a team, and advanced features can be added later.

Git Quick Start Commands


Git Core Commands
  • git init
  • git add .
  • git commit -m “initial commit”
Supporting Commands
  • git status
  • git log
Remote Repository Commands
  • git clone [url]
  • git pull
  • git push

Git Notes on github goes into more detail

https://github.com/systemnotes/gitnotes