CDP: Cisco Discovery Protocol
Introduction
Cisco Discovery Protocol (CDP) is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. CDP can also be used to show information about the interfaces your router uses.
This tutorial discusses the Cisco Discovery Protocol plugin cdpDecode. It supplies vital information for troubleshooting and reversing tasks.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow cdpDecode txtSink
...
BUILD SUCCESSFUL
If you have not created separate data and results directories yet, please do it now in another bash window; it makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: cdp_v2_voice.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing CDP traffic!
cdpDecode
vi src/cdpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define CDP_NADDR 5 // maximum number of IPv4 addresses
#define CDP_NMADDR 5 // maximum number of management addresses
#define CDP_NIPPG 5 // maximum number of IP prefix gateways
#define CDP_STRLEN 25 // maximum length of strings to store
#define CDP_LSTRLEN 100 // maximum length of long strings to store
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
/* No env / runtime configuration flags available for cdpDecode */
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
There are two string lengths because you might want more space for large fields, e.g. cdpSWVersion, but limit the memory wasted on small fields. You may reconfigure the lengths or the number of stored addresses per flow with t2conf, or just edit the file. We leave the default values for this tutorial. Now run t2 on the pcap:
t2 -r ~/data/cdp_v2_voice.pcap -w ~/results/ -s
Oops, only one packet in the flow; oh well, that was the only example I could find with some interesting voice content.
The end report gives an overview of the TLV (Type Length Value) types occurring in all CDP packets, in positional (log2) coding, i.e. each set bit stands for one TLV type:
tawk -V cdpTLVTypes=0x004c4f7e
The cdpTLVTypes column with value 0x004c4f7e is to be interpreted as follows:
bit | cdpTLVTypes | Description
=============================================================================
1 | 0x0000 0002 | Device ID
2 | 0x0000 0004 | Addresses
3 | 0x0000 0008 | Port ID
4 | 0x0000 0010 | Capabilities
5 | 0x0000 0020 | Software Version
6 | 0x0000 0040 | Platform
8 | 0x0000 0100 | Protocol Hello
9 | 0x0000 0200 | VTP Management Domain
10 | 0x0000 0400 | Native VLAN
11 | 0x0000 0800 | Duplex
14 | 0x0000 4000 | VoIP VLAN Query
18 | 0x0004 0000 | Trust Bitmap
19 | 0x0008 0000 | Untrusted Port CoS
22 | 0x0040 0000 | Management Address
So there is a lot of information in one packet. Pick one item, e.g. the capabilities.
The capabilities of the whole flow describe the device as an IGMP-capable switch:
tawk -V cdpCaps=0x00000028
The cdpCaps column with value 0x00000028 is to be interpreted as follows:
bit | cdpCaps | Description
=============================================================================
3 | 0x0000 0008 | Switch
5 | 0x0000 0020 | IGMP capable
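To make the positional coding concrete, here is a small CDP TLV walker, added for this tutorial and not part of cdpDecode or Tranalyzer: it parses a constructed CDP payload (version, TTL, checksum, TLVs), builds the same cdpTLVTypes and cdpCaps masks the plugin reports, and rejects malformed TLV lengths. The TLV and capability names come from the two tables above; the sample packet is constructed, modelled on the fields of the flow shown in this tutorial, and the checksum is not verified.

```python
import struct

# CDP TLV type codes; cdpTLVTypes sets bit <type> for every TLV seen (log2 coding)
TLV_NAMES = {0x01: "Device ID", 0x02: "Addresses", 0x03: "Port ID",
             0x04: "Capabilities", 0x05: "Software Version", 0x06: "Platform",
             0x08: "Protocol Hello", 0x09: "VTP Management Domain",
             0x0a: "Native VLAN", 0x0b: "Duplex", 0x0e: "VoIP VLAN Query",
             0x12: "Trust Bitmap", 0x13: "Untrusted Port CoS", 0x16: "Management Address"}
# Capability bits of the 4-byte Capabilities TLV value, keyed by bit position
CAP_NAMES = {0: "Router", 1: "TB Bridge", 2: "SR Bridge", 3: "Switch",
             4: "Host", 5: "IGMP capable", 6: "Repeater"}

def tlv(t, value):
    """Build one TLV: 2-byte type, 2-byte length (header bytes included), value."""
    return struct.pack("!HH", t, 4 + len(value)) + value

def parse_cdp(payload):
    """Parse a CDP payload (version, TTL, checksum, TLVs) into a flow-style summary."""
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    ver, ttl, _cksum = struct.unpack("!BBH", payload[:4])   # checksum not verified here
    out = {"cdpVer": ver, "cdpTTL": ttl, "cdpTLVTypes": 0, "cdpCaps": 0, "strings": {}}
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % off)
        t, length = struct.unpack("!HH", payload[off:off + 4])
        # a length below 4 would never advance; one past the buffer is a malformed packet
        if length < 4 or off + length > len(payload):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        val = payload[off + 4:off + length]
        out["cdpTLVTypes"] |= 1 << t          # positional coding, as in the cdpTLVTypes column
        if t == 0x04 and len(val) == 4:
            out["cdpCaps"] = struct.unpack("!I", val)[0]
        elif t in (0x01, 0x03, 0x05, 0x06, 0x09):
            out["strings"][TLV_NAMES[t]] = val.decode("ascii", "replace")
        off += length
    return out

def decode_bits(mask, table):
    """Names of the set bits of a positional mask, lowest bit first."""
    return [table.get(b, "bit %d" % b) for b in range(mask.bit_length()) if mask >> b & 1]

# Constructed sample payload (version 2, TTL 180), modelled on the tutorial's flow
SAMPLE = struct.pack("!BBH", 2, 180, 0) + b"".join([
    tlv(0x01, b"myswitch"), tlv(0x03, b"FastEthernet0/1"),
    tlv(0x04, struct.pack("!I", 0x28)), tlv(0x06, b"cisco WS-C2950-12"),
    tlv(0x0a, struct.pack("!H", 1)), tlv(0x09, b"MYDOMAIN")])
```

parse_cdp(SAMPLE) yields cdpTLVTypes 0x0000065a and cdpCaps 0x00000028, and decode_bits(0x004c4f7e, TLV_NAMES) reproduces the fourteen TLV names of the table above.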
You will also find these capabilities and TLV types in the flow file, using the same positional bit coding.
tcol ~/results/cdp_v2_voice_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto cdpStat cdpVer cdpTTL cdpTLVTypes cdpDevice cdpPlatform cdpSWVersion cdpPortID cdpCaps cdpDuplex cdpNVLAN cdpVoipVLAN cdpVTPMngmtDmn cdpMAddrs cdpAddrs cdpIPPref_cdr
A 1 0x0000000000000004 1367434758.755201000 1367434758.755201000 0.000000000 1 3 eth:llc:cdp 00:0b:be:18:9a:41 01:00:0c:cc:cc:cc 0x2000 - - "-" 0 - - "-" 0 0 0x21 2 180 0x004c4f7e myswitch "cisco WS-C2950-12" "Cisco Internetwork Operating System Software \nIOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12" FastEthernet0/1 0x00000028 0x02 1 10 MYDOMAIN 192.168.0.253 192.168.0.253
In packet mode you see the whole picture, including the raw l7Content:
tcol ~/results/cdp_v2_voice_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto cdpStat cdpVer cdpTTL cdpTLVTypes cdpDevice cdpPlatform cdpPortID cdpCaps cdpDuplex cdpNVLAN cdpVoipVLAN cdpVTPMngmtDmn cdpMAddrs cdpAddrs l7Content
1 1 0x0000000000000004 1367434758.755201000 0.000000000 0.000000000 0.000000000 3 eth:llc:cdp 00:0b:be:18:9a:41 01:00:0c:cc:cc:cc 0x2000 0x21 2 180 5632 myswitch cisco WS-C2950-12 FastEthernet0/1 0x00000028 0x02 1 10 MYDOMAIN 192.168.0.253 192.168.0.253 .......\fmyswitch.....................FastEthernet0/1...\b...(....Cisco Internetwork Operating System Software \nIOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)\nTechnical Support: http://www.cisco.com/techsupport\nCopyright (c) 1986-2010 by cisco Systems, Inc.\nCompiled Tue 26-Oct-10 10:35 by nburra....cisco WS-C2950-12.\b.$..\f............!............@....\t.\fMYDOMAIN.\n...............\n...........................
Try your own CDP traffic. Have fun!