VTP: VLAN Trunking Protocol
Introduction
This tutorial discusses the plugin vtpDecode. VTP is a protocol for configuration and administration of VLANs in Cisco networks.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow vtpDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, do so now in another bash window; it makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: vtp.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing VTP traffic!
vtpDecode
Let’s look at the plugin configuration first:
vtpDecode
vi src/vtpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define VTP_AGGR 1 // Aggregate updater identity
#define VTP_SAVE 1 // Extract all VLANs info in a separate file
#define VTP_DEBUG 0 // Print debug messages
#define VTP_TS_FRMT 1 // Format for timestamps: 0: string, 1: timestamp
#define VTP_VLANID_FRMT 1 // Format for VLAN ID: 0: int, 1: hex
#define VTP_NUM_UPDID 16 // Max number of updater identity
#define VTP_STR_MAX 64 // Max length for strings
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
// The following flags require VTP_SAVE = 1
#define VTP_SUFFIX "_vtp.txt" // Suffix for separate file
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
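The flags above refer to fields of the VTP message itself: the updater identity (the IPv4 address of the switch that last changed the VLAN database), the update timestamp and the configuration revision number. To make those fields concrete, here is an added example in C that is not part of this tutorial and not the vtpDecode plugin's own code. It builds a constructed VTP v2 summary advertisement (domain "LAB1", revision 42, updater 192.168.1.1, a placeholder MD5 digest; none of this is captured traffic) and parses it back with explicit length checks, so a truncated message or an oversized domain-length byte is rejected instead of read out of bounds. All function and type names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* VTP message codes, as defined by the protocol */
#define VTP_CODE_SUMMARY 0x01
#define VTP_CODE_SUBSET  0x02
#define VTP_CODE_REQUEST 0x03
#define VTP_CODE_JOIN    0x04

/* Fixed field widths of a VTP v1/v2 summary advertisement */
#define VTP_DOMAIN_LEN 32   /* management domain name, zero padded */
#define VTP_TS_LEN     12   /* update timestamp, "yymmddhhmmss" */
#define VTP_MD5_LEN    16   /* MD5 digest over the VLAN database */
/* 4-byte common header + domain + config revision + updater identity + timestamp + MD5 = 72 */
#define VTP_SUMMARY_LEN (4 + VTP_DOMAIN_LEN + 4 + 4 + VTP_TS_LEN + VTP_MD5_LEN)

typedef struct {
    uint8_t  version;
    uint8_t  code;
    uint8_t  followers;                   /* number of subset advertisements that follow */
    char     domain[VTP_DOMAIN_LEN + 1];  /* NUL-terminated copy of the domain name */
    uint32_t config_rev;                  /* configuration revision number */
    uint32_t updater_id;                  /* IPv4 address of the updater, host byte order */
    char     timestamp[VTP_TS_LEN + 1];
    uint8_t  md5[VTP_MD5_LEN];
} vtp_summary_t;

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr32be(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse a summary advertisement. Returns 0 on success, a negative code on
 * malformed input; never reads beyond len bytes of buf. */
int vtp_parse_summary(const uint8_t *buf, size_t len, vtp_summary_t *out) {
    if (!buf || !out) return -1;
    if (len < 4) return -2;                    /* common header missing */
    if (buf[1] != VTP_CODE_SUMMARY) return -3; /* not a summary advertisement */
    if (len < VTP_SUMMARY_LEN) return -4;      /* truncated summary advertisement */
    const uint8_t dlen = buf[3];
    if (dlen > VTP_DOMAIN_LEN) return -5;      /* length byte larger than its field: reject */
    memset(out, 0, sizeof(*out));              /* also NUL-terminates domain and timestamp */
    out->version   = buf[0];
    out->code      = buf[1];
    out->followers = buf[2];
    memcpy(out->domain, buf + 4, dlen);        /* bounded by the check above */
    out->config_rev = rd32be(buf + 4 + VTP_DOMAIN_LEN);
    out->updater_id = rd32be(buf + 4 + VTP_DOMAIN_LEN + 4);
    memcpy(out->timestamp, buf + 4 + VTP_DOMAIN_LEN + 8, VTP_TS_LEN);
    memcpy(out->md5, buf + 4 + VTP_DOMAIN_LEN + 8 + VTP_TS_LEN, VTP_MD5_LEN);
    return 0;
}

/* Render the updater identity as a dotted quad, as a flow report would show it. */
void vtp_updater_str(uint32_t id, char *dst, size_t dstlen) {
    snprintf(dst, dstlen, "%u.%u.%u.%u", (unsigned)(id >> 24), (unsigned)((id >> 16) & 0xff),
             (unsigned)((id >> 8) & 0xff), (unsigned)(id & 0xff));
}

/* Build the constructed sample (not captured traffic): VTP v2, domain "LAB1",
 * revision 42, updater 192.168.1.1, timestamp 240101120000, placeholder digest.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t vtp_build_sample(uint8_t *buf, size_t len) {
    if (len < VTP_SUMMARY_LEN) return 0;
    memset(buf, 0, VTP_SUMMARY_LEN);
    buf[0] = 2; buf[1] = VTP_CODE_SUMMARY; buf[2] = 1; buf[3] = 4;
    memcpy(buf + 4, "LAB1", 4);
    wr32be(buf + 36, 42);
    wr32be(buf + 40, 0xC0A80101u);           /* 192.168.1.1 */
    memcpy(buf + 44, "240101120000", VTP_TS_LEN);
    for (int i = 0; i < VTP_MD5_LEN; i++) buf[56 + i] = (uint8_t)i; /* placeholder digest */
    return VTP_SUMMARY_LEN;
}

int main(void) {
    uint8_t pkt[VTP_SUMMARY_LEN];
    vtp_summary_t s;
    char ip[16];
    size_t n = vtp_build_sample(pkt, sizeof pkt);
    if (vtp_parse_summary(pkt, n, &s) != 0) return 1;
    vtp_updater_str(s.updater_id, ip, sizeof ip);
    printf("v%u domain=%s rev=%u updater=%s ts=%s\n", (unsigned)s.version, s.domain,
           (unsigned)s.config_rev, ip, s.timestamp);
    return 0;
}
```

The domain-length check is the part worth keeping in mind when reading any decoder of this format: the length byte is attacker-controlled on the wire, so it must be compared against the 32-byte field before it is used as a copy length.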
Run t2 on the supplied pcap.
t2 -r ~/data/vtp.pcap -w ~/results/
So the aggregated vtpStat with value 0x01 tells us there is VTP.
The vtpStat column with value 0x01 is to be interpreted as follows:
bit | vtpStat | Description
=============================================================================
0 | 0x01 | Flow is VTP
tcol ~/results/vtp_flows.txt
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf vtpDecode --reset && t2build vtpDecode
Have fun analyzing.