Saturday, Sep 20, 2008

Tcpdump Filter for CDP

Recently, on an engagement, I wanted to capture only Cisco Discovery Protocol (CDP) packets in order to passively enumerate Cisco equipment, so I decided to share the filter I used:

sudo tcpdump -nn -v -i en0 -s 1500 'ether[20:2] == 0x2000'
Password:
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 1500 bytes
18:41:35.971435 CDPv2, ttl: 180s, checksum: 692 (unverified), length 334
Device-ID (0x01), length: 8 bytes: 'ap1.home'
Version String (0x05), length: 231 bytes:
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JEB1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 20-Jul-07 20:51 by dchih
Platform (0x06), length: 26 bytes: 'cisco AIR-AP1230A-A-K9 '
Address (0x02), length: 13 bytes: IPv4 (1) 192.168.1.250
Port-ID (0x03), length: 13 bytes: 'FastEthernet0'
Capability (0x04), length: 4 bytes: (0x00000002): Transparent Bridge
Duplex (0x0b), length: 1 byte: full
power consumption (0x10), length: 2 bytes: 8.50W
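The filter works because the two bytes at Ethernet offset 20 are the SNAP protocol ID (6-byte destination MAC, 6-byte source MAC, 2-byte length, 3-byte LLC header and 3-byte SNAP OUI come before it), and 0x2000 is Cisco's PID for CDP. As an added example (my own Python, not code from the post), the script below applies the same offset-20 check to a raw frame and then decodes the TLVs that tcpdump -v prints; the sample frame is constructed to mirror the output above, not captured from a network.

```python
import struct
CDP_SNAP_PID = 0x2000   # the value the filter 'ether[20:2] == 0x2000' matches
PID_OFFSET = 20         # 6 dst MAC + 6 src MAC + 2 length + 3 LLC + 3 SNAP OUI = 20
TLV_NAMES = {0x01: "Device-ID", 0x02: "Address", 0x03: "Port-ID", 0x04: "Capability", 0x05: "Version String", 0x06: "Platform"}

def is_cdp(frame: bytes) -> bool:    # same check as the BPF filter
    return len(frame) >= PID_OFFSET + 6 and frame[PID_OFFSET:PID_OFFSET + 2] == b"\x20\x00"

def parse_cdp(frame: bytes) -> dict:  # decode what 'tcpdump -v' prints for one frame
    if not is_cdp(frame):
        raise ValueError("not a CDP frame")
    body = frame[PID_OFFSET + 2:]                 # CDP header follows the SNAP PID
    out = {"version": body[0], "ttl": body[1]}    # then a 2-byte checksum (not verified here)
    pos = 4
    while pos + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[pos:pos + 4])   # TLV length includes its 4-byte header
        if tlen < 4 or pos + tlen > len(body):
            break                                 # malformed TLV: stop rather than mis-read
        val = body[pos + 4:pos + tlen]
        name = TLV_NAMES.get(ttype, f"type-0x{ttype:02x}")
        if ttype in (0x01, 0x03, 0x05, 0x06):     # string-valued TLVs
            out[name] = val.decode("ascii", errors="replace")
        elif ttype == 0x04 and len(val) == 4:     # capability bitmask; 0x02 = Transparent Bridge
            out[name] = struct.unpack("!I", val)[0]
        elif ttype == 0x02:
            out[name] = parse_addresses(val)
        pos += tlen
    return out

def parse_addresses(val: bytes) -> list:  # count, then (proto type, proto len, proto, addr len, addr)
    count, pos, addrs = struct.unpack("!I", val[:4])[0], 4, []
    for _ in range(count):
        ptype, plen = val[pos], val[pos + 1]
        proto = val[pos + 2:pos + 2 + plen]
        alen = struct.unpack("!H", val[pos + 2 + plen:pos + 4 + plen])[0]
        addr = val[pos + 4 + plen:pos + 4 + plen + alen]
        if ptype == 1 and proto == b"\xcc" and alen == 4:   # NLPID 0xCC = IPv4
            addrs.append(".".join(str(b) for b in addr))
        pos += 4 + plen + alen
    return addrs

def _tlv(t: int, v: bytes) -> bytes:
    return struct.pack("!HH", t, len(v) + 4) + v
def build_sample() -> bytes:  # constructed frame (not a capture), modelled on the post's output
    addr = struct.pack("!I", 1) + b"\x01\x01\xcc" + struct.pack("!H", 4) + bytes([192, 168, 1, 250])
    cdp = (b"\x02\xb4\x00\x00" + _tlv(0x01, b"ap1.home") + _tlv(0x06, b"cisco AIR-AP1230A-A-K9 ")
           + _tlv(0x02, addr) + _tlv(0x03, b"FastEthernet0") + _tlv(0x04, b"\x00\x00\x00\x02"))
    llc_snap = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + struct.pack("!H", CDP_SNAP_PID)   # DSAP/SSAP/ctrl, Cisco OUI, PID
    return bytes.fromhex("01000ccccccc" "000000000001") + struct.pack("!H", len(llc_snap) + len(cdp)) + llc_snap + cdp
```

Feeding real frames from a pcap (for example via a pcap reader's raw packet bytes) into parse_cdp gives a passive inventory of the devices, ports and management addresses advertised on the segment.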

I hope that it's useful to anyone who might need it during a pentest or troubleshooting a network.

Reader Comments (1)

Just wanted to say thanks for the info. I didn't use it for CDP, but for a few other protocols for my own personal pentest. I just changed the pattern it was looking for in the packets to match whatever type I was looking for.

Regards,

Kevin
