Tutorial: Cisco Discovery Protocol (CDP)

CDP layer 2 routing

Introduction

Cisco Discovery Protocol (CDP) is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. CDP can also be used to show information about the interfaces your router uses.

This tutorial discusses the Cisco Discovery Protocol plugin cdpDecode. It supplies vital information for troubleshooting and reversing tasks.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow cdpDecode txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do it now in another bash window; it makes the workflow easier:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: cdp_v2_voice.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing CDP traffic!

cdpDecode

vi src/cdpDecode.h

The different lengths are for short and long strings: you may want more space for large fields, e.g. cdpSWVersion, while limiting the memory wasted on small fields.

You may reconfigure lengths or the number of stored addresses per flow with t2conf or just edit the file. We leave it at the default values for this tutorial. Now run t2 on the pcap.

t2 -r ~/data/cdp_v2_voice.pcap -w ~/results/ -s

================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 20125
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: cdpDecode, 0.8.14
    03: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/cdp_v2_voice.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1367434758.755201 sec (Wed 01 May 2013 18:59:18 GMT)
Dump stop : 1367434758.755201 sec (Wed 01 May 2013 18:59:18 GMT)
Total dump duration: 0.000000 sec
Finished processing. Elapsed time: 0.010732 sec
Finished unloading flow memory. Time: 0.010796 sec
Percentage completed: 100.00%
Number of processed packets: 1
Number of processed bytes: 472
Number of raw bytes: 472
Number of pcap bytes: 512
Number of A packets: 1 [100.00%]
Number of A bytes: 472 [100.00%]
Average A packet load: 472.00
Average B packet load: 0.00
--------------------------------------------------------------------------------
cdpDecode: Aggregated cdpStat=0x21
cdpDecode: Aggregated cdpTLVTypes=0x004c4f7e
cdpDecode: Aggregated cdpCaps=0x00000028
cdpDecode: Number of CDP packets: 1 [100.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of LLC packets: 1 [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 1
Number of processed A flows: 1 [100.00%]
Number of request     flows: 1 [100.00%]
Total   A/B    flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed   packets/flows: 1.00
Number of processed A packets/flows: 1.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Max number of flows in memory: 1 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0000000000000004
[INF] Layer 2 flows

Oops, only one packet in the flow. Oh well, that was the only example I could find with some interesting voice content.

The end report supplies an overview of the Type-Length-Value (TLV) types occurring in all CDP packets, in bit-positional (log2) coding. Use tawk -V to decode the aggregated value:

tawk -V cdpTLVTypes=0x004c4f7e

The cdpTLVTypes column with value 0x004c4f7e is to be interpreted as follows:

   bit | cdpTLVTypes | Description
   =============================================================================
     1 | 0x0000 0002 | Device ID
     2 | 0x0000 0004 | Addresses
     3 | 0x0000 0008 | Port ID
     4 | 0x0000 0010 | Capabilities
     5 | 0x0000 0020 | Software Version
     6 | 0x0000 0040 | Platform
     8 | 0x0000 0100 | Protocol Hello
     9 | 0x0000 0200 | VTP Management Domain
    10 | 0x0000 0400 | Native VLAN
    11 | 0x0000 0800 | Duplex
    14 | 0x0000 4000 | VoIP VLAN Query
    18 | 0x0004 0000 | Trust Bitmap
    19 | 0x0008 0000 | Untrusted Port CoS
    22 | 0x0040 0000 | Management Address

That is a lot of information in one packet. Pick one item, e.g. the capabilities.

The capabilities aggregated over the whole flow describe the device as a switch that is IGMP capable:

tawk -V cdpCaps=0x00000028

The cdpCaps column with value 0x00000028 is to be interpreted as follows:

   bit | cdpCaps     | Description
   =============================================================================
     3 | 0x0000 0008 | Switch
     5 | 0x0000 0020 | IGMP capable

You will also find these caps and TLV types in the flow file, using the same bit-positional coding.
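The following is an added example, not code from Tranalyzer or this tutorial: it decodes the cdpTLVTypes and cdpCaps bit masks the way tawk -V does, using only the bit positions listed in the two tables above, and flags any bit the tables do not cover instead of dropping it.

```python
# Added example (not part of Tranalyzer): decode cdpDecode's bit-positional
# columns. Bit positions and names are taken from the tutorial's tables.

# cdpTLVTypes: bit position -> TLV name
CDP_TLV_TYPES = {
    1: "Device ID",
    2: "Addresses",
    3: "Port ID",
    4: "Capabilities",
    5: "Software Version",
    6: "Platform",
    8: "Protocol Hello",
    9: "VTP Management Domain",
    10: "Native VLAN",
    11: "Duplex",
    14: "VoIP VLAN Query",
    18: "Trust Bitmap",
    19: "Untrusted Port CoS",
    22: "Management Address",
}

# cdpCaps: bit position -> capability
CDP_CAPS = {
    3: "Switch",
    5: "IGMP capable",
}


def decode_bits(value, table):
    """Return the names of all set bits in value (int, or a string such as
    "0x004c4f7e" from the flow file or "5632" from the packet file)."""
    if isinstance(value, str):
        value = int(value, 0)  # base 0: accepts hex with 0x prefix or decimal
    names = []
    bit = 0
    while value >> bit:
        if (value >> bit) & 1:
            # Bits not documented in the table are reported, not silently lost
            names.append(table.get(bit, f"unknown bit {bit}"))
        bit += 1
    return names


def decode_tlv_types(value):
    return decode_bits(value, CDP_TLV_TYPES)


def decode_caps(value):
    return decode_bits(value, CDP_CAPS)


if __name__ == "__main__":
    # Values from the tutorial's end report
    print(decode_tlv_types("0x004c4f7e"))
    print(decode_caps("0x00000028"))
```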

tcol ~/results/cdp_v2_voice_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc      srcMac             dstMac             ethType  ethVlanID  srcIP  srcIPCC  srcIPOrg  srcPort  dstIP  dstIPCC  dstIPOrg  dstPort  l4Proto  cdpStat  cdpVer  cdpTTL  cdpTLVTypes  cdpDevice  cdpPlatform          cdpSWVersion                                                                                             cdpPortID        cdpCaps     cdpDuplex  cdpNVLAN  cdpVoipVLAN  cdpVTPMngmtDmn  cdpMAddrs      cdpAddrs       cdpIPPref_cdr
A     1        0x0000000000000004  1367434758.755201  1367434758.755201  0.000000  1           3        eth:llc:cdp  00:0b:be:18:9a:41  01:00:0c:cc:cc:cc  0x2000              -      -        "-"       0        -      -        "-"       0        0        0x21     2       180     0x004c4f7e   myswitch   "cisco WS-C2950-12"  "Cisco Internetwork Operating System Software \nIOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12"  FastEthernet0/1  0x00000028  0x02       1         10           MYDOMAIN        192.168.0.253  192.168.0.253

In packet mode you see everything, including the raw CDP payload in the l7Content column.

tcol ~/results/cdp_v2_voice_packets.txt

%pktNo  flowInd  flowStat            time               pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc      ethVlanID  srcMac             dstMac             ethType  srcIP  srcIPCC  srcIPOrg  srcPort  dstIP  dstIPCC  dstIPOrg  dstPort  l4Proto  cdpStat  cdpVer  cdpTTL  cdpTLVTypes  cdpDevice  cdpPlatform        cdpPortID        cdpCaps     cdpDuplex  cdpNVLAN  cdpVoipVLAN  cdpVTPMngmtDmn  cdpMAddrs      cdpAddrs       l7Content
1       1        0x0000000000000004  1367434758.755201  0.000000  0.000000  0.000000      3        eth:llc:cdp             00:0b:be:18:9a:41  01:00:0c:cc:cc:cc  0x2000                                                                                  0x21     2       180     5632         myswitch   cisco WS-C2950-12  FastEthernet0/1  0x00000028  0x02       1         10           MYDOMAIN        192.168.0.253  192.168.0.253  ........myswitch.....................FastEthernet0/1.......(....Cisco Internetwork Operating System Software \nIOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)\nTechnical Support: http://www.cisco.com/techsupport\nCopyright (c) 1986-2010 by cisco Systems, Inc.\nCompiled Tue 26-Oct-10 10:35 by nburra....cisco WS-C2950-12...$...............!............@....\t..MYDOMAIN.\n...............\n...........................

Try your own CDP traffic. Have fun!