Tutorial: Link Layer Discovery Protocol (LLDP)
Contents
This tutorial discusses the plugin lldpDecode. It supplies vital information for troubleshooting and security related issues.
Preparation
Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.
First I recommend to set T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins and compile the standard plugins. Just as a precaution if you have some old plugins or files there. If you like to keep them, please copy them away.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$$ t2build tranalyzer2 basicFlow lldpDecode txtSink
...
BUILD SUCCESSFUL
$If you did not create a separate data and results directory yet, please do it now in another cmd window. It will facilitate your workflow:
$ mkdir ~/data ~/results
$Download the sample pcap if did not do it already: dell-lldp-capture.pcap. Now you’re all set.
lldpDecode
The configuration of lldpDecode
$ lldpDecode
$ vi src/lldpDecode.h...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define LLDP_TTL_AGGR 1 // aggregate TTL values
#define LLDP_NUM_TTL 8 // Number of different TTL values to store
#define LLDP_OPT_TLV 1 // output optional TLVs
#define LLDP_STRLEN 20 // maximum length of short trings to store
#define LLDP_LSTRLEN 100 // maximum length of long strings to store
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...You may reconfigure that with t2conf or just edit the file. We leave it at the default value for this tutorial. Now run t2 on the dell-lldp-capture.pcap.
$ t2 -r ~/data/dell-lldp-capture.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 35047
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: basicFlow, 0.8.14
02: lldpDecode, 0.8.14
03: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/dell-lldp-capture.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1391125982.327232 sec (Thu 30 Jan 2014 23:53:02 GMT)
Dump stop : 1391127718.633023 sec (Fri 31 Jan 2014 00:21:58 GMT)
Total dump duration: 1736.305791 sec (28m 56s)
Finished processing. Elapsed time: 0.009078 sec
Finished unloading flow memory. Time: 0.009117 sec
Percentage completed: 100.00%
Number of processed packets: 76
Number of processed bytes: 19494 (19.49 K)
Number of raw bytes: 19494 (19.49 K)
Number of pcap bytes: 20734 (20.73 K)
Number of A packets: 76 [100.00%]
Number of A bytes: 19494 (19.49 K) [100.00%]
Average A packet load: 256.50
Average B packet load: 0.00
--------------------------------------------------------------------------------
lldpDecode: Aggregated lldpStat=0x2015
lldpDecode: Aggregated lldpTLVTypes=0x800001ff
lldpDecode: Aggregated lldpCaps=0x001c, lldpEnCaps=0x001c
lldpDecode: Number of LLDP packets: 76 [100.00%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 2, average: 2.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 3
Number of processed A flows: 3 [100.00%]
Number of request flows: 3 [100.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed packets/flows: 25.33
Number of processed A packets/flows: 25.33
Number of processed total packets/s: 0.04
Number of processed A+B packets/s: 0.04
Number of processed A packets/s: 0.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.00
Average full raw bandwidth: 90 b/s
Average full bandwidth : 0 b/s
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0000000000000024
[INF] Layer 2 flows
[INF] LLDP
$$ tawk -V lldpStat=0x2015The lldpStat column with value 0x2015 is to be interpreted as follows:
bit | lldpStat | Description
=============================================================================
0 | 0x0001 | Flow is LLDP
2 | 0x0004 | Optional TLV present
4 | 0x0010 | Organization specific TLV used
13 | 0x2000 | String truncated... increase LLDP_STRLENtawk -V lldpCaps=0x001cThe lldpCaps column with value 0x001c is to be interpreted as follows:
bit | lldpCaps | Description
=============================================================================
2 | 0x0004 | Bridge
3 | 0x0008 | WLAN access point
4 | 0x0010 | RouterThe same applies for lldpEnCaps.
In the flow file you will see all relevant information about the devices and the ports. Note the TTL change in flow 1.
$ cd ~/results
$ tcol dell-lldp-capture_flows.txti%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto lldpStat lldpTTL lldpTLVTypes lldpChassis lldpPort lldpPortDesc lldpSysName lldpSysDesc lldpCaps_enCaps lldpMngmtAddr
A 2 0x0000000000000024 1391126776.632995 1391127226.963147 450.330152 1 2 eth:lldp 00:24:7e:e1:87:e9 01:80:c2:00:00:0e 0x88cc - - "-" 0 - - "-" 0 0 0x2015 120 0x800001ff 00:24:7e:e1:87:e9 "00:24:7e:e1:87:e9" "eth0" "Strike" "Ubuntu precise (12.04.4 LTS) Linux 3.2.0-58-generic #88-Ubuntu SMP Tue Dec 3 17:37:58 UTC 2013 x86_6" 0x001c_0x001c 192.168.122.1
A 1 0x0000000000000024 1391125982.327232 1391127564.359797 1582.032565 1 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc - - "-" 0 - - "-" 0 0 0x2015 120;0 0x800000ff 28:93:fe:32:f4:2e "Gi0/46" "GigabitEthernet0/46" "4190_2nd_Data4.cisco" "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\n" 0x0014_0x0004
A 3 0x0000000000000024 1391127568.688015 1391127718.633023 149.945008 1 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc - - "-" 0 - - "-" 0 0 0x0001 120 0x0000000f 00:25:64:22:b2:1d "g48" "" "" "" 0x0000_0x0000 Same for the packet file. The TTL change of flow 1 happens in packet 70.
$ tcol dell-lldp-capture_packets.txt%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto lldpStat lldpTTL lldpTLVTypes lldpChassis lldpPort lldpPortDesc lldpSysName lldpCaps_enCaps lldpMngmtAddr l7Content
1 1 0x0000000000000024 1391125982.327232 0.000000 0.000000 0.000000 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
2 1 0x0000000000000024 1391126012.232878 29.905645 0.000000 29.905645 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
3 1 0x0000000000000024 1391126041.951325 29.718447 0.000000 59.624092 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
4 1 0x0000000000000024 1391126071.934290 29.982965 0.000000 89.607056 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
5 1 0x0000000000000024 1391126101.647649 29.713360 0.000000 119.320419 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
6 1 0x0000000000000024 1391126131.417816 29.770166 0.000000 149.090591 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
7 1 0x0000000000000024 1391126161.373344 29.955528 0.000000 179.046112 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
...
70 1 0x0000000000000024 1391127564.359797 3.011554 0.000000 1582.032593 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 0 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46............................
71 3 0x0000000000000024 1391127568.688015 0.000000 0.000000 0.000000 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
72 3 0x0000000000000024 1391127598.677046 29.989031 0.000000 29.989031 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
73 3 0x0000000000000024 1391127628.666068 29.989021 0.000000 59.978054 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
74 3 0x0000000000000024 1391127658.655030 29.988962 0.000000 89.967018 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
75 3 0x0000000000000024 1391127688.644126 29.989096 0.000000 119.956108 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
76 3 0x0000000000000024 1391127718.633023 29.988897 0.000000 149.945007 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................Have fun analyzing.