LLDP: Link Layer Discovery Protocol
Introduction
This tutorial discusses the lldpDecode plugin. The information it extracts from LLDP traffic is vital for troubleshooting and for security-related issues.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow lldpDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, please do so now in another bash window; it facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: dell-lldp-capture.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing LLDP traffic!
lldpDecode
The configuration of lldpDecode is in the plugin's header file src/lldpDecode.h. Change into the plugin directory and open it:
lldpDecode
vi src/lldpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define LLDP_TTL_AGGR 1 // aggregate TTL values
#define LLDP_NUM_TTL 8 // Number of different TTL values to store
#define LLDP_OPT_TLV 1 // output optional TLVs
#define LLDP_STRLEN 20 // maximum length of short strings to store
#define LLDP_LSTRLEN 100 // maximum length of long strings to store
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
/* No env / runtime configuration flags available for lldpDecode */
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
You may reconfigure these flags with t2conf or just edit the file. We leave them at their default values for this tutorial.
Now run t2 on dell-lldp-capture.pcap:
t2 -r ~/data/dell-lldp-capture.pcap -w ~/results/ -s
The bit fields in the lldpStat and lldpCaps columns can be interpreted with tawk -V:
tawk -V lldpStat=0x2015
The lldpStat column with value 0x2015 is to be interpreted as follows:
bit | lldpStat | Description
=============================================================================
0 | 0x0001 | Flow is LLPD
2 | 0x0004 | Optional TLV present
4 | 0x0010 | Organization specific TLV used
13 | 0x2000 | String truncated... increase LLDP_STRLEN
tawk -V lldpCaps=0x001c
The lldpCaps column with value 0x001c is to be interpreted as follows:
bit | lldpCaps | Description
=============================================================================
2 | 0x0004 | Bridge
3 | 0x0008 | WLAN access point
4 | 0x0010 | Router
The same applies for lldpEnCaps.
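To make the bit fields above concrete, here is an added Python example (not code from the Tranalyzer project or the lldpDecode source). It builds a constructed LLDPDU resembling what the Cisco switch in flow 1 sends, parses the TLVs per IEEE 802.1AB, and derives lldpStat-style status bits, a TLV-type bitmask, the TTL and the capability names. The status and capability bit positions follow the tables on this page; the lldpTLVTypes layout (bit n for TLV type n, bit 31 for organization-specific TLVs) and the LLDP_STRLEN/LLDP_LSTRLEN truncation rule are assumptions about how the plugin derives its columns. A TTL of 0 is the 802.1AB shutdown LLDPDU, which is what the 120;0 in flow 1 reflects. From a defender's point of view, the system description TLV hands the exact OS or IOS version to anyone listening on the segment, so this is the kind of data worth inventorying.

```python
import struct

ETHERTYPE_LLDP = 0x88CC
LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address

# TLV types (IEEE 802.1AB)
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAPS, TLV_MGMT_ADDR = 4, 5, 6, 7, 8
TLV_ORG = 127

# lldpStat bits as listed on the page
STAT_LLDP, STAT_OPT_TLV, STAT_ORG_TLV, STAT_TRUNC = 0x0001, 0x0004, 0x0010, 0x2000
# system capability bits (802.1AB); the page's table lists Bridge, WLAN access point, Router
CAPS = {0x01: "Other", 0x02: "Repeater", 0x04: "Bridge", 0x08: "WLAN access point",
        0x10: "Router", 0x20: "Telephone", 0x40: "DOCSIS cable device", 0x80: "Station only"}
LLDP_STRLEN, LLDP_LSTRLEN = 20, 100   # defaults from lldpDecode.h on the page


def tlv(tlv_type, payload):
    """Encode one TLV: 7-bit type, 9-bit length, then the payload."""
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload


def build_frame(src_mac, ttl, sys_name, sys_desc, caps, en_caps, org_tlv=True):
    """Constructed LLDPDU from a switch-like sender (sample data, not a real capture)."""
    body = tlv(TLV_CHASSIS, b"\x04" + src_mac)          # chassis subtype 4: MAC address
    body += tlv(TLV_PORT, b"\x05Gi0/46")                  # port subtype 5: interface name
    body += tlv(TLV_TTL, struct.pack("!H", ttl))
    body += tlv(TLV_PORT_DESC, b"GigabitEthernet0/46")
    body += tlv(TLV_SYS_NAME, sys_name.encode())
    body += tlv(TLV_SYS_DESC, sys_desc.encode())
    body += tlv(TLV_SYS_CAPS, struct.pack("!HH", caps, en_caps))
    if org_tlv:  # IEEE 802.1 OUI 00-80-C2, subtype 1 (Port VLAN ID), VLAN 1
        body += tlv(TLV_ORG, b"\x00\x80\xc2\x01\x00\x01")
    body += tlv(TLV_END, b"")
    return LLDP_MULTICAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + body


def decode_caps(mask):
    """Capability bitmask -> list of names, in bit order."""
    return [name for bit, name in CAPS.items() if mask & bit]


def parse_lldp(frame, strlen=LLDP_STRLEN, lstrlen=LLDP_LSTRLEN):
    """Return a dict mirroring the page's lldp* columns, or None if not an LLDP frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        return None
    info = {"srcMac": frame[6:12].hex(":"), "stat": STAT_LLDP, "tlvTypes": 0,
            "ttl": None, "caps": 0, "enCaps": 0, "shutdown": False}

    def keep(value, limit):
        """Store a string, flagging truncation (lldpStat bit 13) instead of silently cutting."""
        s = value.decode("utf-8", "replace")
        if len(s) > limit:
            info["stat"] |= STAT_TRUNC
        return s[:limit]

    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, length = hdr >> 9, hdr & 0x1FF
        payload = frame[off + 2:off + 2 + length]
        if len(payload) != length:
            raise ValueError("TLV runs past end of frame at offset %d" % off)
        off += 2 + length
        # assumed lldpTLVTypes layout: bit n for type n, bit 31 for org-specific
        info["tlvTypes"] |= (1 << 31) if t == TLV_ORG else (1 << t)
        if t == TLV_END:
            break
        if t >= TLV_PORT_DESC:           # anything beyond the three mandatory TLVs
            info["stat"] |= STAT_OPT_TLV
        if t == TLV_CHASSIS:
            info["chassis"] = payload[1:].hex(":") if payload[0] == 4 else payload[1:].hex()
        elif t == TLV_PORT:
            info["port"] = keep(payload[1:], strlen)
        elif t == TLV_TTL:
            info["ttl"] = struct.unpack("!H", payload)[0]
            info["shutdown"] = info["ttl"] == 0   # 802.1AB: TTL 0 is a shutdown LLDPDU
        elif t == TLV_PORT_DESC:
            info["portDesc"] = keep(payload, strlen)
        elif t == TLV_SYS_NAME:
            info["sysName"] = keep(payload, strlen)
        elif t == TLV_SYS_DESC:
            info["sysDesc"] = keep(payload, lstrlen)
        elif t == TLV_SYS_CAPS:
            info["caps"], info["enCaps"] = struct.unpack("!HH", payload)
        elif t == TLV_ORG:
            info["stat"] |= STAT_ORG_TLV
    return info


if __name__ == "__main__":
    mac = bytes.fromhex("2893fe32f42e")
    desc = ("Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
            "Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\n")
    for ttl in (120, 0):   # a normal advertisement, then the shutdown LLDPDU
        r = parse_lldp(build_frame(mac, ttl, "4190_2nd_Data4.cisco.com", desc, 0x0014, 0x0004))
        print("ttl=%d stat=0x%04x tlvTypes=0x%08x caps=%s enabled=%s shutdown=%s sysName=%r"
              % (r["ttl"], r["stat"], r["tlvTypes"], decode_caps(r["caps"]),
                 decode_caps(r["enCaps"]), r["shutdown"], r["sysName"]))
```

With the sample name "4190_2nd_Data4.cisco.com" (24 characters, as visible in the l7Content column of the packet file) the 20-character LLDP_STRLEN limit trips, so the decoder reports stat 0x2015 and tlvTypes 0x800000ff, the same values the plugin produced for flow 1; raising the limit, as the tawk description suggests, clears bit 13.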
In the flow file you will see all relevant information about the devices and the ports. Note the TTL change in flow 1 (lldpTTL 120;0).
tcol ~/results/dell-lldp-capture_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto lldpStat lldpTTL lldpTLVTypes lldpChassis lldpPort lldpPortDesc lldpSysName lldpSysDesc lldpCaps_enCaps lldpMngmtAddr
A 2 0x0000000000000024 1391126776.632995 1391127226.963147 450.330152 1 2 eth:lldp 00:24:7e:e1:87:e9 01:80:c2:00:00:0e 0x88cc - - "-" 0 - - "-" 0 0 0x2015 120 0x800001ff 00:24:7e:e1:87:e9 "00:24:7e:e1:87:e9" "eth0" "Strike" "Ubuntu precise (12.04.4 LTS) Linux 3.2.0-58-generic #88-Ubuntu SMP Tue Dec 3 17:37:58 UTC 2013 x86_6" 0x001c_0x001c 192.168.122.1
A 1 0x0000000000000024 1391125982.327232 1391127564.359797 1582.032565 1 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc - - "-" 0 - - "-" 0 0 0x2015 120;0 0x800000ff 28:93:fe:32:f4:2e "Gi0/46" "GigabitEthernet0/46" "4190_2nd_Data4.cisco" "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\n" 0x0014_0x0004
A 3 0x0000000000000024 1391127568.688015 1391127718.633023 149.945008 1 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc - - "-" 0 - - "-" 0 0 0x0001 120 0x0000000f 00:25:64:22:b2:1d "g48" "" "" "" 0x0000_0x0000
The packet file carries the same information per packet. The TTL change in flow 1 happens in packet 70.
tcol ~/results/dell-lldp-capture_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto lldpStat lldpTTL lldpTLVTypes lldpChassis lldpPort lldpPortDesc lldpSysName lldpCaps_enCaps lldpMngmtAddr l7Content
1 1 0x0000000000000024 1391125982.327232 0.000000 0.000000 0.000000 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
2 1 0x0000000000000024 1391126012.232878 29.905645 0.000000 29.905645 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
3 1 0x0000000000000024 1391126041.951325 29.718447 0.000000 59.624092 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
4 1 0x0000000000000024 1391126071.934290 29.982965 0.000000 89.607056 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
5 1 0x0000000000000024 1391126101.647649 29.713360 0.000000 119.320419 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
6 1 0x0000000000000024 1391126131.417816 29.770166 0.000000 149.090591 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
7 1 0x0000000000000024 1391126161.373344 29.955528 0.000000 179.046112 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
...
70 1 0x0000000000000024 1391127564.359797 3.011554 0.000000 1582.032593 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 0 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46............................
71 3 0x0000000000000024 1391127568.688015 0.000000 0.000000 0.000000 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
72 3 0x0000000000000024 1391127598.677046 29.989031 0.000000 29.989031 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
73 3 0x0000000000000024 1391127628.666068 29.989021 0.000000 59.978054 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
74 3 0x0000000000000024 1391127658.655030 29.988962 0.000000 89.967018 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
75 3 0x0000000000000024 1391127688.644126 29.989096 0.000000 119.956108 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
76 3 0x0000000000000024 1391127718.633023 29.988897 0.000000 149.945007 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
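Once the flow or packet file exists, the lldpDecode columns lend themselves to a quick audit. The following added Python example (not part of the Tranalyzer project) reads the column names from the header line, splits the aggregated lldpTTL list (120;0) and the lldpCaps_enCaps pair, and reports rows that carry a TTL-0 shutdown LLDPDU or the truncation bit of lldpStat. The input is a constructed, tab-separated subset of the flow file shown above (the real file has many more columns); because the packet file uses the same column names, the function works on it unchanged. The capability names are the three listed on this page.

```python
# Constructed subset of the T2 flow file above (tab-separated, header starts with %)
FLOWS_TXT = (
    "%dir\tflowInd\tsrcMac\tlldpStat\tlldpTTL\tlldpSysName\tlldpCaps_enCaps\n"
    "A\t2\t00:24:7e:e1:87:e9\t0x2015\t120\t\"Strike\"\t0x001c_0x001c\n"
    "A\t1\t28:93:fe:32:f4:2e\t0x2015\t120;0\t\"4190_2nd_Data4.cisco\"\t0x0014_0x0004\n"
    "A\t3\t00:25:64:22:b2:4d\t0x0001\t120\t\"\"\t0x0000_0x0000\n"
)

STAT_TRUNC = 0x2000   # lldpStat bit 13 from the page's table
CAP_NAMES = {0x04: "Bridge", 0x08: "WLAN access point", 0x10: "Router"}  # page's lldpCaps table


def cap_names(mask):
    """Capability bitmask -> names; bits not in the page's table are ignored."""
    return [name for bit, name in CAP_NAMES.items() if mask & bit] or ["none"]


def audit_lldp(text):
    """Return one record per row that needs attention: a shutdown LLDPDU (TTL 0,
    the 120;0 aggregate of flow 1) or strings cut by LLDP_STRLEN/LLDP_LSTRLEN."""
    lines = [line for line in text.splitlines() if line]
    idx = {name: i for i, name in enumerate(lines[0].lstrip("%").split("\t"))}
    findings = []
    for line in lines[1:]:
        f = line.split("\t")
        ttls = [int(v) for v in f[idx["lldpTTL"]].split(";") if v]
        stat = int(f[idx["lldpStat"]], 16)
        caps, enabled = (int(v, 16) for v in f[idx["lldpCaps_enCaps"]].split("_"))
        issues = []
        if 0 in ttls:
            issues.append("shutdown LLDPDU seen (TTL 0)")
        if stat & STAT_TRUNC:
            issues.append("string truncated, raise LLDP_STRLEN/LLDP_LSTRLEN")
        if issues:
            findings.append({"flowInd": f[idx["flowInd"]], "srcMac": f[idx["srcMac"]],
                             "sysName": f[idx["lldpSysName"]].strip('"'),
                             "caps": cap_names(caps), "enabled": cap_names(enabled),
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for rec in audit_lldp(FLOWS_TXT):
        print(rec)
```

To run it on a real result, replace FLOWS_TXT with the contents of ~/results/dell-lldp-capture_flows.txt or the corresponding _packets.txt file; lines beginning with % are the header, everything else is data.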
Have fun analyzing!