Tutorial: Link Layer Discovery Protocol (LLDP)
Introduction
This tutorial discusses the lldpDecode plugin. LLDP (IEEE 802.1AB) is the protocol with which switches, routers and hosts announce their chassis ID, port, capabilities, software version and management address to their directly attached neighbours. The decoded fields are vital for troubleshooting and for security-related questions: LLDP is unauthenticated and every device on a port sees what its neighbour advertises, so the plugin shows exactly which device discloses what on the wire.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow lldpDecode txtSink
...
BUILD SUCCESSFUL
If you have not yet created separate data and results directories, do it now in another bash window; it makes the workflow easier:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here: dell-lldp-capture.pcap.
Please save it in your ~/data folder.
Now you are all set for analyzing LLDP traffic!
lldpDecode
The configuration of lldpDecode
lldpDecode
vi src/lldpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define LLDP_TTL_AGGR 1 // aggregate TTL values
#define LLDP_NUM_TTL 8 // Number of different TTL values to store
#define LLDP_OPT_TLV 1 // output optional TLVs
#define LLDP_STRLEN 20 // maximum length of short strings to store
#define LLDP_LSTRLEN 100 // maximum length of long strings to store
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
You may reconfigure these flags with t2conf or just edit the file. We leave them at their default values for this tutorial. Now run t2 on dell-lldp-capture.pcap, with -r pointing at the PCAP in ~/data and -w at ~/results (the paths appear in the output below).
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 35047
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: lldpDecode, 0.8.14
    03: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/dell-lldp-capture.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1391125982.327232 sec (Thu 30 Jan 2014 23:53:02 GMT)
Dump stop : 1391127718.633023 sec (Fri 31 Jan 2014 00:21:58 GMT)
Total dump duration: 1736.305791 sec (28m 56s)
Finished processing. Elapsed time: 0.009078 sec
Finished unloading flow memory. Time: 0.009117 sec
Percentage completed: 100.00%
Number of processed packets: 76
Number of processed bytes: 19494 (19.49 K)
Number of raw bytes: 19494 (19.49 K)
Number of pcap bytes: 20734 (20.73 K)
Number of A packets: 76 [100.00%]
Number of A bytes: 19494 (19.49 K) [100.00%]
Average A packet load: 256.50
Average B packet load: 0.00
--------------------------------------------------------------------------------
lldpDecode: Aggregated lldpStat=0x2015
lldpDecode: Aggregated lldpTLVTypes=0x800001ff
lldpDecode: Aggregated lldpCaps=0x001c, lldpEnCaps=0x001c
lldpDecode: Number of LLDP packets: 76 [100.00%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 2, average: 2.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 3
Number of processed A flows: 3 [100.00%]
Number of request flows: 3 [100.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed packets/flows: 25.33
Number of processed A packets/flows: 25.33
Number of processed total packets/s: 0.04
Number of processed A+B packets/s: 0.04
Number of processed A packets/s: 0.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.00
Average full raw bandwidth: 90 b/s
Average full bandwidth : 0 b/s
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0000000000000024
[INF] Layer 2 flows
[INF] LLDP
All 76 packets are LLDP and they fall into three flows, one per advertising device. The aggregated lldpStat and lldpCaps values in the end report can be decoded with tawk:
tawk -V lldpStat=0x2015
The lldpStat column with value 0x2015 is to be interpreted as follows:
bit | lldpStat | Description
=============================================================================
  0 | 0x0001   | Flow is LLDP
  2 | 0x0004   | Optional TLV present
  4 | 0x0010   | Organization specific TLV used
 13 | 0x2000   | String truncated... increase LLDP_STRLEN
Bit 13 is set here because the system descriptions of flows 1 and 2 are longer than 100 characters and were cut at that length. Note that the system description is one of the long strings, so the flag to raise in that case is LLDP_LSTRLEN, not LLDP_STRLEN as the hint suggests.
tawk -V lldpCaps=0x001c
The lldpCaps column with value 0x001c is to be interpreted as follows:
bit | lldpCaps | Description
=============================================================================
2 | 0x0004 | Bridge
3 | 0x0008 | WLAN access point
4 | 0x0010 | Router
The same applies to lldpEnCaps, which lists the capabilities that are currently enabled. The aggregated 0x001c merges all three flows; per flow the pair is more telling. Flow 1, for instance, reports 0x0014_0x0004: the switch is capable of bridging and routing but only bridging is enabled.
In the flow file you will see all relevant information about the devices and the ports: chassis ID, port ID and description, system name and description, capabilities and management address. From a security point of view the sysDesc column is the one to watch, as it reveals the exact software version of each neighbour (Cisco IOS 12.2(44)SE6 on the switch, Ubuntu 12.04.4 with kernel 3.2.0-58 on the host "Strike") to anyone with a link on the same port. Also note that the chassis ID need not equal the source MAC, as flow 3 shows, and note the TTL change in flow 1 (120;0).
tcol ~/results/dell-lldp-capture_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto lldpStat lldpTTL lldpTLVTypes lldpChassis lldpPort lldpPortDesc lldpSysName lldpSysDesc lldpCaps_enCaps lldpMngmtAddr
A 2 0x0000000000000024 1391126776.632995 1391127226.963147 450.330152 1 2 eth:lldp 00:24:7e:e1:87:e9 01:80:c2:00:00:0e 0x88cc - - "-" 0 - - "-" 0 0 0x2015 120 0x800001ff 00:24:7e:e1:87:e9 "00:24:7e:e1:87:e9" "eth0" "Strike" "Ubuntu precise (12.04.4 LTS) Linux 3.2.0-58-generic #88-Ubuntu SMP Tue Dec 3 17:37:58 UTC 2013 x86_6" 0x001c_0x001c 192.168.122.1
A 1 0x0000000000000024 1391125982.327232 1391127564.359797 1582.032565 1 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc - - "-" 0 - - "-" 0 0 0x2015 120;0 0x800000ff 28:93:fe:32:f4:2e "Gi0/46" "GigabitEthernet0/46" "4190_2nd_Data4.cisco" "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\n" 0x0014_0x0004
A 3 0x0000000000000024 1391127568.688015 1391127718.633023 149.945008 1 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc - - "-" 0 - - "-" 0 0 0x0001 120 0x0000000f 00:25:64:22:b2:1d "g48" "" "" "" 0x0000_0x0000
Same for the packet file. The TTL change of flow 1 happens in packet 70: its TTL is 0 and it carries only the mandatory TLVs, which makes it a shutdown LLDPDU. IEEE 802.1AB uses TTL 0 to tell the neighbour to discard the entry for this port immediately, for example when the port goes down or LLDP is disabled on it, and the packet arrives after only 3 s instead of the usual 30 s interval. Because LLDP has no authentication, a TTL 0 frame with a spoofed source MAC is all it takes to remove a neighbour entry, so unexpected shutdown packets are worth correlating with the actual port state.
tcol ~/results/dell-lldp-capture_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto lldpStat lldpTTL lldpTLVTypes lldpChassis lldpPort lldpPortDesc lldpSysName lldpCaps_enCaps lldpMngmtAddr l7Content
1 1 0x0000000000000024 1391125982.327232 0.000000 0.000000 0.000000 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
2 1 0x0000000000000024 1391126012.232878 29.905645 0.000000 29.905645 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
3 1 0x0000000000000024 1391126041.951325 29.718447 0.000000 59.624092 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
4 1 0x0000000000000024 1391126071.934290 29.982965 0.000000 89.607056 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
5 1 0x0000000000000024 1391126101.647649 29.713360 0.000000 119.320419 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
6 1 0x0000000000000024 1391126131.417816 29.770166 0.000000 149.090591 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
7 1 0x0000000000000024 1391126161.373344 29.955528 0.000000 179.046112 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 120 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46...x\n.4190_2nd_Data4.cisco.com..Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\nCompiled Mon 09-Mar-09 18:10 by gereddy..GigabitEthernet0/46.............?.\t...........
...
70 1 0x0000000000000024 1391127564.359797 3.011554 0.000000 1582.032593 2 eth:lldp 28:93:fe:32:f4:2e 01:80:c2:00:00:0e 0x88cc 0x2015 0 0x800000ff 28:93:fe:32:f4:2e Gi0/46 GigabitEthernet0/46 4190_2nd_Data4.cisco 0x0014_0x0004 ...(..2.....Gi0/46............................
71 3 0x0000000000000024 1391127568.688015 0.000000 0.000000 0.000000 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
72 3 0x0000000000000024 1391127598.677046 29.989031 0.000000 29.989031 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
73 3 0x0000000000000024 1391127628.666068 29.989021 0.000000 59.978054 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
74 3 0x0000000000000024 1391127658.655030 29.988962 0.000000 89.967018 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
75 3 0x0000000000000024 1391127688.644126 29.989096 0.000000 119.956108 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
76 3 0x0000000000000024 1391127718.633023 29.988897 0.000000 149.945007 2 eth:lldp 00:25:64:22:b2:4d 01:80:c2:00:00:0e 0x88cc 0x1 120 0x0000000f 00:25:64:22:b2:1d g48 0x0000_0x0000 ....%d".....g48...x...........................
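To make the columns above concrete, here is an added example (our own code, not part of Tranalyzer or lldpDecode) that parses an LLDP frame the way the plugin reports it: the lldpTLVTypes bitmask (type n on bit n, the organization-specific TLV 127 on bit 31, as the 0x8000xxxx values above show), the lldpCaps/lldpEnCaps pair with the bit names from the table, the string truncation that sets lldpStat bit 13, and the TTL 0 shutdown case of packet 70. It also enforces the mandatory TLV order chassis ID, port ID, TTL that the standard requires. The three frames at the bottom are constructed by us from the field values shown in the flow file (the management address is flow 2's, the rest flow 1's); their byte layout is ours, not a copy of the capture.

```python
# Minimal IEEE 802.1AB (LLDP) parser reproducing the lldpDecode columns.
# Added example for this tutorial; it is not Tranalyzer or lldpDecode code.
import ipaddress
import struct

ETH_P_LLDP = 0x88CC
# System capability bits, 802.1AB Table 8-4 (same numbering as the lldpCaps table)
CAP_NAMES = {0: "other", 1: "repeater", 2: "bridge", 3: "wlan-ap", 4: "router",
             5: "telephone", 6: "docsis", 7: "station-only"}
STRING_TLVS = {4: "port_desc", 5: "sys_name", 6: "sys_desc"}


class LLDPError(ValueError):
    """Frame violates the mandatory TLV layout or is truncated."""


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_tlv(ttype, value):
    # TLV header: 7-bit type, 9-bit length, followed by the value
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def fmt_id(value, mac_subtype):
    # Chassis/port ID: the MAC subtype is rendered aa:bb:.., everything else as text
    if value[0] == mac_subtype and len(value) == 7:
        return value[1:].hex(":")
    return value[1:].decode("utf-8", "replace")


def parse_lldp(frame, max_str=100):
    """Parse an Ethernet frame carrying an LLDPDU; max_str mimics LLDP_LSTRLEN."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_LLDP:
        raise LLDPError("not an LLDP frame")
    info = {"src_mac": frame[6:12].hex(":"), "tlv_types": 0, "truncated": False,
            "org_tlvs": [], "mgmt_addr": None}
    off, n = 14, 0
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        val = frame[off + 2:off + 2 + tlen]
        if len(val) != tlen:
            raise LLDPError("TLV type %d runs past the end of the frame" % ttype)
        # 802.1AB: chassis ID, port ID and TTL must come first, in that order
        if n < 3 and ttype != n + 1:
            raise LLDPError("TLV #%d is type %d, expected %d" % (n, ttype, n + 1))
        off, n = off + 2 + tlen, n + 1
        # Same encoding as lldpTLVTypes: type t -> bit t, org-specific (127) -> bit 31
        info["tlv_types"] |= (1 << 31) if ttype == 127 else (1 << ttype)
        if ttype == 0:                                   # End of LLDPDU
            return info
        if ttype == 1:
            info["chassis"] = fmt_id(val, 4)
        elif ttype == 2:
            info["port"] = fmt_id(val, 3)
        elif ttype == 3:
            info["ttl"] = struct.unpack("!H", val[:2])[0]
            info["shutdown"] = info["ttl"] == 0          # shutdown LLDPDU (packet 70)
        elif ttype in STRING_TLVS:
            text = val.decode("utf-8", "replace")
            info["truncated"] |= len(text) > max_str     # lldpStat bit 13 (0x2000)
            info[STRING_TLVS[ttype]] = text[:max_str]
        elif ttype == 7:
            info["caps"], info["en_caps"] = struct.unpack("!HH", val[:4])
            info["cap_names"] = [CAP_NAMES.get(b, str(b)) for b in range(16)
                                 if info["caps"] >> b & 1]
        elif ttype == 8:                                 # IANA AFN: 1 = IPv4, 2 = IPv6
            alen, fam = val[0], val[1]
            if fam in (1, 2):
                info["mgmt_addr"] = str(ipaddress.ip_address(val[2:1 + alen]))
        elif ttype == 127:
            info["org_tlvs"].append((val[:3].hex(), val[3]))  # (OUI, subtype)
    raise LLDPError("no End of LLDPDU TLV")


def is_well_formed(frame):
    try:
        parse_lldp(frame)
        return True
    except (ValueError, struct.error, IndexError):       # LLDPError is a ValueError
        return False


# Constructed frames: field values are taken from the flow file above, the byte
# layout is ours (management address from flow 2, everything else from flow 1).
ETH = mac("01:80:c2:00:00:0e") + mac("28:93:fe:32:f4:2e") + struct.pack("!H", ETH_P_LLDP)
MANDATORY = build_tlv(1, b"\x04" + mac("28:93:fe:32:f4:2e")) + build_tlv(2, b"\x05Gi0/46")
SYS_DESC = (b"Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6,"
            b" RELEASE SOFTWARE (fc1)\nCopyright (c) 1986-2009 by Cisco Systems, Inc.\n")
NORMAL_FRAME = ETH + MANDATORY + b"".join([
    build_tlv(3, struct.pack("!H", 120)),
    build_tlv(4, b"GigabitEthernet0/46"),
    build_tlv(5, b"4190_2nd_Data4.cisco.com"),
    build_tlv(6, SYS_DESC),                              # > 100 chars: gets truncated
    build_tlv(7, struct.pack("!HH", 0x0014, 0x0004)),    # bridge+router capable, bridge enabled
    build_tlv(8, b"\x05\x01" + ipaddress.ip_address("192.168.122.1").packed
              + b"\x02" + struct.pack("!I", 1) + b"\x00"),  # IPv4, ifIndex 1, no OID
    build_tlv(127, bytes.fromhex("00120f") + b"\x01\x03\x6c\x03\x00\x10"),  # 802.3 MAC/PHY
    build_tlv(0, b"")])
# Shutdown LLDPDU modelled on packet 70: TTL 0, mandatory TLVs only
SHUTDOWN_FRAME = ETH + MANDATORY + build_tlv(3, b"\x00\x00") + build_tlv(0, b"")
# TTL placed before the port ID: a conforming receiver discards this frame
BAD_FRAME = ETH + MANDATORY[:9] + build_tlv(3, b"\x00\x78") + MANDATORY[9:] + build_tlv(0, b"")
```

Calling parse_lldp(NORMAL_FRAME) yields tlv_types 0x800001ff, caps 0x0014 with cap_names ["bridge", "router"], a sys_desc cut to 100 characters with truncated set, and mgmt_addr 192.168.122.1, i.e. the same picture the flow file paints for flows 1 and 2; SHUTDOWN_FRAME gives ttl 0, shutdown True and tlv_types 0x0f, while is_well_formed(BAD_FRAME) is False. To run it over a real capture, read frames with any pcap reader and feed the raw bytes of each 0x88cc frame to parse_lldp.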
Have fun analyzing!