Do you want to parse CDP or LLDP information? Do you run Windows 11? As I recently found out, it might not be as straightforward as expected.

Turns out Microsoft removed some useful capabilities from the built-in network tools in Windows 11.

After extensive searching and trying several tools (including, of course, having ChatGPT write me some scripts, which failed), I decided to do it manually with Wireshark instead, which was a much better experience. To clarify, I did not try every tool I found, as I could not validate them before running them.

In the end I wrote a simple PowerShell script to get the active interface, start a capture on it in Wireshark, sleep for a minute and a half, and then use tshark to grab the CDP/LLDP data I needed. I will not share the script as I cannot really code in PowerShell, but what I can do is string a bunch of commands together to make it work!

The useful parts are the following:

Get the active Ethernet adapter(s) (Get-NetAdapter reports a linked adapter's Status as 'Up'):

Get-NetAdapter -Physical | where Name -ne 'Wi-Fi' | where Status -eq 'Up' | foreach { $_.Name }

Run tshark for 90 seconds on that interface:

C:\path\path\wireshark\tshark.exe -i "$NIC" -a duration:90 -w cdp.pcap

Grab the CDP/LLDP information from the capture file:

C:\path\path\wireshark\tshark.exe -r cdp.pcap -Y "cdp || lldp" -V

I then took that output, selected only the things I wanted for that use case, and programmatically removed the pcap, but that is not interesting here.
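Stringing the three steps together as one script, as an added example rather than the author's own script: it assumes tshark.exe lives at the path in $TShark, keys on Get-NetAdapter's 'Up' status for a linked adapter, narrows the live capture with a BPF filter to CDP and LLDP frames only, and pulls named fields (names as used by Wireshark's CDP and LLDP dissectors; list them with `tshark -G fields` if in doubt) instead of the full -V dump.

```powershell
# Added example, not the post's script. Assumed: tshark.exe at $TShark, and
# Administrator rights if Npcap was installed in admin-only capture mode.
$TShark  = 'C:\Program Files\Wireshark\tshark.exe'   # assumed install path
$Pcap    = Join-Path $env:TEMP 'cdp.pcap'
$Seconds = 90   # one full CDP/LLDP advertisement interval plus margin

# Step 1: first physical, linked, non-Wi-Fi adapter (Status is 'Up' when linked).
$nic = Get-NetAdapter -Physical |
    Where-Object { $_.Name -ne 'Wi-Fi' -and $_.Status -eq 'Up' } |
    Select-Object -First 1 -ExpandProperty Name
if (-not $nic) { throw 'No connected wired adapter found.' }

# Step 2: capture for 90 s, keeping only discovery frames on disk:
# LLDP is EtherType 0x88cc, CDP goes to the multicast MAC 01:00:0c:cc:cc:cc.
& $TShark -i $nic -a "duration:$Seconds" `
    -f 'ether proto 0x88cc or ether dst 01:00:0c:cc:cc:cc' -w $Pcap

# Step 3: extract the fields worth keeping, one row per CDP or LLDP frame.
$fields = @(
    'frame.time',
    'cdp.deviceid', 'cdp.portid', 'cdp.platform', 'cdp.native_vlan',
    'lldp.tlv.system.name', 'lldp.chassis.id.mac', 'lldp.port.id',
    'lldp.port.desc', 'lldp.ieee.802_1.port_vlan.id', 'lldp.mgn.addr.ip4'
)
$tsharkArgs = @('-r', $Pcap, '-Y', 'cdp || lldp',
                '-T', 'fields', '-E', 'header=y', '-E', 'separator=|')
foreach ($f in $fields) { $tsharkArgs += @('-e', $f) }

# header=y makes the first line the field names, so the output parses as CSV.
$neighbors = & $TShark @tsharkArgs | ConvertFrom-Csv -Delimiter '|'
$neighbors | Format-List

# The pcap holds the same switch details; remove it once parsed.
Remove-Item $Pcap -ErrorAction SilentlyContinue
```

Rows from CDP frames leave the lldp.* columns empty and vice versa, so a switch that speaks both protocols shows up twice per interval.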

Of course this can also be done in Wireshark's GUI: just start a capture and filter for cdp || lldp.

CDP and LLDP contain lots of useful information about the network you are connecting to. The acronyms themselves give a lot of it away: CDP is the Cisco Discovery Protocol and LLDP is the Link Layer Discovery Protocol, the first being proprietary to its manufacturer and the second an open specification.

The data they provide is very useful for troubleshooting network issues and can include the VLAN, the switch port you are connected to, the hostname, the management IP and a lot more, depending on configuration.

The default advertisement interval is usually 60 seconds, which is why I chose a 90 second capture.

On Linux, lldpd (queried with lldpcli, as below) will let you read the CDP and LLDP information straight off the network without doing a capture first. Example with a host connected to a switch that is configured with LLDP:

root@redacted:~# lldpcli 
[lldpcli] # sh nei det
LLDP neighbors:
Interface:    enp1s0f0, via: LLDP, RID: 1, Time: 12 days, 03:35:54
    ChassisID:    mac XX:XX:XX:f5:c8:94
    SysName:      switchfXXXX
    Capability:   Bridge, on
    PortID:       ifname gi10
    TTL:          120
  VLAN:         1, pvid: yes
[lldpcli] #

For more information about these protocols I recommend checking out some of these articles that dive deeper: Wikipedia, Wireshark, Cisco Learning Network.
