Detecting Switch Port


A common question is “what port on the switch is this plugged into?”, which can apply to either the capture interface or the management interface.

Management Interface

To detect this, the utility pcap_switch decodes the CDPv2 traffic and outputs it in JSON format, as shown below.

sudo tcpdump -i phy10 -w - | pcap_switch | jq 

The example output looks like:

{
  "Timestamp": "06:23:59.421.244.720",
  "Proto": "CDPv2",
  "TTL": 180,
  "TLV": [
    {
      "Type": "Device ID",
      "Length": 32,
      "Value": "sg2-r0719-tor9k()"
    },
    {
      "Type": "Address",
      "Length": 17,
      "Addresses": [
        {
          "Protocol": "IP",
          "Address": "192.168.1.1"
        }
      ]
    },
    {
      "Type": "Port ID",
      "Length": 16,
      "Value": "Ethernet1/32"
    }
  ]
}

This can be extremely helpful in locating the switch and identifying which port the interface is connected to.
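To show where the fields in that output come from, here is an added Python example (not FMADIO's pcap_switch code) that decodes the Device ID, Address and Port ID TLVs from a raw 802.3 CDP frame and rejects TLV lengths that run past the end of the frame. The sample frame is constructed rather than captured, the device name lab-sw01 and the function names are assumptions, and the CDP checksum is not verified.

```python
import json
import struct

TLV_NAMES = {1: "Device ID", 2: "Address", 3: "Port ID"}
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC/SNAP: Cisco OUI, PID 0x2000

def parse_addresses(body):
    """Address TLV body: 4-byte count, then (ptype, plen, proto, alen, addr)."""
    (count,) = struct.unpack_from("!I", body, 0)
    off, out = 4, []
    for _ in range(count):
        ptype, plen = struct.unpack_from("!BB", body, off)
        proto = body[off + 2:off + 2 + plen]
        (alen,) = struct.unpack_from("!H", body, off + 2 + plen)
        addr = body[off + 4 + plen:off + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address record")
        if ptype == 1 and proto == b"\xcc" and alen == 4:  # NLPID 0xCC = IPv4
            out.append({"Protocol": "IP", "Address": ".".join(map(str, addr))})
        off += 4 + plen + alen
    return out

def parse_cdp(frame):
    """Return the CDP fields of an 802.3 frame as a dict, or None if not CDP."""
    if len(frame) < 26 or frame[14:22] != CDP_SNAP:
        return None
    result = {"Proto": "CDPv%d" % frame[22], "TTL": frame[23], "TLV": []}
    off = 26  # skip version, TTL and the 2-byte checksum (not verified here)
    while off + 4 <= len(frame):
        tlv_type, tlv_len = struct.unpack_from("!HH", frame, off)
        if tlv_len < 4 or off + tlv_len > len(frame):  # length is untrusted wire data
            raise ValueError("bad TLV length at offset %d" % off)
        body = frame[off + 4:off + tlv_len]  # length includes the 4-byte header
        entry = {"Type": TLV_NAMES.get(tlv_type, hex(tlv_type)), "Length": tlv_len}
        if tlv_type == 2:
            entry["Addresses"] = parse_addresses(body)
        elif tlv_type in (1, 3):
            entry["Value"] = body.decode("ascii", "replace")
        result["TLV"].append(entry)
        off += tlv_len
    return result

# Constructed sample frame (not captured traffic); checksum left as zero.
SAMPLE = (bytes.fromhex("01000ccccccc0200000000010039") + CDP_SNAP + b"\x02\xb4\x00\x00"
          + b"\x00\x01\x00\x0clab-sw01"
          + bytes.fromhex("00020011000000010101cc0004c0a80101")
          + b"\x00\x03\x00\x10Ethernet1/32")

if __name__ == "__main__":
    print(json.dumps(parse_cdp(SAMPLE), indent=2))
```

CDP is unauthenticated, so treat the decoded Device ID and Port ID as a hint for locating the cable rather than as verified identity.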

Capture Interface

To locate which port a capture interface is connected to, use the following:

 sudo stream_cat --follow --frame "capture.port==0" | pcap_switch

Note: this assumes no MIRROR/SPAN session traffic is on the capture port.

FMADIO Packet Capture systems