Detecting Switch LLDP name and ports per Capture Port


It can be quite useful to decode the LLDP packet information for each physical capture port. This helps identify which switches and switch ports are being tapped.

The command is:

 # Select frames from capture port 0 and keep only EtherType 0x88cc (LLDP),
 # then decode them: tshark reads the stream from stdin (-r -) and emits
 # Elasticsearch-style JSON (-T ek), which jq pretty-prints.
 # NOTE(review): --follow presumably keeps reading as new data is captured;
 # confirm against the stream_cat help. Change the capture.port value to
 # inspect a different physical port.
 # Only stream_cat runs under sudo; tshark and jq run as the invoking user,
 # so the packet dissectors are not parsing captured traffic as root.
 # The decoded TLVs include the neighbour's system name, OS description and
 # management addresses; handle saved output as network inventory data.
 sudo stream_cat --follow --frame "capture.port==0" --bpf "ether proto 0x88cc" | tshark -r - -T ek | jq

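The output looks like the following. It may take a few minutes for enough data to be buffered and flushed before correct output appears. The fields that identify the tapped device are `text_lldp_tlv_system_name` (system name), `text_lldp_chassis_id_mac` (chassis ID), and `text_lldp_port_id_mac` / `text_lldp_port_desc` (port).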

{
  "timestamp": "1733846568119",
  "layers": {
    "frame": {
      "frame_frame_encap_type": "1",
      "frame_frame_time": "Dec 11, 2024 00:02:48.119145212 SGT",
      "frame_frame_offset_shift": "0.000000000",
      "frame_frame_time_epoch": "1733846568.119145212",
      "frame_frame_time_delta": "2.822474511",
      "frame_frame_time_delta_displayed": "2.822474511",
      "frame_frame_time_relative": "164.867980609",
      "frame_frame_number": "109",
      "frame_frame_len": "196",
      "frame_frame_cap_len": "196",
      "frame_frame_marked": "0",
      "frame_frame_ignored": "0",
      "frame_frame_protocols": "eth:ethertype:lldp"
    },
    "eth": {
      "eth_eth_dst": "01:80:c2:00:00:0e",
      "eth_dst_eth_dst_resolved": "01:80:c2:00:00:0e",
      "eth_dst_eth_addr": "01:80:c2:00:00:0e",
      "eth_dst_eth_addr_resolved": "01:80:c2:00:00:0e",
      "eth_dst_eth_lg": "0",
      "eth_dst_eth_ig": "1",
      "eth_eth_src": "74:56:3c:0f:e8:b6",
      "eth_src_eth_src_resolved": "74:56:3c:0f:e8:b6",
      "eth_src_eth_addr": "74:56:3c:0f:e8:b6",
      "eth_src_eth_addr_resolved": "74:56:3c:0f:e8:b6",
      "eth_src_eth_lg": "0",
      "eth_src_eth_ig": "0",
      "eth_eth_type": "0x000088cc"
    },
    "lldp": {
      "lldp_text": "End of LLDPDU",
      "text_lldp_tlv_type": "0",
      "text_lldp_tlv_len": "0",
      "text_lldp_chassis_subtype": "4",
      "text_lldp_chassis_id_mac": "74:56:3c:0f:e8:b5",
      "text_lldp_port_subtype": "3",
      "text_lldp_port_id_mac": "74:56:3c:0f:e8:b6",
      "text_lldp_time_to_live": "120",
      "text_lldp_tlv_system_name": "AMI74563C0FE8B5",
      "text_lldp_tlv_system_desc": " Linux 5.4.210-ami #1 SMP Thu Sep 21 09:31:06 UTC 2023 armv7l",
      "text_lldp_tlv_system_cap": "0x0000009c",
      "lldp_tlv_system_cap_lldp_tlv_system_cap_other": "0",
      "lldp_tlv_system_cap_lldp_tlv_system_cap_repeater": "0",
      "lldp_tlv_system_cap_lldp_tlv_system_cap_bridge": "1",
      "lldp_tlv_system_cap_lldp_tlv_system_cap_wlan_access_pt": "1",
      "lldp_tlv_system_cap_lldp_tlv_system_cap_router": "1",
      "lldp_tlv_system_cap_lldp_tlv_system_cap_telephone": "0",
      "lldp_tlv_system_cap_lldp_tlv_system_cap_docsis_cable_device": "0",
      "lldp_tlv_system_cap_lldp_tlv_system_cap_station_only": "1",
      "text_lldp_tlv_enable_system_cap": "0x00000080",
      "lldp_tlv_enable_system_cap_lldp_tlv_enable_system_cap_other": "0",
      "lldp_tlv_enable_system_cap_lldp_tlv_enable_system_cap_repeater": "0",
      "lldp_tlv_enable_system_cap_lldp_tlv_enable_system_cap_bridge": "0",
      "lldp_tlv_enable_system_cap_lldp_tlv_enable_system_cap_wlan_access_pt": "0",
      "lldp_tlv_enable_system_cap_lldp_tlv_enable_system_cap_router": "0",
      "lldp_tlv_enable_system_cap_lldp_tlv_enable_system_cap_telephone": "0",
      "lldp_tlv_enable_system_cap_lldp_tlv_enable_system_cap_docsis_cable_device": "0",
      "lldp_tlv_enable_system_cap_lldp_tlv_enable_system_cap_station_only": "1",
      "text_lldp_mgn_address_len": "17",
      "text_lldp_mgn_address_subtype": "2",
      "text_lldp_mgn_addr_ip4": "192.168.2.213",
      "text_lldp_mgn_interface_subtype": "2",
      "text_lldp_mgn_interface_number": "4",
      "text_lldp_mgn_obj_len": "0",
      "text_lldp_mgn_addr_ip6": "fe80::7656:3cff:fe0f:e8b6",
      "text_lldp_port_desc": "eth1",
      "text_lldp_orgtlv_oui": "0x0000120f",
      "text_lldp_ieee_802_3_subtype": "0x00000001",
      "text_lldp_ieee_802_3_aggregation_status": "0x00000001",
      "lldp_ieee_802_3_aggregation_status_lldp_ieee_802_3_aggregation_status_cap": "1",
      "lldp_ieee_802_3_aggregation_status_lldp_ieee_802_3_aggregation_status_enabled": "0",
      "text_lldp_ieee_802_3_aggregated_port_id": "0",
.
.
.