NAME
cdp - cdp packet generator
SYNOPSIS
cdp -i <interface> [-v -n x -l x -c c -r] [-D <string> -P <string> -L
<string> -S <string> -F <ip address> -C <capabilities>]
DESCRIPTION
This manual page documents briefly the cdp command. This manual page
was written for the Debian distribution because the original program
does not have a manual page.
CDP is a layer 2 protocol used by Cisco routers to discover each other
on the same link (segment). This protocol is not routed and therefore
this tool is just usefull in the local segment.
CDP messages contain information about the sending Cisco router. These
include the device ID (hostname), port ID (which port was the sender),
the platform running on, the software incl. version, what the box is
capable of and which network address (IP address) the interface has. If
not configured otherwise, Cisco routers send these messages out every
30 seconds. In our case (ethernet), they are send to a special MAC
address (01:00:0C:CC:CC:CC) and therefore are received from every Cisco
router in the same segment. Other routers store the data and hold it
for a time defined in the message (the tool uses the maximum of 255
seconds).
Very interesting is, that Cisco IOS uses the device ID as key to find
out if the received message is an update and the neighbor is already
known or not. If the device ID is to long, this test seems to fail and
you constantly fill up the routers memory.
The CDP tool can be used in two different modi:
The flood mode is used to send garbage CDP messages to the wire, which
has different effects to the routers depending on their IOS version. It
is not tested very well, which version of IOS reacts in which way on
which kind of Cisco hardware. So if you come across somthing, please
report it. IOS 11.1(1) was tested and the router could match even long
device id´s but rebooted after receiving three or four random device id
names. Most other IOS versions just store the message and fill up the
memory. When you try to debug CDP events, all IOS we tested crashed and
reboot.
To use CDP, you have to specify the ethernet interface you will be
working on: -i eth0
Everything else is optional.
-v verbose
-n x send x packets
-l x length of the device id string. Keep in mind, that the
whole ethernet frame has to be smaller the 1514 bytes.
The maximum length is therefore 1480 for the device id
(default is 1400)
-c c fills the device id with the char ’c’ (default is ’A’)
-r makes the device id a random string of characters, which
leads to no matching on the receiver Cisco and to memory fillup
or crash
Example:
Hint: if you want to flood the routers completly, start two processes
of cdp with different sizes. One of them running on full size (1480) to
fill up the major part of the memory and another to fill up the rest
with a length of 10 octets.
The second mode for CDP is spoofing. You can enable this mode with the
command line option -m 1. It has no actuall use for attacking router
and is mostly targeted fro social engineering or just to confuse the
local administrator. It is used to send out 100% valid CDP infromation
packets which look like generated by other Cisco routers. Here, you can
specify any part of a CDP message yourself.
-i <interface> ethernet interface
-v verbose
-D <string> device id string
-P <string> port id string
-L <string> platform string
-S <string> software string
-F <ip address> ip address of the interface
-C <capabilities> the capabilities of the device you are claiming
to be:
R - Router, T - Trans Bridge, B - Source Route Bridge,
S - Switch, H - Host, I - IGMP, r - Repeater
Combine the letters to a string: RI means Router and IGMP
Example:
Which results on the cisco router in the following information:
cisco#sh cdp neig detail
-------------------------
Device ID: Linuxfirewall
Entry address(es):
IP address: 10.1.1.1
Platform: Intel, Capabilities: Router
Interface: Ethernet0, Port ID (outgoing port): Ethernet0
Holdtime : 238 sec
Version :
Linux vince 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
unknown GNU/Linux
AUTHOR
This manual page was written by Vince Mulhollon <vlm@debian.org>, for
the Debian GNU/Linux system (but may be used by others).
January 1, 2003