Man Linux: Main Page and Category List


       cdp - cdp packet generator


       cdp  -i  <interface> [-v -n x -l x -c c -r] [-D <string> -P <string> -L
       <string> -S <string> -F <ip address> -C <capabilities>]


       This manual page documents briefly the cdp command.  This  manual  page
       was  written  for  the Debian distribution because the original program
       does not have a manual page.

       CDP is a layer 2 protocol used by Cisco routers to discover each  other
       on  the  same link (segment). This protocol is not routed and therefore
       this tool is just usefull in the local segment.

       CDP messages contain information about the sending Cisco router.  These
       include  the device ID (hostname), port ID (which port was the sender),
       the platform running on, the software incl. version, what  the  box  is
       capable of and which network address (IP address) the interface has. If
       not configured otherwise, Cisco routers send these messages  out  every
       30  seconds.  In  our  case  (ethernet), they are send to a special MAC
       address (01:00:0C:CC:CC:CC) and therefore are received from every Cisco
       router  in  the  same segment. Other routers store the data and hold it
       for a time defined in the message (the tool uses  the  maximum  of  255

       Very  interesting  is, that Cisco IOS uses the device ID as key to find
       out if the received message is an update and the  neighbor  is  already
       known  or not. If the device ID is to long, this test seems to fail and
       you constantly fill up the routers memory.

       The CDP tool can be used in two different modi:

       The flood mode is used to send garbage CDP messages to the wire,  which
       has different effects to the routers depending on their IOS version. It
       is not tested very well, which version of IOS reacts in  which  way  on
       which  kind  of  Cisco hardware. So if you come across somthing, please
       report it. IOS 11.1(1) was tested and the router could match even  long
       device id´s but rebooted after receiving three or four random device id
       names. Most other IOS versions just store the message and fill  up  the
       memory. When you try to debug CDP events, all IOS we tested crashed and

       To use CDP, you have to specify the  ethernet  interface  you  will  be
       working on: -i eth0

       Everything else is optional.

       -v     verbose

       -n x   send x packets

       -l x   length of the device id string. Keep in mind, that the
              whole ethernet frame has to be smaller the 1514 bytes.
              The maximum length is therefore 1480 for the device id
              (default is 1400)

       -c c   fills the device id with the char ’c’ (default is ’A’)

       -r     makes the device id a random string of characters, which
              leads to no matching on the receiver Cisco and to memory fillup
              or crash


       Hint:  if  you want to flood the routers completly, start two processes
       of cdp with different sizes. One of them running on full size (1480) to
       fill  up  the  major part of the memory and another to fill up the rest
       with a length of 10 octets.

       The second mode for CDP is spoofing. You can enable this mode with  the
       command  line  option  -m 1. It has no actuall use for attacking router
       and is mostly targeted fro social engineering or just  to  confuse  the
       local  administrator. It is used to send out 100% valid CDP infromation
       packets which look like generated by other Cisco routers. Here, you can
       specify any part of a CDP message yourself.

       -i <interface> ethernet interface

       -v                     verbose

       -D <string>            device id string

       -P <string>            port id string

       -L <string>            platform string

       -S <string>            software string

       -F <ip address>        ip address of the interface

       -C  <capabilities>      the capabilities of the device you are claiming
       to be:
                     R - Router, T - Trans Bridge, B - Source Route Bridge,
                     S - Switch, H - Host, I - IGMP, r - Repeater
                     Combine the letters to a string: RI means Router and IGMP


       Which results on the cisco router in the following information:

       cisco#sh cdp neig detail


       Device ID: Linuxfirewall

       Entry address(es):

       IP address:

       Platform: Intel,  Capabilities: Router

       Interface: Ethernet0,  Port ID (outgoing port): Ethernet0

       Holdtime : 238 sec

       Version :

       Linux  vince  2.4.18-686  #1  Sun Apr 14 11:32:47 EST 2002 i686 unknown
       unknown GNU/Linux


       This manual page was written by Vince Mulhollon  <>,  for
       the Debian GNU/Linux system (but may be used by others).

                                January 1, 2003