sniff - captured data (Cisco Discovery Protocol, CDP) beginning at 21st byte "faulty"
Brief description
Trying to capture CDP frames (Cisco Discovery Protocol):
sniff(iface="LAN", count=1, timeout=60, filter="ether dst 01:00:0c:cc:cc:cc")
fails
>>> sniff(iface="LAN", count=1, timeout=60, filter="ether dst 01:00:0c:cc:cc:cc")
<Sniffed: TCP:0 UDP:0 ICMP:0 Other:1>
>>> a=_
>>> a.nsummary()
0000 802.3 e0:cb:bc:3b:ad:80 > 01:00:0c:cc:cc:cc / LLC / SNAP / Raw
>>> a[0]
<Dot3 dst=01:00:0c:cc:cc:cc src=e0:cb:bc:3b:ad:80 len=62 |<LLC dsap=0xaa ssap=0xaa ctrl=3 |<SNAP OUI=Cisco Systems, Inc (00:00:0c) code=0x111 |<Raw load=b'!\x01\xa8\xcc\x00\x01\x00\x10E0CBBC3BAD7B\x00\x02\x00\x055\x00\x03\x00\x08\x00\x00\x00\x00\x00\x04\x00\x05\x07\x00\x06\x00\x10E0CBBC3BAD7B' |>>>>
>>>
- ok: Source/Destination MAC
- ok: len
- ok: LLC AA-AA-03
- ok: SNAP OUI "00:00:0c"
- NOK: SNAP code "0x111"
The original packet on the wire contained the SNAP code value "0x2000".
Wireshark is able to capture these frames without issues.
Scapy version
- 2.5.0
- 2.6.0rc1
- 2.6.0rc1.dev31
Python version
- 3.12.4
- 3.11.6
- 3.10.11
Operating system
Windows 10
Additional environment information
From Wireshark.About:
Running on 64-bit Windows 10 (22H2), build 19045, with 12th Gen Intel(R) Core(TM) i5-1245U (with SSE4.2), with 16060 MB of physical memory, with GLib 2.78.0, with Qt 6.5.3, with Npcap version 1.71, based on libpcap version 1.10.2-PRE-GIT, with PCRE2 10.42 2022-12-11, with c-ares 1.19.0, with GnuTLS 3.8.3, with Gcrypt 1.10.2-unknown, with nghttp2 1.57.0, with nghttp3 1.0.0, with brotli 1.0.9, with LZ4 1.9.3, with Zstandard 1.5.2, without AirPcap, with light display mode, without HiDPI, with QPA plugin "windows", with LC_TYPE=German_Germany.utf8, binary plugins supported.
How to reproduce
- any Cisco-Catalyst-Switch with default-configuration
- copper 1000Base-T cabling
- standard Laptop/NIC
Actual result
Wrong data captured:
- beginning at the SNAP code, the data is wrong
- with every Python and Scapy combination I tried, it always starts with the wrong SNAP code "0x0111"
Non-CDP data looks normal, for example:
- Spanning Tree Protocol
- UDP
- ARP
>>> p=sniff(iface="LAN", count=1, timeout=60)
>>> p[0]
<Dot3 dst=01:80:c2:00:00:00 src=e0:cb:bc:3b:ad:80 len=39 |<LLC dsap=0x42 ssap=0x42 ctrl=3 |<STP proto=0 version=2 bpdutype=2 bpduflags=60 rootid=32768 rootmac=e0:cb:bc:3b:ad:7b pathcost=0 bridgeid=32768 bridgemac=e0:cb:bc:3b:ad:7b portid=32773 age=0.0 maxage=20.0 hellotime=2.0 fwddelay=15.0 |<Raw load=b'\x00' |<Padding load=b'\x00\x00\x00\x00\x00\x00\x00' |>>>>>
>>> p=sniff(iface="LAN", count=1, timeout=60)
>>> p[0]
<Ether dst=33:33:00:00:00:fb src=00:50:56:b8:79:c4 type=IPv6 |<IPv6 version=6 tc=0 fl=386727 plen=70 nh=UDP hlim=255 src=fe80::250:56ff:feb8:79c4 dst=ff02::fb |<UDP sport=5353 dport=5353 len=70 chksum=0x8a7f |<DNS id=0 qr=0 opcode=QUERY aa=0 tc=0 rd=0 ra=0 z=0 ad=0 cd=0 rcode=ok qdcount=2 ancount=0 nscount=0 arcount=0 qd=[<DNSQR qname=b'Canon MX920 series._printer._tcp.local.' qtype=SRV unicastresponse=0 qclass=IN |>, <DNSQR qname=b'Canon MX920 series._printer._tcp.local.' qtype=TXT unicastresponse=0 qclass=IN |>] |>>>>
>>> p=sniff(iface="LAN", count=1, timeout=60)
>>> p[0]
<Ether dst=ff:ff:ff:ff:ff:ff src=30:5a:3a:12:43:a6 type=ARP |<ARP hwtype=Ethernet (10Mb) ptype=IPv4 hwlen=6 plen=4 op=who-has hwsrc=30:5a:3a:12:43:a6 psrc=192.168.12.12 hwdst=00:00:00:00:00:00 pdst=192.168.12.222 |<Padding load=b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' |>>>
Expected result
data captured as on the wire
Related resources
the original Wireshark PCAP: wireshark_cdp-capture_pcap.zip
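Added example, not part of the report and not Scapy code: a small pure-Python dissector that locates the SNAP code at frame bytes 21-22 (14-byte 802.3 header + 3-byte LLC + 3-byte OUI), checks the fields a CDP frame must carry, and walks the CDP TLV chain. It rebuilds the faulty frame from the fields Scapy printed in the report (the 62-byte length matches the shown Raw load), so the check can be run offline against it. The "good" comparison frame is constructed for illustration: its TTL of 180 and zero checksum are assumptions, and the CDP checksum is not verified here.

```python
import struct
from typing import Any, Dict, List, Tuple

# Wire constants for CDP carried over 802.3 / LLC / SNAP.
CDP_MULTICAST = "01:00:0c:cc:cc:cc"
CISCO_OUI = b"\x00\x00\x0c"
CDP_SNAP_CODE = 0x2000
SNAP_CODE_OFFSET = 14 + 3 + 3   # 802.3 header + LLC + OUI: the SNAP code is bytes 21-22


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dot3_snap(frame: bytes) -> Dict[str, Any]:
    """Split an 802.3 frame into its 802.3 / LLC / SNAP fields and the SNAP payload."""
    if len(frame) < SNAP_CODE_OFFSET + 2:
        raise ValueError("frame too short for 802.3 + LLC + SNAP")
    dst, src, length = struct.unpack("!6s6sH", frame[:14])
    if length > 1500:   # 0x0600 and above are EtherTypes, i.e. Ethernet II, not 802.3
        raise ValueError("EtherType instead of an 802.3 length field")
    dsap, ssap, ctrl = struct.unpack("!BBB", frame[14:17])
    oui = frame[17:20]
    (code,) = struct.unpack("!H", frame[SNAP_CODE_OFFSET:SNAP_CODE_OFFSET + 2])
    return {
        "dst": mac_str(dst), "src": mac_str(src), "len": length,
        "dsap": dsap, "ssap": ssap, "ctrl": ctrl, "oui": oui, "snap_code": code,
        # the 802.3 length covers LLC (3) + SNAP (5) + payload; bytes beyond it are padding
        "payload": frame[SNAP_CODE_OFFSET + 2:14 + length],
    }


def parse_cdp_tlvs(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk CDP TLVs (2-byte type, 2-byte length that includes the 4-byte header, value).
    Raises ValueError unless the length fields chain exactly to the end of body."""
    tlvs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError(f"truncated TLV header at offset {pos}")
        ttype, tlen = struct.unpack("!HH", body[pos:pos + 4])
        if tlen < 4 or pos + tlen > len(body):
            raise ValueError(f"bad TLV length {tlen} at offset {pos}")
        tlvs.append((ttype, body[pos + 4:pos + tlen]))
        pos += tlen
    return tlvs


def check_cdp_frame(frame: bytes) -> List[str]:
    """Return the list of problems found; an empty list means the frame is well-formed CDP."""
    f = parse_dot3_snap(frame)
    problems = []
    if f["dst"] != CDP_MULTICAST:
        problems.append(f"dst {f['dst']} is not the CDP multicast address")
    if (f["dsap"], f["ssap"], f["ctrl"]) != (0xAA, 0xAA, 0x03):
        problems.append("LLC header is not AA-AA-03 (SNAP)")
    if f["oui"] != CISCO_OUI:
        problems.append(f"SNAP OUI {f['oui'].hex()} is not Cisco (00000c)")
    if f["snap_code"] != CDP_SNAP_CODE:
        problems.append(f"SNAP code 0x{f['snap_code']:04x}, expected 0x{CDP_SNAP_CODE:04x}")
    payload = f["payload"]
    if len(payload) < 4:
        problems.append("CDP payload shorter than the version/TTL/checksum header")
        return problems
    version = payload[0]            # byte after the SNAP code: CDP version, then TTL, checksum
    if version not in (1, 2):
        problems.append(f"CDP version byte 0x{version:02x}, expected 0x01 or 0x02")
    try:
        parse_cdp_tlvs(payload[4:])
    except ValueError as exc:
        problems.append(f"TLV chain broken: {exc}")
    return problems


def build_frame(dst: str, src: str, snap_code: int, cdp_body: bytes) -> bytes:
    """Assemble an 802.3 / LLC / SNAP frame around a CDP body (constructed test input)."""
    llc_snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", snap_code)
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return hdr + struct.pack("!H", len(llc_snap) + len(cdp_body)) + llc_snap + cdp_body


# The SNAP payload exactly as Scapy printed it in the report (the Raw load), split
# along the TLV boundaries it implies; the first 4 bytes should be version/TTL/checksum.
REPORTED_PAYLOAD = (
    b"!\x01\xa8\xcc"                                 # 0x21 0x01 0xa8 0xcc: no valid version byte
    + b"\x00\x01\x00\x10" + b"E0CBBC3BAD7B"          # type 1, length 16
    + b"\x00\x02\x00\x05" + b"5"                     # type 2, length 5
    + b"\x00\x03\x00\x08" + b"\x00\x00\x00\x00"      # type 3, length 8
    + b"\x00\x04\x00\x05" + b"\x07"                  # type 4, length 5
    + b"\x00\x06\x00\x10" + b"E0CBBC3BAD7B"          # type 6, length 16
)
FAULTY_FRAME = build_frame("01:00:0c:cc:cc:cc", "e0:cb:bc:3b:ad:80", 0x0111, REPORTED_PAYLOAD)

# Constructed comparison frame: CDP v2, TTL 180 and a zero checksum are assumptions.
GOOD_PAYLOAD = b"\x02\xb4\x00\x00" + b"\x00\x01\x00\x10" + b"E0CBBC3BAD7B"
GOOD_FRAME = build_frame("01:00:0c:cc:cc:cc", "e0:cb:bc:3b:ad:80", CDP_SNAP_CODE, GOOD_PAYLOAD)

if __name__ == "__main__":
    for name, frame in (("reported", FAULTY_FRAME), ("constructed good", GOOD_FRAME)):
        print(name, "SNAP code 0x%04x" % parse_dot3_snap(frame)["snap_code"],
              check_cdp_frame(frame) or "ok")
```

Feeding `bytes(pkt)` of a sniffed packet into `check_cdp_frame` gives a quick, Scapy-independent verdict on whether the SNAP code and CDP version byte are what the wire should carry. On the reported bytes the TLV chain still walks cleanly (types 1, 2, 3, 4, 6 sum to exactly the payload length), so the damage is confined to the bytes from the SNAP code up to the first TLV, which is consistent with the "beginning at the 21st byte" observation.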