Cisco devices run a great protocol called CDP – Cisco Discovery Protocol. CDP is a Layer 2 protocol – router’s won’t pass it and therefore you’ll only be able to work with devices within your current broadcast domain. CDP runs on most Cisco devices by default, although can be disabled for security. Linux doesn’t support CDP by default, so you’ll need to grab cdp-tools from Untar cdp-tools.tar.gz and then build with ‘make’. If you get compile errors, you’re probably missing build-essential or libnet0-dev, both of which are required packages. CDP tools offer you two types of functionality.

Passive Listener

CDP tools can passively listen for CDP broadcasts sent to the broadcast MAC address 01-00-0c-cc-cc-cc

Run ./cdp-listen eth0 where eth0 is the interface you wish to listen on (duh)

./cdp-listen eth0

Shortly after, your connected Cisco device should appear:

# Interface: 	eth0
# Hostname: 	cisco-test
# Address:
# TimeToLive: 	180
# Capabilities: 	L2SW(switch) IGRP
# Networks: 	 

Configured networks on the device will appear, as do it’s IP and capabilities. Instead of cdp-listen, Wireshark also parses CDP packets. What more could you ask for from passive enumeration?


cdp-send on the other hand is capable of forging CDP packets in order to send to Cisco devices. Just run ./cdp-send with no parameters for the options.

./cdp-send eth0 -n "my-cisco" -m 12345 -p "Fas 0/0" -c l3r 

In production, it is usually recommended to DISABLE CDP on your Cisco devices unless strictly required. CDP discloses network information and increases network traffic. CDP is great for debugging and management.