Wireshark

Capture Filters

Network discovery protocols

An easy way to view discovery protocol traffic from a laptop is by using Wireshark and the capture filters below for CDP, LLDP and MNDP. Use the appropriate capture filter for the type of device you're trying to gather information about, or use all three of them in the same capture filter.

CDP

Cisco Discovery Protocol

ether host 01:00:0c:cc:cc:cc and ether[16:4] = 0x0300000C and ether[20:2] == 0x2000

LLDP

Link Layer Discovery Protocol

ether proto 0x88cc

MNDP

Mikrotik Discovery Protocol

udp dst port 5678 and udp src port 5678

CDP/LLDP/MNDP

All three of the above capture filters in one:

(ether host 01:00:0c:cc:cc:cc and ether[16:4] = 0x0300000C and ether[20:2] == 0x2000) or (ether proto 0x88cc) or (udp dst port 5678 and udp src port 5678)

Capturing on an interval in Linux

The command below will capture all traffic to/from 8.8.8.8. A new capture file will be created every 600 seconds (10 minutes).

dumpcap -b duration:600 -f "host 8.8.8.8" -w capture-google