Find Out Which Switch Port Is Connected to a Server Using tcpdump


In corporate environments, you sometimes need to find out which network switch and switch port a given NIC of a server is connected to. In these scenarios, you can use the "tcpdump" command in your Linux/UNIX shell to identify the network switch and the switch port connected to a NIC.


Note: The server should have tcpdump installed to use this.


Here is the syntax of the command:
tcpdump -nn -v -i <NIC_INTERFACE> -s 1500 -c 1 'ether[20:2] == 0x2000'

Example:


testsrv1:~ # tcpdump -nn -v -i eth3 -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 1500 bytes
03:25:22.146564 CDPv2, ttl: 180s, checksum: 692 (unverified), length 370
   Device-ID (0x01), length: 11 bytes: 'ch-bx48-sw13' 
   Address (0x02), length: 13 bytes: IPv4 (1) 192.168.1.15
   Port-ID (0x03), length: 15 bytes: 'FastEthernet0/7' 
   Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
   Version String (0x05), length: 220 bytes:
   Cisco Internetwork Operating System Software
   IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
   Copyright (c) 1986-2003 by cisco Systems, Inc.
   Compiled Tue 02-Sep-03 03:33 by antonino
   Platform (0x06), length: 18 bytes: 'cisco WS-C2950T-24'
   Protocol-Hello option (0x08), length: 32 bytes:
   VTP Management Domain (0x09), length: 6 bytes: 'ecomrd'
   Duplex (0x0b), length: 1 byte: full
   AVVID trust bitmap (0x12), length: 1 byte: 0x00
   AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
1 packets captured
2 packets received by filter
0 packets dropped by kernel
testsrv1:~ #
In the above example, the network switch name is the Device-ID value ('ch-bx48-sw13') and the connected port is the Port-ID value ('FastEthernet0/7'). Hope this will be helpful :)
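
The capture above wrapped in a small helper, as an added example that is not part of the original post: `parse_cdp` pulls the Device-ID and Port-ID values out of `tcpdump -v` output, and `map_all` repeats the capture on every physical NIC. The function names, the 70-second wait and the use of `timeout` are assumptions of this example; the filter matches because bytes 20-21 of a CDP frame hold the SNAP protocol ID 0x2000.

```shell
#!/bin/sh
# Added example: extract switch name and port from `tcpdump -v` CDP output.

# parse_cdp: read tcpdump -v output on stdin, print "<switch> <port>".
# Returns non-zero when either field is missing (no CDP frame was decoded).
parse_cdp() {
    awk -F"'" '
        /Device-ID \(0x01\)/ && dev == ""  { dev = $2 }
        /Port-ID \(0x03\)/   && port == "" { port = $2 }
        END {
            if (dev == "" || port == "") exit 1
            print dev, port
        }'
}

# cdp_neighbor IFACE [WAIT]: capture one CDP frame on IFACE (needs root).
# Cisco switches send CDP every 60 seconds by default, so WAIT defaults to 70;
# `timeout` (coreutils) stops tcpdump if the switch never sends a frame.
cdp_neighbor() {
    iface=$1
    wait=${2:-70}
    timeout "$wait" tcpdump -nn -v -i "$iface" -s 1500 -c 1 \
        'ether[20:2] == 0x2000' 2>/dev/null | parse_cdp
}

# Sample trimmed from the article's own capture, to exercise the parser offline.
sample_output() {
    cat <<'EOF'
03:25:22.146564 CDPv2, ttl: 180s, checksum: 692 (unverified), length 370
   Device-ID (0x01), length: 11 bytes: 'ch-bx48-sw13'
   Address (0x02), length: 13 bytes: IPv4 (1) 192.168.1.15
   Port-ID (0x03), length: 15 bytes: 'FastEthernet0/7'
   Platform (0x06), length: 18 bytes: 'cisco WS-C2950T-24'
EOF
}

# map_all: report the CDP neighbor of every NIC that has a hardware device
# link under /sys/class/net (virtual interfaces such as lo have none).
map_all() {
    for path in /sys/class/net/*; do
        nic=${path##*/}
        [ -e "$path/device" ] || continue
        printf '%s: %s\n' "$nic" \
            "$(cdp_neighbor "$nic" || echo 'no CDP frame seen')"
    done
}
```

Source the file and run `map_all` as root; `sample_output | parse_cdp` checks the parser without touching the network.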

15 comments

Anonymous
January 5, 2012 at 11:45 AM

tcpdump -i bond0 -c1 -s0 -XX ether host 01:00:0c:cc:cc:cc and greater 60
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:20:36.771091 CDPv2, ttl: 180s, Device-ID 'DCA101S5B-Shared', length 388

January 5, 2012 at 11:48 AM

Hello, you cannot use this with a bonding interface, since it is a combination of two physical NICs. Try using it with eth*

June 5, 2012 at 8:57 PM

You can use it even with bonding interfaces, it seems

[root@elcgepulmx02 ~]# tcpdump -nn -v -i bond0 -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 1500 bytes
17:21:09.193551 CDPv2, ttl: 180s, checksum: 692 (unverified), length 392
Device-ID (0x01), length: 23 bytes: 'edggep10swt011.elsag.it'
Version String (0x05), length: 190 bytes:
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 07:33 by sasyamal
Platform (0x06), length: 20 bytes: 'cisco WS-C3750E-24TD'
Address (0x02), length: 13 bytes: IPv4 (1) 151.89.39.61
Port-ID (0x03), length: 20 bytes: 'GigabitEthernet4/0/6'
Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
Protocol-Hello option (0x08), length: 32 bytes:
VTP Management Domain (0x09), length: 0 byte: ''

June 5, 2012 at 8:59 PM

It seems that it is possible to obtain the desired information even if there are bonding interfaces...

[root@elcgepulmx02 ~]# tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes

0 packets captured
1 packets received by filter
0 packets dropped by kernel
[root@elcgepulmx02 ~]# tcpdump -nn -v -i bond0 -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 1500 bytes
17:21:09.193551 CDPv2, ttl: 180s, checksum: 692 (unverified), length 392
Device-ID (0x01), length: 23 bytes: 'edggep10swt011.elsag.it'
Version String (0x05), length: 190 bytes:
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 07:33 by sasyamal
Platform (0x06), length: 20 bytes: 'cisco WS-C3750E-24TD'
Address (0x02), length: 13 bytes: IPv4 (1) 151.89.39.61
Port-ID (0x03), length: 20 bytes: 'GigabitEthernet4/0/6'
Capability (0x04), length: 4 bytes: (0x00000028): L2 Switch, IGMP snooping
Protocol-Hello option (0x08), length: 32 bytes:
VTP Management Domain (0x09), length: 0 byte: ''
1 packets captured
1 packets received by filter
0 packets dropped by kernel
[root@elcgepulmx02 ~]#

June 6, 2012 at 7:32 PM

@Leoni di Marmo Touch Rugby,

Thanks for the info. Stay connected

Anonymous
June 26, 2012 at 10:11 AM

Hi there,
I work in a Linux environment and am surprised it didn't work from my desktop.
Any reason why?

June 26, 2012 at 4:35 PM

It may be that your switch does not support CDP or discovery protocols, I believe.

Anonymous
August 1, 2013 at 2:34 PM

Hi there,
How can we find the same thing (switch port connected) from the OS in HP-UX without using tcpdump? Thanks in advance.

Anonymous
April 20, 2016 at 8:18 PM

It doesn't work on Foundry switch. Please advise.

Anonymous
July 9, 2016 at 6:31 AM

superb..thank you

Anonymous
November 19, 2016 at 1:21 PM

@Prathiban: Hope we can get this switch name & port details while the ethernet (e.g. eth0) link is up. But any idea how to get the details from the OS itself while the ethernet link is down? Are old logs available anywhere, or is there any other method using any commands?

Anonymous
November 22, 2017 at 5:50 PM

You can't.. Get the other servers in the rack, connected to the same switch and get the switch, port, etc., info!

Joe
April 1, 2018 at 10:21 PM

Check the switch's MAC address table and match the MAC addresses to the hosts that are connected to them. It's also a good habit to label the switch ports in the config.

Anonymous
July 4, 2018 at 1:00 PM

Hey, This command syntax is not working for RHEL7. Is there any parameter we need to change?

Anonymous
August 22, 2019 at 6:39 PM

... or use lldptool
