This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

LLC/CDP flood

0

Hi,

I am seeing on my network a flood of LLC packets all seeming to come from the same MAC address (which is a mitel phone about 4 switches away from the capturing PC).

Even stranger it is now unpluged and I am still seeing the traffic!!

So I need some help in picking apart the wireshark log and tracking down where this data is coming from.

23535   58.942635000    172.16.225.136  CDP/VTP/DTP/PAgP/UDLD   CDP 121 Device ID: SEP08000F4D55BB  Port ID: Port 1

asked 14 Aug '12, 04:23

DevilWAH's gravatar image

DevilWAH
11334
accept rate: 0%


2 Answers:

0

CDP is a Cisco proprietary protocol. They use it to learn about other switches in the network.

http://de.wikipedia.org/wiki/Cisco_Discovery_Protocol

So, these packets are from one of your switches, that has CDP enabled. It's nothing to worry about, as long as it is not really flooding the network with these packets.

You can disable CDP with this command:

no cdp enable

For further information, please check the Cisco site:

http://www.cisco.com/en/US/tech/tk962/technologies_tech_note09186a00801aa000.shtml

BTW:

I am seeing on my network a flood of LLC packets

What is a flood in that case? How many packtes per second/minute do you see?

Regards
Kurt

answered 14 Aug '12, 07:09

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 14 Aug '12, 07:09

0

As CDP packets are multicast packets, they can be forwarded by switches if they do not absorb them. Cisco switches will receive the CDP packets and not forward them. Maybe your L2 network has a loop that is not blocked anywhere with spanning-tree, maybe only for a specific vlan?

The fact that you have a storm of these messages even after you disconnect the source does suggest a loop too.

What kind of switches are you using and what does the topology look like?

answered 14 Aug '12, 10:02

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%