
No discovery protocol packets captured even though other tools work on this host. #29

Open
AlpSantoGlobalMomentumLLC opened this issue Dec 4, 2023 · 16 comments
Comments

@AlpSantoGlobalMomentumLLC

AlpSantoGlobalMomentumLLC commented Dec 4, 2023

Hello,
first of all. THANK YOU for sharing!

For some reason it doesn't work on every server.
I have, for example, 2 Windows Servers with multiple network cards, and it doesn't work on some of them.
Even though other tools are able to read the LLDP info.

image

Any ideas, how we could find out the root cause together?

@lahell
Owner

lahell commented Dec 4, 2023

Please run Get-Module to verify that you are using PSDiscoveryProtocol 1.4.3.

@lahell lahell self-assigned this Dec 4, 2023
@lahell lahell added the question Further information is requested label Dec 4, 2023
@lahell
Owner

lahell commented Dec 7, 2023

@AlpSantoGlobalMomentumLLC, did you find out what version you are on?

@AlpSantoGlobalMomentumLLC
Author

AlpSantoGlobalMomentumLLC commented Dec 7, 2023

Hello,
thank you and sorry. I missed your first answer.

Yes, I am using 1.4.3

image

@lahell
Owner

lahell commented Dec 7, 2023

@AlpSantoGlobalMomentumLLC
```powershell
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceType -eq 6 }
```
Is the interface you want to capture listed when you run this code?

@AlpSantoGlobalMomentumLLC
Author

Yes.
image

@lahell
Owner

lahell commented Dec 7, 2023

@AlpSantoGlobalMomentumLLC
Try to run Invoke-DiscoveryProtocolCapture -NoCleanup -Verbose. You should get a line like VERBOSE: ETLFilePath: C:\Users\username\AppData\Local\Temp\tmpAB12.etl. Download etl2pcapng, use it to convert the etl to pcapng and open the pcapng in Wireshark. Do you see any CDP or LLDP packets in there?

@AlpSantoGlobalMomentumLLC
Author

AlpSantoGlobalMomentumLLC commented Dec 7, 2023

THANK YOU! It looks like yes... image

@lahell
Owner

lahell commented Dec 7, 2023

What you see in Wireshark are DTP frames, not CDP or LLDP. Don't know why the other tool is able to capture the LLDP frames. Are you able to capture LLDP with Wireshark?

@lahell
Owner

lahell commented Dec 7, 2023

@AlpSantoGlobalMomentumLLC
Please test capturing using the code below.

```powershell
# Create a capture session writing to an ETL file
New-NetEventSession -Name LLDPTest -LocalFilePath C:\Windows\Temp\lldp_test.etl
# Capture whole frames sent to the LLDP/CDP multicast destination addresses
Add-NetEventPacketCaptureProvider -SessionName LLDPTest -TruncationLength 0 -LinkLayerAddress '01-80-c2-00-00-0e', '01-80-c2-00-00-03', '01-80-c2-00-00-00'

# Attach every physical (InterfaceType 6 = Ethernet) adapter that is up, in promiscuous mode
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceType -eq 6 } | ForEach-Object {
    Add-NetEventNetworkAdapter -Name $_.Name -PromiscuousMode $True
}

# Capture for just over the default 30 s LLDP advertisement interval, then tear down
Start-NetEventSession -Name LLDPTest
Start-Sleep -Seconds 31
Stop-NetEventSession -Name LLDPTest
Remove-NetEventSession -Name LLDPTest
```

You can also try to use -EtherType 0x88cc instead of -LinkLayerAddress '01-80-c2-00-00-0e', '01-80-c2-00-00-03', '01-80-c2-00-00-00'.

Convert lldp_test.etl to pcapng and open in Wireshark. Still no LLDP?

@AlpSantoGlobalMomentumLLC
Author

AlpSantoGlobalMomentumLLC commented Dec 7, 2023

Wireshark is not really an option.

-LinkLayerAddress
image

-EtherType 0x88cc
image

image

@lahell
Owner

lahell commented Dec 7, 2023

@AlpSantoGlobalMomentumLLC
You did perform those last captures in an elevated PowerShell window, right?

@AlpSantoGlobalMomentumLLC
Author

yes

image

@lahell
Owner

lahell commented Dec 7, 2023

@AlpSantoGlobalMomentumLLC
Maybe if we try to only capture on a single NIC:

```powershell
New-NetEventSession -Name LLDPTest -LocalFilePath C:\Windows\Temp\lldp_test.etl
# Filter on the LLDP EtherType instead of destination MAC addresses
Add-NetEventPacketCaptureProvider -SessionName LLDPTest -TruncationLength 0 -EtherType 0x88cc
# Attach only the one NIC under test
Add-NetEventNetworkAdapter -Name 'EmbeddedFlexibleLOM1Port4' -PromiscuousMode $True
Start-NetEventSession -Name LLDPTest
Start-Sleep -Seconds 62
Stop-NetEventSession -Name LLDPTest
Remove-NetEventSession -Name LLDPTest
```
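The single-NIC capture above, as an added example that is not part of the thread or of PSDiscoveryProtocol: it wraps the same NetEventSession cmdlets in a script that first removes a stale session of the same name (a leftover session from an aborted run makes New-NetEventSession fail), always tears the session down in a finally block, counts the packet events in the ETL with Get-WinEvent so you can tell whether anything was captured without opening Wireshark, and only then runs etl2pcapng. The adapter name, the etl2pcapng path, and the provider name used for counting are assumptions; run it from an elevated PowerShell window.

```powershell
# Added example (not PSDiscoveryProtocol code): single-NIC LLDP capture with
# cleanup, an in-ETL packet count, and optional conversion to pcapng.
# Assumptions: elevated session; adapter name, etl2pcapng path and the
# ETW provider name below are placeholders/assumptions.
#Requires -RunAsAdministrator

param(
    [string]$AdapterName = 'Ethernet',                 # placeholder: NIC to capture on
    [string]$Etl2Pcapng  = 'C:\Tools\etl2pcapng.exe',  # placeholder: path to etl2pcapng
    [int]$Seconds        = 62                          # > 2x the default 30 s LLDP interval
)

$session = 'LLDPTest'
$etl     = Join-Path $env:TEMP ("lldp_{0}.etl" -f ($AdapterName -replace '[^\w]', '_'))

# A session left behind by an earlier aborted run makes New-NetEventSession fail.
if (Get-NetEventSession -Name $session -ErrorAction SilentlyContinue) {
    Remove-NetEventSession -Name $session
}

try {
    New-NetEventSession -Name $session -LocalFilePath $etl | Out-Null
    # EtherType 0x88CC selects LLDP; -TruncationLength 0 keeps whole frames.
    Add-NetEventPacketCaptureProvider -SessionName $session -TruncationLength 0 -EtherType 0x88cc | Out-Null
    Add-NetEventNetworkAdapter -Name $AdapterName -PromiscuousMode $true | Out-Null

    Start-NetEventSession -Name $session
    Start-Sleep -Seconds $Seconds
}
finally {
    # Stop and remove the session even if a cmdlet above threw.
    $s = Get-NetEventSession -Name $session -ErrorAction SilentlyContinue
    if ($s -and $s.SessionStatus -eq 'Running') {
        Stop-NetEventSession -Name $session
    }
    Remove-NetEventSession -Name $session -ErrorAction SilentlyContinue
}

# Count packet events in the ETL without Wireshark. Assumption: the packet
# capture provider logs under the Microsoft-Windows-NDIS-PacketCapture name.
$packets = @(Get-WinEvent -Path $etl -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-NDIS-PacketCapture' })
"{0}: {1} packet event(s) captured on {2}" -f $etl, $packets.Count, $AdapterName

if ($packets.Count -eq 0) {
    'No LLDP frames captured by NetEventSession; compare a netsh trace or pktmon capture on the same adapter.'
}
elseif (Test-Path $Etl2Pcapng) {
    $pcapng = [IO.Path]::ChangeExtension($etl, 'pcapng')
    & $Etl2Pcapng $etl $pcapng
    "Converted to $pcapng; open it in Wireshark and apply the display filter 'lldp'."
}
```

Save it as a .ps1 and call it with -AdapterName set to the name shown by Get-NetAdapter for the port under test; a zero count from a NIC that other tools see LLDP on is the symptom discussed in this issue, and the ETL is left in %TEMP% for comparison with the netsh or pktmon capture.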

@AlpSantoGlobalMomentumLLC
Author

I tested some things ... but more or less the same result. Strange!

image

image

@lahell
Owner

lahell commented Dec 8, 2023

@AlpSantoGlobalMomentumLLC
You can try to capture CDP/LLDP using netsh trace or pktmon, but if NetEventSession is unable to capture I suspect the other builtin Windows tools will also fail.

In PSDiscoveryProtocol I use the NetEventSession cmdlets that are built into Windows. I'm afraid there is nothing else I can do to help. If you need to be able to capture LLDP using NetEventSession cmdlets you will have to ask Microsoft for help. Maybe they can explain why tcpdump is able to capture while the builtin tools fail.

@AlpSantoGlobalMomentumLLC
Author

Mmmm ... netsh did a capture

image
