Capture LLDP packets using tcpdump

Question

What is the format to capture LLDP packets on an interface using tcpdump?

I tried the following format but it dint work:

tcpdump -w test.pcap -i eth0 lldp -vv

score 42 · Accepted Answer · edited Dec 04 '19 at 06:59

42

tcpdump -w test.pcap -i eth0 ether proto 0x88cc

The Ethernet type for LLDP is 0x88cc, so the filter to see only LLDP packets is ether proto 0x88cc.

-v is useful when used with -w to print a short count of packets matched, like this: Got 11.

-w means "write the raw packets to the file, and don't print anything"; -v means "print verbosely", so ostensibly the arguments don't make sense together but with -w, the -v option provides some utility.

edited Dec 04 '19 at 06:59

Mike S

1,235
12
19

answered Aug 07 '13 at 07:02

12

To be fair, `-v` is quite useful in combination with `-w` -- it makes tcpdump print the number of packets captured (there is a line saying `Got #` which keeps updating). Without `-v` you only know how many packets were captured at the end of the capture. Until then you are completely blind. – chutz Aug 11 '15 at 06:04
1

This was helpful to me for excluding LLDP traffic with tcpdump. Thanks! – m0j0 Jun 07 '17 at 06:55
the needed magic in my case was `ether proto 0x88cc` or rather `not ether proto 0x88cc` – NiKiZe Sep 24 '21 at 18:17

Capture LLDP packets using tcpdump

1 Answers1