First, use the command below to capture CDP packets:
tcpdump -evvvnni eth-s1p3c0 -s 1500 'ether[20:2] == 0x2000'
If everything goes well, the result will look something like this (you will have to wait a little):
tcpdump: listening on eth-s1p3c0, link-type EN10MB (Ethernet), capture size 1500 bytes
17:54:33.159616 I 00:04:4d:be:ef:43 > 01:00:0c:cc:cc:cc, 802.3, length 417: LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03: oui CISCO SYSTEMS, INC. (0x00000c), pid CDP (0x2000): CDPv2, ttl: 180s, checksum: 692 (unverified), length 395
Device-ID (0x01), length: 21 bytes: 'Switch1'
Address (0x02), length: 13 bytes: IPv4 (1) 192.168.0.1
Port-ID (0x03), length: 15 bytes: 'FastEthernet0/1'
Capability (0x04), length: 4 bytes: (0x0000000a): Transparent Bridge, L2 Switch
Version String (0x05), length: 222 bytes:
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC13, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Tue 20-Sep-05 10:05 by antonino
Platform (0x06), length: 17 bytes: 'cisco WS-C3524-XL'
Protocol-Hello option (0x08), length: 32 bytes:
VTP Management Domain (0x09), length: 7 bytes: 'MDL2050'
Native VLAN ID (0x0a), length: 2 bytes: 1
Duplex (0x0b), length: 1 byte: full
Management Addresses (0x16), length: 13 bytes: IPv4 (1) 192.168.0.1
Alternatively, you can match on Cisco's CDP layer 2 multicast address:
tcpdump -enni eth0 | grep 01:00:0c:cc:cc:cc
output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth-s1p3c0, link-type EN10MB (Ethernet), capture size 96 bytes
18:02:33.342744 I 00:04:4d:be:ef:43 > 01:00:0c:cc:cc:cc, 802.3, length 417: LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03: oui CISCO SYSTEMS, INC. (0x00000c), pid CDP (0x2000): CDPv2, ttl: 180s, Device-ID 'Switch1'[|cdp]
https://sites.google.com/site/jimmyxu101/testing/use-tcpdump-to-monitor-http-traffic
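To show what the filter 'ether[20:2] == 0x2000' matches and why the 96-byte capture above ends in [|cdp], here is an added example (not part of the original note) that parses a CDP frame offline. The frame is constructed inline from values in the decode above; the function names and the TLV_NAMES table are assumptions of this example.

```python
import struct

# TLV type codes as named in the tcpdump decode above
TLV_NAMES = {0x01: "Device-ID", 0x03: "Port-ID", 0x05: "Version String",
             0x06: "Platform", 0x09: "VTP Management Domain", 0x0a: "Native VLAN ID"}

def build_frame(tlvs, ttl=180):
    """Build a constructed 802.3/LLC/SNAP CDPv2 frame (checksum left at 0)."""
    body = bytes([2, ttl]) + b"\x00\x00"            # version, ttl, checksum
    for tlv_type, value in tlvs:
        # the TLV length field covers its own 4-byte type/length header
        body += struct.pack("!HH", tlv_type, len(value) + 4) + value
    payload = bytes.fromhex("aaaa03" "00000c" "2000") + body  # LLC, OUI, PID
    dst = bytes.fromhex("01000ccccccc")             # CDP multicast address
    src = bytes.fromhex("00044dbeef43")
    return dst + src + struct.pack("!H", len(payload)) + payload

def is_cdp(frame):
    """Same test as the capture filter: 14 (MAC) + 3 (LLC) + 3 (OUI) = offset 20."""
    return len(frame) >= 22 and struct.unpack_from("!H", frame, 20)[0] == 0x2000

def parse_cdp(frame):
    """Return (version, ttl, fields), or None if the frame is not CDP."""
    if not is_cdp(frame) or len(frame) < 26:
        return None
    version, ttl = frame[22], frame[23]
    fields, off = {}, 26                            # TLVs start after the checksum
    while off + 4 <= len(frame):
        tlv_type, length = struct.unpack_from("!HH", frame, off)
        if length < 4 or off + length > len(frame):
            break                                   # TLV cut off by a short snaplen
        value = frame[off + 4:off + length]
        name = TLV_NAMES.get(tlv_type, "0x%02x" % tlv_type)
        if tlv_type == 0x0a:
            fields[name] = int.from_bytes(value, "big")
        else:
            fields[name] = value.decode("ascii", "replace")
        off += length
    return version, ttl, fields

# Constructed sample frame, using values from the decode shown above
SAMPLE = build_frame([(0x01, b"Switch1"), (0x03, b"FastEthernet0/1"),
                      (0x06, b"cisco WS-C3524-XL"), (0x0a, b"\x00\x01")])

if __name__ == "__main__":
    print(parse_cdp(SAMPLE))        # full frame, as with -s 1500
    print(parse_cdp(SAMPLE[:60]))   # truncated frame: later TLVs are lost
```

Truncating the sample frame loses the Platform and Native VLAN ID fields, which is the same effect as the default 96-byte snaplen in the second capture and the reason the first command sets -s 1500.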