Only the switch IP found

[jnmills]

LDWIN 2.1; AutoIT 3.3.14.2

I have a Netgear Prosafe GS 108T and i tried ldwin with it.

It only returned the switch IP address - no MAC or Port id

I changed the code to make a copy of the data out of tcpdump, and it is as follows (the line numbers at the start are mine, not in the file)

0 12:21:24.443497 LLDP, length 46
1 Chassis ID TLV (1), length 7
2 Subtype MAC address (4): 2c:b0:5d:a1:ac:fd
3 Port ID TLV (2), length 3
4 Subtype Local (7): g1
5 Time to Live TLV (3), length 2: TTL 120s
6 Management Address TLV (8), length 20
7 Management Address length 5, AFI IPv4 (1): 192.168.1.253
8 Interface Index Interface Numbering (2): 13
9 OID length 8broadcom
10 End TLV (0), length 0

Also worth noting ...

AutoIt refused to run the file from github: I had to comment out the include of GUIHyperlink.au3 to get it working.

Norton Security removed the LDWin.exe file, saying it was a known threat. If you rename LDwin.exe to something else it runs (although it complains about it being potentially abusing, but does label it low risk)

[tenox7]

"I changed the code". Is LDWin source code available anywhere?

[jnmills]

https://github.com/chall32/LDWin ?

From: Antoni Sawicki [mailto:notifications@github.com]
Sent: 25 September 2015 21:11
To: chall32/LDWin LDWin@noreply.github.com
Cc: jnmills jonathan.n.mills@gmail.com
Subject: Re: [LDWin] Only the switch IP found (#6)

"I changed the code". Is LDWin source code available anywhere?

—
Reply to this email directly or view it on GitHub #6 (comment) .

[tenox7]

oh wait... this is in autoit... I was looking for .c files ;)

[chall32]

OK, so looks like 2 issues here:

1. AV wrongly picking LDWin.exe up as a false positive; indeed it looks like 3 out of 43 vendors are wrongly identifying LDWin as malicious: https://www.metascan-online.com/#!/results/file/1dadd140ccbb4ca4870075131ea7166c/regular
   I'll follow this up.
2. Only switch IP returned. Looking at the LLDP RFC (http://standards.ieee.org/getieee802/download/802.1AB-2009.pdf):
   
   port id and chassis id are listed as mandatory TLV's so should be the same across all devices.... Would it be possible to let me have a (sanitised if you prefer) tcpdump output as discussed here: https://github.com/chall32/LDWin/wiki/What-To-Do-If-LDWin-Captures-No-Data
   To return port ID into the GUI, LDWin is looking for the text "Port Description TLV (4)" in the output of tcpdump. I'm wondering if there is some difference in the return from the Netgear switch which is causing LDWin not to pick up the correct info...

Thanks

Chris

[jnmills]

Chris

That was the (text) output from the tcpdump command – are you actually looking for the binary dump? I can capture that with wireshark

I am just about to go out: I will return this in a few hours I expect

Jonathan

From: Chris Hall [mailto:notifications@github.com]
Sent: 26 September 2015 11:11
To: chall32/LDWin LDWin@noreply.github.com
Cc: jnmills jonathan.n.mills@gmail.com
Subject: Re: [LDWin] Only the switch IP found (#6)

OK, so looks like 2 issues here:

1.  AV wrongly picking LDWin.exe up as a false positive; indeed it looks like 3 out of 43 vendors are wrongly identifying LDWin as malicious: https://www.metascan-online.com/#!/results/file/1dadd140ccbb4ca4870075131ea7166c/regular 
   

   I'll follow this up.

2.  Only switch IP returned. Looking at the LLDP RFC (http://standards.ieee.org/getieee802/download/802.1AB-2009.pdf): 
   

   https://cloud.githubusercontent.com/assets/1158765/10116979/6c6f5c48-643e-11e5-8b76-f8d2f476c934.png
   port id and chassis id are listed as mandatory TLV's so should be the same across all devices.... Would it be possible to let me have a (sanitised if you prefer) tcpdump output as discussed here: https://github.com/chall32/LDWin/wiki/What-To-Do-If-LDWin-Captures-No-Data
   To return port ID into the GUI, LDWin is looking for the text "Port Description TLV (4)" in the output of tcpdump. I'm wondering if there is some difference in the return from the Netgear switch which is causing LDWin not to pick up the correct info...

Thanks

Chris

—
Reply to this email directly or view it on GitHub #6 (comment) . https://github.com/notifications/beacon/AHwr-Wek6p-lAi06wSVs9QOW_xA12lIDks5o1ma0gaJpZM4GDxdU.gif

[chall32]

Hey Jonathan,

No problem. The full output from a LLDP packet capture, something like (as found on the internet):

09:15:04.185692 LLDP, length 151
    Chassis ID TLV (1), length 7
      Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
    Port ID TLV (2), length 4
      Subtype Local (7): 185
    Time to Live TLV (3), length 2: TTL 120s
    Port Description TLV (4), length 3: H17
    System Name TLV (5), length 11: Switch_System_Name
    System Description TLV (6), length 90
      HP J4865A ProCurve Switch 4108GL, revision G.07.93, ROM G.05.02
        (/sw/code/build/gamo(m03))
    System Capabilities TLV (7), length 4
      System  Capabilities [Bridge, Router] (0x0014)
      Enabled Capabilities [Bridge] (0x0004)
    Management Address TLV (8), length 12
      Management Address length 5, AFI IPv4 (1): switch_hostname.net
      Interface Index Interface Numbering (2): 0
    End TLV (0), length 0 

Would be good.

Thanks

Chris

[jnmills]

I thought I attached one to the original comment in the Issue: But here it is. The line numbers are my own.

12:21:24.443497 LLDP, length 46

            Chassis ID TLV (1), length 7

              Subtype MAC address (4): 2c:b0:5d:a1:ac:fd

            Port ID TLV (2), length 3

              Subtype Local (7): g1

            Time to Live TLV (3), length 2: TTL 120s

            Management Address TLV (8), length 20

              Management Address length 5, AFI IPv4 (1): 192.168.1.253

              Interface Index Interface Numbering (2): 13

              OID length 8broadcom

            End TLV (0), length 0

It may be that the Netgear ProSafe switch isn’t that compliant with a standard. I have to admin the only thing I really want out of it was the Port ID which tells me where I am connected to (in this case g1)

From: Chris Hall [mailto:notifications@github.com]
Sent: 26 September 2015 11:29
To: chall32/LDWin LDWin@noreply.github.com
Cc: jnmills jonathan.n.mills@gmail.com
Subject: Re: [LDWin] Only the switch IP found (#6)

Hey Jonathan,

No problem. The full output from a LLDP packet capture, something like (as found on the internet):

09:15:04.185692 LLDP, length 151
Chassis ID TLV (1), length 7
Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
Port ID TLV (2), length 4
Subtype Local (7): 185
Time to Live TLV (3), length 2: TTL 120s
Port Description TLV (4), length 3: H17
System Name TLV (5), length 11: Switch_System_Name
System Description TLV (6), length 90
HP J4865A ProCurve Switch 4108GL, revision G.07.93, ROM G.05.02
(/sw/code/build/gamo(m03))
System Capabilities TLV (7), length 4
System Capabilities Bridge, Router
Enabled Capabilities Bridge
Management Address TLV (8), length 12
Management Address length 5, AFI IPv4 (1): switch_hostname.net
Interface Index Interface Numbering (2): 0
End TLV (0), length 0

Would be good.

Thanks

Chris

—
Reply to this email directly or view it on GitHub #6 (comment) . https://github.com/notifications/beacon/AHwr-eei7C5VuQLL1lOs3h3O4z0wPXMFks5o1mr3gaJpZM4GDxdU.gif

[jnmills]

Hi Chris.

Just a quick comment.

I did a bit of reading about LLDP. Afaict the only mandatory fields are port ID, chassis ID and time to live. You don't /have/ to send the textual descriptions?

What about displaying the description if you have it, otherwise the raw I'd?

Jonathan

Sent from my iPad

On 26 Sep 2015, at 11:29, Chris Hall notifications@github.com wrote:

Hey Jonathan,

No problem. The full output from a LLDP packet capture, something like (as found on the internet):

09:15:04.185692 LLDP, length 151
Chassis ID TLV (1), length 7
Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
Port ID TLV (2), length 4
Subtype Local (7): 185
Time to Live TLV (3), length 2: TTL 120s
Port Description TLV (4), length 3: H17
System Name TLV (5), length 11: Switch_System_Name
System Description TLV (6), length 90
HP J4865A ProCurve Switch 4108GL, revision G.07.93, ROM G.05.02
(/sw/code/build/gamo(m03))
System Capabilities TLV (7), length 4
System Capabilities Bridge, Router
Enabled Capabilities Bridge
Management Address TLV (8), length 12
Management Address length 5, AFI IPv4 (1): switch_hostname.net
Interface Index Interface Numbering (2): 0
End TLV (0), length 0
Would be good.

Thanks

Chris

—
Reply to this email directly or view it on GitHub.

[chall32]

Have a test of v2.2 👍

Release 2.2 - 28 Sept 2015

• Added support for LLDP "Chassis ID TLV (1)"
• Added support for LLDP "Port ID TLV (2)"

Yeah, probably should have supported them from the get go, but hey they are supported now!

Let me know how you get on

Chris

[jnmills]

That’s cool …. It identifies my port not! And the switch name … Brill, thanks.

Jonathan

From: Chris Hall [mailto:notifications@github.com]
Sent: 28 September 2015 17:43
To: chall32/LDWin LDWin@noreply.github.com
Cc: jnmills jonathan.n.mills@gmail.com
Subject: Re: [LDWin] Only the switch IP found (#6)

Have a test of v2.2 https://assets-cdn.github.com/images/icons/emoji/unicode/1f44d.png

Release 2.2 - 28 Sept 2015

• Added support for LLDP "Chassis ID TLV (1)"
• Added support for LLDP "Port ID TLV (2)"

Yeah, probably should have supported them from the get go, but hey they are supported now!

Let me know how you get on

Chris

—
Reply to this email directly or view it on GitHub #6 (comment) . https://github.com/notifications/beacon/AHwr-Yw6bdRSl3yOpNPcGDxVBZ3Lybwuks5o2WWvgaJpZM4GDxdU.gif

[chall32]

Excellent 😄 Issue closed