Only the switch IP found about ldwin HOT 11 CLOSED

"I changed the code". Is LDWin source code available anywhere?

from ldwin.

https://github.com/chall32/LDWin ?

From: Antoni Sawicki [mailto:[email protected]]
Sent: 25 September 2015 21:11
To: chall32/LDWin [email protected]
Cc: jnmills [email protected]
Subject: Re: [LDWin] Only the switch IP found (#6)

"I changed the code". Is LDWin source code available anywhere?

—
Reply to this email directly or view it on GitHub #6 (comment) .

from ldwin.

oh wait... this is in autoit... I was looking for .c files ;)

from ldwin.

OK, so looks like 2 issues here:

1. AV wrongly picking LDWin.exe up as a false positive; indeed it looks like 3 out of 43 vendors are wrongly identifying LDWin as malicious: https://www.metascan-online.com/#!/results/file/1dadd140ccbb4ca4870075131ea7166c/regular
   I'll follow this up.
2. Only switch IP returned. Looking at the LLDP RFC (http://standards.ieee.org/getieee802/download/802.1AB-2009.pdf):
   
   port id and chassis id are listed as mandatory TLV's so should be the same across all devices.... Would it be possible to let me have a (sanitised if you prefer) tcpdump output as discussed here: https://github.com/chall32/LDWin/wiki/What-To-Do-If-LDWin-Captures-No-Data
   To return port ID into the GUI, LDWin is looking for the text "Port Description TLV (4)" in the output of tcpdump. I'm wondering if there is some difference in the return from the Netgear switch which is causing LDWin not to pick up the correct info...

Thanks

Chris

from ldwin.

Chris

That was the (text) output from the tcpdump command – are you actually looking for the binary dump? I can capture that with wireshark

I am just about to go out: I will return this in a few hours I expect

Jonathan

From: Chris Hall [mailto:[email protected]]
Sent: 26 September 2015 11:11
To: chall32/LDWin [email protected]
Cc: jnmills [email protected]
Subject: Re: [LDWin] Only the switch IP found (#6)

OK, so looks like 2 issues here:

1.  AV wrongly picking LDWin.exe up as a false positive; indeed it looks like 3 out of 43 vendors are wrongly identifying LDWin as malicious: https://www.metascan-online.com/#!/results/file/1dadd140ccbb4ca4870075131ea7166c/regular 
   

   I'll follow this up.

2.  Only switch IP returned. Looking at the LLDP RFC (http://standards.ieee.org/getieee802/download/802.1AB-2009.pdf): 
   

   https://cloud.githubusercontent.com/assets/1158765/10116979/6c6f5c48-643e-11e5-8b76-f8d2f476c934.png
   port id and chassis id are listed as mandatory TLV's so should be the same across all devices.... Would it be possible to let me have a (sanitised if you prefer) tcpdump output as discussed here: https://github.com/chall32/LDWin/wiki/What-To-Do-If-LDWin-Captures-No-Data
   To return port ID into the GUI, LDWin is looking for the text "Port Description TLV (4)" in the output of tcpdump. I'm wondering if there is some difference in the return from the Netgear switch which is causing LDWin not to pick up the correct info...

Thanks

Chris

—
Reply to this email directly or view it on GitHub #6 (comment) . https://github.com/notifications/beacon/AHwr-Wek6p-lAi06wSVs9QOW_xA12lIDks5o1ma0gaJpZM4GDxdU.gif

from ldwin.

Hey Jonathan,

No problem. The full output from a LLDP packet capture, something like (as found on the internet):

09:15:04.185692 LLDP, length 151
    Chassis ID TLV (1), length 7
      Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
    Port ID TLV (2), length 4
      Subtype Local (7): 185
    Time to Live TLV (3), length 2: TTL 120s
    Port Description TLV (4), length 3: H17
    System Name TLV (5), length 11: Switch_System_Name
    System Description TLV (6), length 90
      HP J4865A ProCurve Switch 4108GL, revision G.07.93, ROM G.05.02
        (/sw/code/build/gamo(m03))
    System Capabilities TLV (7), length 4
      System  Capabilities [Bridge, Router] (0x0014)
      Enabled Capabilities [Bridge] (0x0004)
    Management Address TLV (8), length 12
      Management Address length 5, AFI IPv4 (1): switch_hostname.net
      Interface Index Interface Numbering (2): 0
    End TLV (0), length 0 

Would be good.

Thanks

Chris

from ldwin.

I thought I attached one to the original comment in the Issue: But here it is. The line numbers are my own.

12:21:24.443497 LLDP, length 46

            Chassis ID TLV (1), length 7

              Subtype MAC address (4): 2c:b0:5d:a1:ac:fd

            Port ID TLV (2), length 3

              Subtype Local (7): g1

            Time to Live TLV (3), length 2: TTL 120s

            Management Address TLV (8), length 20

              Management Address length 5, AFI IPv4 (1): 192.168.1.253

              Interface Index Interface Numbering (2): 13

              OID length 8broadcom

            End TLV (0), length 0

It may be that the Netgear ProSafe switch isn’t that compliant with a standard. I have to admin the only thing I really want out of it was the Port ID which tells me where I am connected to (in this case g1)

From: Chris Hall [mailto:[email protected]]
Sent: 26 September 2015 11:29
To: chall32/LDWin [email protected]
Cc: jnmills [email protected]
Subject: Re: [LDWin] Only the switch IP found (#6)

Hey Jonathan,

No problem. The full output from a LLDP packet capture, something like (as found on the internet):

09:15:04.185692 LLDP, length 151
Chassis ID TLV (1), length 7
Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
Port ID TLV (2), length 4
Subtype Local (7): 185
Time to Live TLV (3), length 2: TTL 120s
Port Description TLV (4), length 3: H17
System Name TLV (5), length 11: Switch_System_Name
System Description TLV (6), length 90
HP J4865A ProCurve Switch 4108GL, revision G.07.93, ROM G.05.02
(/sw/code/build/gamo(m03))
System Capabilities TLV (7), length 4
System Capabilities Bridge, Router
Enabled Capabilities Bridge
Management Address TLV (8), length 12
Management Address length 5, AFI IPv4 (1): switch_hostname.net
Interface Index Interface Numbering (2): 0
End TLV (0), length 0

Would be good.

Thanks

Chris

—
Reply to this email directly or view it on GitHub #6 (comment) . https://github.com/notifications/beacon/AHwr-eei7C5VuQLL1lOs3h3O4z0wPXMFks5o1mr3gaJpZM4GDxdU.gif

from ldwin.

Hi Chris.

Just a quick comment.

I did a bit of reading about LLDP. Afaict the only mandatory fields are port ID, chassis ID and time to live. You don't /have/ to send the textual descriptions?

What about displaying the description if you have it, otherwise the raw I'd?

Jonathan

Sent from my iPad

On 26 Sep 2015, at 11:29, Chris Hall [email protected] wrote:

Hey Jonathan,

No problem. The full output from a LLDP packet capture, something like (as found on the internet):

09:15:04.185692 LLDP, length 151
Chassis ID TLV (1), length 7
Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
Port ID TLV (2), length 4
Subtype Local (7): 185
Time to Live TLV (3), length 2: TTL 120s
Port Description TLV (4), length 3: H17
System Name TLV (5), length 11: Switch_System_Name
System Description TLV (6), length 90
HP J4865A ProCurve Switch 4108GL, revision G.07.93, ROM G.05.02
(/sw/code/build/gamo(m03))
System Capabilities TLV (7), length 4
System Capabilities Bridge, Router
Enabled Capabilities Bridge
Management Address TLV (8), length 12
Management Address length 5, AFI IPv4 (1): switch_hostname.net
Interface Index Interface Numbering (2): 0
End TLV (0), length 0
Would be good.

Thanks

Chris

—
Reply to this email directly or view it on GitHub.

from ldwin.

Have a test of v2.2 👍

Release 2.2 - 28 Sept 2015

• Added support for LLDP "Chassis ID TLV (1)"
• Added support for LLDP "Port ID TLV (2)"

Yeah, probably should have supported them from the get go, but hey they are supported now!

Let me know how you get on

Chris

from ldwin.

That’s cool …. It identifies my port not! And the switch name … Brill, thanks.

Jonathan

From: Chris Hall [mailto:[email protected]]
Sent: 28 September 2015 17:43
To: chall32/LDWin [email protected]
Cc: jnmills [email protected]
Subject: Re: [LDWin] Only the switch IP found (#6)

Have a test of v2.2 https://assets-cdn.github.com/images/icons/emoji/unicode/1f44d.png

Release 2.2 - 28 Sept 2015

• Added support for LLDP "Chassis ID TLV (1)"
• Added support for LLDP "Port ID TLV (2)"

Yeah, probably should have supported them from the get go, but hey they are supported now!

Let me know how you get on

Chris

—
Reply to this email directly or view it on GitHub #6 (comment) . https://github.com/notifications/beacon/AHwr-Yw6bdRSl3yOpNPcGDxVBZ3Lybwuks5o2WWvgaJpZM4GDxdU.gif

from ldwin.

Excellent 😄 Issue closed

from ldwin.