Closed jnmills closed 8 years ago
"I changed the code". Is LDWin source code available anywhere?
https://github.com/chall32/LDWin ?
oh wait... this is in autoit... I was looking for .c files ;)
OK, so looks like 2 issues here:
1. AV wrongly picking LDWin.exe up as a false positive; indeed it looks like 3 out of 43 vendors are wrongly identifying LDWin as malicious: https://www.metascan-online.com/#!/results/file/1dadd140ccbb4ca4870075131ea7166c/regular
I'll follow this up.
2. Only switch IP returned. Looking at the LLDP RFC (http://standards.ieee.org/getieee802/download/802.1AB-2009.pdf):
https://cloud.githubusercontent.com/assets/1158765/10116979/6c6f5c48-643e-11e5-8b76-f8d2f476c934.png
Port ID and Chassis ID are listed as mandatory TLVs so should be the same across all devices.... Would it be possible to let me have a (sanitised if you prefer) tcpdump output as discussed here: https://github.com/chall32/LDWin/wiki/What-To-Do-If-LDWin-Captures-No-Data
To return port ID into the GUI, LDWin is looking for the text "Port Description TLV (4)" in the output of tcpdump. I'm wondering if there is some difference in the return from the Netgear switch which is causing LDWin not to pick up the correct info...
Thanks
Chris
That was the (text) output from the tcpdump command – are you actually looking for the binary dump? I can capture that with Wireshark.
I am just about to go out: I will return this in a few hours I expect.
Jonathan
Hey Jonathan,
No problem. The full output from an LLDP packet capture, something like (as found on the internet):
09:15:04.185692 LLDP, length 151
Chassis ID TLV (1), length 7
Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
Port ID TLV (2), length 4
Subtype Local (7): 185
Time to Live TLV (3), length 2: TTL 120s
Port Description TLV (4), length 3: H17
System Name TLV (5), length 11: Switch_System_Name
System Description TLV (6), length 90
HP J4865A ProCurve Switch 4108GL, revision G.07.93, ROM G.05.02
(/sw/code/build/gamo(m03))
System Capabilities TLV (7), length 4
System Capabilities [Bridge, Router] (0x0014)
Enabled Capabilities [Bridge] (0x0004)
Management Address TLV (8), length 12
Management Address length 5, AFI IPv4 (1): switch_hostname.net
Interface Index Interface Numbering (2): 0
End TLV (0), length 0
Would be good.
Thanks
Chris
I thought I attached one to the original comment in the Issue: But here it is. The line numbers are my own.
12:21:24.443497 LLDP, length 46
Chassis ID TLV (1), length 7
Subtype MAC address (4): 2c:b0:5d:a1:ac:fd
Port ID TLV (2), length 3
Subtype Local (7): g1
Time to Live TLV (3), length 2: TTL 120s
Management Address TLV (8), length 20
Management Address length 5, AFI IPv4 (1): 192.168.1.253
Interface Index Interface Numbering (2): 13
OID length 8broadcom
End TLV (0), length 0
It may be that the Netgear ProSafe switch isn’t that compliant with the standard. I have to admit the only thing I really want out of it was the Port ID, which tells me where I am connected to (in this case g1).
Hi Chris.
Just a quick comment.
I did a bit of reading about LLDP. Afaict the only mandatory fields are port ID, chassis ID and time to live. You don't /have/ to send the textual descriptions?
What about displaying the description if you have it, otherwise the raw ID?
Jonathan
Sent from my iPad
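LDWin's original check looked only for the text "Port Description TLV (4)", which the Netgear capture above never prints. As an added example (not LDWin's own AutoIt code), here is a small Python parser over tcpdump's text output that extracts the mandatory Chassis ID and Port ID plus the optional Port Description and System Name, and falls back to the raw Port ID when no description is present, as Jonathan suggests. The two captures are the ones posted in this thread, with the HP one abridged; the TLV names used as dictionary keys are my own choice.

```python
import re
# Jonathan's Netgear GS108T capture from this thread (no Port Description TLV).
NETGEAR = """\
12:21:24.443497 LLDP, length 46
Chassis ID TLV (1), length 7
Subtype MAC address (4): 2c:b0:5d:a1:ac:fd
Port ID TLV (2), length 3
Subtype Local (7): g1
Time to Live TLV (3), length 2: TTL 120s
Management Address TLV (8), length 20
Management Address length 5, AFI IPv4 (1): 192.168.1.253
Interface Index Interface Numbering (2): 13
OID length 8broadcom
End TLV (0), length 0
"""
# Chris's HP ProCurve example, abridged here to the TLVs LDWin reads.
HP = """\
Chassis ID TLV (1), length 7
Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
Port ID TLV (2), length 4
Subtype Local (7): 185
Port Description TLV (4), length 3: H17
System Name TLV (5), length 11: Switch_System_Name
End TLV (0), length 0
"""
# TLV header lines; some carry their value inline after "length N:", others on the next line.
TLV = re.compile(r"^\s*(Chassis ID|Port ID|Port Description|System Name|Management Address)"
                 r" TLV \(\d+\), length \d+(?:: (.*))?$")
SUBTYPE = re.compile(r"^\s*Subtype [^(]+\(\d+\): (.+?)(?: \(oui .*\))?$")
MGMT = re.compile(r"^\s*Management Address length \d+, AFI \w+ \(\d+\): (\S+)")

def parse_lldp(text):
    """Map the TLVs LDWin cares about to their values; TLVs absent from the capture are simply missing."""
    tlvs, pending = {}, None  # pending: TLV whose value tcpdump prints on the following line
    for line in text.splitlines():
        m = TLV.match(line)
        if m:
            name, value = m.groups()
            if value is None:
                pending = name
            else:
                tlvs[name], pending = value.strip(), None
        elif pending in ("Chassis ID", "Port ID") and (m := SUBTYPE.match(line)):
            tlvs[pending], pending = m.group(1), None
        elif pending == "Management Address" and (m := MGMT.match(line)):
            tlvs[pending], pending = m.group(1), None
    return tlvs

def port_label(tlvs):  # optional Port Description if present, else the mandatory Port ID
    return tlvs.get("Port Description") or tlvs.get("Port ID")
```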
Have a test of v2.2 (Release 2.2 - 28 Sept 2015) :+1:
Yeah, probably should have supported them from the get go, but hey they are supported now!
Let me know how you get on
Chris
That’s cool …. It identifies my port now! And the switch name … Brill, thanks.
Jonathan
Excellent :smile: Issue closed
LDWin 2.1; AutoIt 3.3.14.2
I have a Netgear ProSafe GS108T and I tried LDWin with it.
It only returned the switch IP address - no MAC or Port ID.
I changed the code to make a copy of the data out of tcpdump, and it is as follows (the line numbers at the start are mine, not in the file)
0 12:21:24.443497 LLDP, length 46
1 Chassis ID TLV (1), length 7
2 Subtype MAC address (4): 2c:b0:5d:a1:ac:fd
3 Port ID TLV (2), length 3
4 Subtype Local (7): g1
5 Time to Live TLV (3), length 2: TTL 120s
6 Management Address TLV (8), length 20
7 Management Address length 5, AFI IPv4 (1): 192.168.1.253
8 Interface Index Interface Numbering (2): 13
9 OID length 8broadcom
10 End TLV (0), length 0
Also worth noting ...
AutoIt refused to run the file from GitHub: I had to comment out the include of GUIHyperlink.au3 to get it working.
Norton Security removed the LDWin.exe file, saying it was a known threat. If you rename LDWin.exe to something else it runs (although it complains about it being potentially abusing, but does label it low risk).