PSDiscoveryProtocol
No discovery protocol packets captured even though other tools work on this host.
Hello, first of all. THANK YOU for sharing!
For some reason it doesn't work on every server. I have, for example, 2 Windows Servers with multiple network cards and it doesn't work for some of them. Even other tools are capable of reading the LLDP info.
Any ideas, how we could find out the root cause together?
Please run Get-Module to verify that you are using PSDiscoveryProtocol 1.4.3.
@AlpSantoGlobalMomentumLLC, did you find out what version you are on?
Hello, thank you and sorry. I missed your first answer.
Yes, I'm using 1.4.3
@AlpSantoGlobalMomentumLLC
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceType -eq 6 }
Is the interface you want to capture listed when you run this code?
Yes.
@AlpSantoGlobalMomentumLLC
Try to run Invoke-DiscoveryProtocolCapture -NoCleanup -Verbose. You should get a line like VERBOSE: ETLFilePath: C:\Users\username\AppData\Local\Temp\tmpAB12.etl. Download etl2pcapng, use it to convert the etl to pcapng and open the pcapng in Wireshark. Do you see any CDP or LLDP packets in there?
THANK YOU! It looks like yes...
What you see in Wireshark are DTP frames, not CDP or LLDP. I don't know why the other tool is able to capture the LLDP frames. Are you able to capture LLDP with Wireshark?
@AlpSantoGlobalMomentumLLC Please test capturing using the code below.
# Create a capture session that writes to an ETL file
New-NetEventSession -Name LLDPTest -LocalFilePath C:\Windows\Temp\lldp_test.etl
# TruncationLength 0 keeps whole frames; the filter matches the three LLDP destination multicast MACs
Add-NetEventPacketCaptureProvider -SessionName LLDPTest -TruncationLength 0 -LinkLayerAddress '01-80-c2-00-00-0e', '01-80-c2-00-00-03', '01-80-c2-00-00-00'
# Attach every connected Ethernet adapter (InterfaceType 6) in promiscuous mode
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceType -eq 6 } | ForEach-Object {
    Add-NetEventNetworkAdapter -Name $_.Name -PromiscuousMode $True
}
Start-NetEventSession -Name LLDPTest
# Wait longer than the usual 30 s LLDP advertisement interval so at least one frame can arrive
Start-Sleep -Seconds 31
Stop-NetEventSession -Name LLDPTest
Remove-NetEventSession -Name LLDPTest
You can also try to use -EtherType 0x88cc instead of -LinkLayerAddress '01-80-c2-00-00-0e', '01-80-c2-00-00-03', '01-80-c2-00-00-00'.
Convert lldp_test.etl to pcapng and open in Wireshark. Still no LLDP?
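To make the two filters and the DTP-versus-LLDP distinction above concrete, here is an added Python example (not part of PSDiscoveryProtocol or of this thread). It models what -LinkLayerAddress and -EtherType 0x88cc each look at, classifies LLDP, CDP and DTP frames the way Wireshark does (destination MAC, EtherType, LLC/SNAP protocol ID) and decodes the mandatory LLDP TLVs from a constructed frame; the multicast addresses, EtherType and SNAP IDs are the standard ones, while the frames and the source MAC are constructed.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_DST_MACS = {"01-80-c2-00-00-0e", "01-80-c2-00-00-03", "01-80-c2-00-00-00"}  # the -LinkLayerAddress set
CISCO_DST_MAC = "01-00-0c-cc-cc-cc"               # CDP and DTP share this multicast destination
CISCO_SNAP_PIDS = {0x2000: "CDP", 0x2004: "DTP"}  # SNAP protocol IDs under Cisco OUI 00-00-0c
def mac_str(b): return "-".join(f"{x:02x}" for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split("-"))

def parse_frame(frame):  # untagged Ethernet header -> (dst, src, ethertype_or_length, payload)
    return mac_str(frame[0:6]), mac_str(frame[6:12]), struct.unpack("!H", frame[12:14])[0], frame[14:]
def classify(frame):  # LLDP by EtherType; CDP/DTP by Cisco destination MAC plus LLC/SNAP protocol ID
    dst, _, etype, payload = parse_frame(frame)
    if etype == LLDP_ETHERTYPE:
        return "LLDP"
    if etype <= 1500 and dst == CISCO_DST_MAC and payload[:6] == b"\xaa\xaa\x03\x00\x00\x0c":
        return CISCO_SNAP_PIDS.get(struct.unpack("!H", payload[6:8])[0], "Cisco-SNAP")
    return "other"

def simulate_filters(frame):  # -LinkLayerAddress matches destination MAC only; -EtherType 0x88cc matches EtherType only
    dst, _, etype, _ = parse_frame(frame)
    return {"LinkLayerAddress": dst in LLDP_DST_MACS, "EtherType": etype == LLDP_ETHERTYPE}

def parse_lldp_tlvs(frame):
    """Walk LLDP TLVs (7-bit type, 9-bit length); return the mandatory Chassis ID, Port ID and TTL."""
    payload, off, out = parse_frame(frame)[3], 0, {}
    while off + 2 <= len(payload):
        hdr = struct.unpack("!H", payload[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        val, off = payload[off + 2:off + 2 + tlen], off + 2 + tlen
        if ttype == 0: break                      # End of LLDPDU TLV
        if ttype == 1:                            # Chassis ID; subtype 4 = MAC address
            out["chassis_id"] = mac_str(val[1:]) if val[0] == 4 else val[1:].hex()
        elif ttype == 2:                          # Port ID; subtype 5 = interface name
            out["port_id"] = val[1:].decode("ascii", "replace") if val[0] == 5 else val[1:].hex()
        elif ttype == 3:
            out["ttl"] = struct.unpack("!H", val)[0]
    return out

def build_frame(dst, src, etype, payload):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", etype) + payload

# Constructed sample frames (not captured from the reporter's hosts).
SRC = "00-11-22-33-44-55"
LLDP_PAYLOAD = (b"\x02\x07\x04" + mac_bytes(SRC) + b"\x04\x04\x05Gi1"   # Chassis ID (MAC), Port ID (ifname)
                + b"\x06\x02" + struct.pack("!H", 120) + b"\x00\x00")    # TTL 120 s, End of LLDPDU
DTP_PAYLOAD = b"\xaa\xaa\x03\x00\x00\x0c" + struct.pack("!H", 0x2004) + b"\x01" + b"\x00" * 8
LLDP_FRAME = build_frame("01-80-c2-00-00-0e", SRC, LLDP_ETHERTYPE, LLDP_PAYLOAD)
LLDP_ODD_DST = build_frame("01-80-c2-00-00-0f", SRC, LLDP_ETHERTYPE, LLDP_PAYLOAD)  # non-standard destination
DTP_FRAME = build_frame(CISCO_DST_MAC, SRC, len(DTP_PAYLOAD), DTP_PAYLOAD)          # what showed up in Wireshark
```

The DTP frame passes neither filter, which is consistent with Wireshark showing DTP but no LLDP; an LLDP frame sent to a non-standard destination MAC is only caught by the EtherType filter, which is why trying -EtherType 0x88cc is a useful second step.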
Wireshark is not really an option.
-LinkLayerAddress
-EtherType 0x88cc
@AlpSantoGlobalMomentumLLC You did perform those last captures in an elevated PowerShell window, right?
yes
@AlpSantoGlobalMomentumLLC Maybe if we try to only capture on a single NIC:
New-NetEventSession -Name LLDPTest -LocalFilePath C:\Windows\Temp\lldp_test.etl
Add-NetEventPacketCaptureProvider -SessionName LLDPTest -TruncationLength 0 -EtherType 0x88cc
Add-NetEventNetworkAdapter -Name 'EmbeddedFlexibleLOM1Port4' -PromiscuousMode $True
Start-NetEventSession -Name LLDPTest
Start-Sleep -Seconds 62
Stop-NetEventSession -Name LLDPTest
Remove-NetEventSession -Name LLDPTest
I tested some things ... but more or less the same result. Strange!
@AlpSantoGlobalMomentumLLC You can try to capture CDP/LLDP using netsh trace or pktmon, but if NetEventSession is unable to capture I suspect the other built-in Windows tools will also fail.
In PSDiscoveryProtocol I use the NetEventSession cmdlets that are built into Windows. I'm afraid there is nothing else I can do to help. If you need to be able to capture LLDP using the NetEventSession cmdlets you will have to ask Microsoft for help. Maybe they can explain why tcpdump is able to capture while the built-in tools fail.
Mmmm ... netsh did a capture