Hello,

Another useful way is to create a Linux or Windows VM on which you can run 'Wireshark'. Place this VM on the VSS using portgroup 4095, allow promiscuous mode on that portgroup and place the wireshark VM upon it. It is far better to use a special VM for this than to use the ESXi console. I do this as a matter of course as many tools such as Extrahop, Xangati, Catbird, etc require this portgroup to actually work. From a security perspective login to the ESXi shell should be avoided except in a break glass situation.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2016

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

I agree that using a VM with Wireshark or tcpdump would be far better, but unfortunately this probably won't work in this case, even with the catch-all 4095 VLAN and promiscuous mode.

Just like its LLDP counterpart, CDP is link-layer protocol using a special multicast destination MAC - frames will not be forwarded between directly attached links, i.e. they will be terminated at the physical NIC. This is the reason why you need to use the pktcap-uw tool instead of tcpdump-uw (which only operates on vmkernel NICs) on the shell.

If the CDP multicast frames were forwarded like normal frames on the network, you would see information about every switch in the same layer 2 domain on every port at the same time.

Hello,

Agreed.

It really depends on why you need to use CDP. Granted you may not be able to get some of the data such as OS this way but you can get services, etc. The question I have for the OP is what is trying to be accomplished here? Wireshark in this way will get all connected systems, protocols used, and from there services on the other end.

I try to find solutions that do not require direct access to ESXi as it should not be logged into except in a break-glass situation.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2016

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast