12-29-2012 04:30 AM - edited 03-07-2019 10:49 AM
Hi,
Is it possible to identify Layer 2 devices in a network without any third-party tools?
Let's say I am checking out a network for the first time and I log in to one of the PCs. I can get information on the Layer 3 gateway device from the default gateway configuration, but will I be able to identify Layer 2 devices present in the network without the help of any third-party tools?
Regards,
Anup
12-29-2012 05:59 AM
Hello Anup,
Sadly, detecting Layer2 devices in a network from a position of an end host is almost an impossible task. Contrary to traceroute that exploits the ability to force individual routers into revealing their identity, there is no such standardized thing for Layer2 environments. Switches are absolutely transparent to transit traffic. They do not modify frames as they pass through them (save for trunking). Even if they drop frames (note that dropping is a relatively rare occasion), there is no signalling to tell the source station that the frame was discarded. So no matter what kind of user traffic you send, there is no way to persuade the switches to generate a frame on their own and send it back to you in response, or to record their identity somewhere into a frame.
You could try sniffing the Layer2 assistive protocols like CDP, LLDP, LOOP, STP, VTP, PAgP/LACP, UDLD and similar to learn about your nearest Layer2 device and perhaps about some other devices in the topology, too. However, none of these protocols will allow you to discover the entire Layer2 topology simply by observing the traffic from a single spot.
I am afraid that the task of discovering the Layer2 devices in a network is practically impossible without focusing on the Layer2 assistive protocols. For sure, a cheap non-manageable switch for a couple of bucks can not be detected at all, as it is totally transparent and does not ever originate any frames itself.
Best regards,
Peter
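The passive approach described in the reply above, shown for LLDP as an added example that is not part of the original thread: a parser that pulls the neighbour's chassis ID, port ID and system name out of one untagged LLDP frame. The sample frame, MAC addresses and names are constructed for illustration.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
TEXT_TLVS = {4: "port_description", 5: "system_name", 6: "system_description"}

def _tlv(tlv_type, value):
    # TLV header: 7-bit type and 9-bit length packed into 16 bits
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

# Constructed sample frame (not a capture); all addresses and names are made up.
SAMPLE_FRAME = (
    bytes.fromhex("0180c200000e")            # LLDP nearest-bridge multicast
    + bytes.fromhex("020000aabb07")          # source MAC of the sending port
    + struct.pack("!H", LLDP_ETHERTYPE)
    + _tlv(1, b"\x04" + bytes.fromhex("020000aabb00"))  # chassis ID, subtype 4 = MAC
    + _tlv(2, b"\x05" + b"Gi0/7")            # port ID, subtype 5 = interface name
    + _tlv(3, struct.pack("!H", 120))        # TTL in seconds
    + _tlv(5, b"access-sw-example")          # system name
    + _tlv(0, b"")                           # end of LLDPDU
)

def _id_value(subtype, raw, mac_subtype):
    # Chassis and port IDs start with a subtype byte that says how to read the rest
    return raw.hex(":") if subtype == mac_subtype else raw.decode("utf-8", "replace")

def parse_lldp(frame):
    """Return the neighbour details carried in one untagged LLDP frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    info = {"source_mac": frame[6:12].hex(":")}
    offset = 14
    while offset + 2 <= len(frame):
        header = struct.unpack("!H", frame[offset:offset + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[offset + 2:offset + 2 + length]
        if len(value) < length:
            raise ValueError("truncated TLV")
        offset += 2 + length
        if tlv_type == 0:                    # End of LLDPDU
            break
        if tlv_type == 1 and length >= 2:
            info["chassis_id"] = _id_value(value[0], value[1:], 4)
        elif tlv_type == 2 and length >= 2:
            info["port_id"] = _id_value(value[0], value[1:], 3)
        elif tlv_type == 3 and length == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode("utf-8", "replace")
    return info
```

The result describes only the directly attached LLDP speaker, which matches the limitation stated in the reply: one vantage point does not yield the whole Layer 2 topology.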
12-29-2012 09:09 PM
Hi Peter,
Recently I was involved in a remote infrastructure analysis task wherein I had to get maximum information about a remote infrastructure. We had access only to a server at the location. I was just curious if we could get some information regarding Layer 2 network devices present in the network. Now, but sadly, I think it is not possible. Thank you so much for your response, Peter. It was very helpful.
Regards,
Anup
12-30-2012 05:06 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
As Peter noted, it's normally impossible to detect unmanaged switches as they don't have a "presence" on the network as themselves.
For managed switches, as Peter also described, they often generate "special" L2 control frames, that if "sniffed" would reveal their presence, and depending on the type of control frame, might reveal information about the switch.
However there's another method that often will reveal managed switches, although it is not 100% reliable. This would be active probing address scans against different ports. A managed switch will often respond on its managed address to pings, SNMP, telnet and/or http. How the switch responds, might provide additional clues to what device it is. What address it responds on, also often provides clues that it's a switch (i.e. low or high series of addresses within a subnet, or all similar responses in the same [management] subnet). Basically this is the same kind of technique used by those looking to break into a network.
Some common reasons why active probing won't help include: the managed switch is configured to act like a non-managed switch (this is unusual), the managed switch has been properly secured (not as common as it should be), or the managed switch is mis-configured for remote access (not too common).
12-31-2012 01:21 AM
Hi Joseph,
Thanks for the great piece of information!
Additionally I was thinking of doing a MAC address lookup of the MAC address (from ARP cache of the machine) corresponding to "suspected" switch IP got from active probing. That would provide some additional information as well, right?
Thanks,
Anup
12-31-2012 01:39 AM
Hi,
The only info you would get from MAC address is from the OUI portion which will tell you the manufacturer but that's all you'll get.
Regards.
Alain
Don't forget to rate helpful posts.
12-31-2012 01:45 AM
Hi Alain,
Yes, but let's say I look it up and I get the manufacturer as Cisco, the chances are high that it will be a network device, right? I am not saying it's a reliable one but any additional information is always good!
Regards,
Anup
12-31-2012 01:54 AM
Hi Anup,
Additionally I was thinking of doing a MAC address lookup of the MAC address (from ARP cache of the machine) corresponding to "suspected" switch IP got from active probing. That would provide some additional information as well, right?
Please keep in mind that the MAC address of a switch would be in your ARP table only if you happened to be on the switch's management VLAN. I do not think this is going to be the case too often.
Best regards,
Peter
12-31-2012 02:25 AM
Additionally I was thinking of doing a MAC address lookup of the MAC address (from ARP cache of the machine) corresponding to "suspected" switch IP got from active probing. That would provide some additional information as well, right?
I had thought to mention that but as Peter described, your system would have to be in the same L2 domain to see the ARP entry.
Peter is also correct, good chance you won't be on the management VLAN to see the switch's management MAC but looking up MAC's OUI address to vendor might be helpful when "sniffing" BPDUs.
PS:
BTW, some devices also have "signatures", i.e. how they construct some of their packets, that can be used to identify the host OS.
PPS:
Oh, also forgot to mention, sometimes if you do a ping scan that supports DNS reverse lookups, the management IP's DNS entry might indicate by its name that it's a switch.
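The OUI lookup on sniffed BPDUs mentioned in the post above, as an added example that is not part of the original thread: a parser for a classic 802.1D configuration BPDU that returns the root and sending bridge IDs with the OUI portion of each MAC. It assumes the 802.1t priority/system-ID split; the sample frame is constructed and uses MAC addresses from the RFC 7042 documentation range.

```python
import struct

STP_DEST = bytes.fromhex("0180c2000000")     # IEEE spanning-tree group address
LLC_STP = b"\x42\x42\x03"                    # DSAP, SSAP, control

def _bridge_id(raw):
    # 2 bytes priority (top 4 bits priority, low 12 bits system ID ext) + 6 bytes MAC
    prio, mac = struct.unpack("!H6s", raw)
    return {
        "priority": prio & 0xF000,
        "system_id_ext": prio & 0x0FFF,
        "mac": mac.hex(":"),
        "oui": mac[:3].hex(":"),             # look this up in the IEEE registry
        # Locally administered addresses carry no registered vendor OUI
        "locally_administered": bool(mac[0] & 0x02),
    }

def parse_config_bpdu(frame):
    """Parse a classic 802.1D configuration BPDU in an 802.3/LLC frame."""
    if len(frame) < 17 + 35 or frame[:6] != STP_DEST or frame[14:17] != LLC_STP:
        raise ValueError("not an IEEE STP frame")
    bpdu = frame[17:52]
    proto, version, bpdu_type, flags = struct.unpack("!HBBB", bpdu[:5])
    if proto != 0 or bpdu_type != 0:         # RSTP/TCN BPDUs are out of scope here
        raise ValueError("not a configuration BPDU")
    root, cost, bridge, port = struct.unpack("!8sI8sH", bpdu[5:27])
    return {
        "source_mac": frame[6:12].hex(":"),
        "root": _bridge_id(root),
        "bridge": _bridge_id(bridge),
        "root_path_cost": cost,
        "port_id": port,
        "sender_is_root": root == bridge,
    }

def _pack_id(priority, mac_hex):
    return struct.pack("!H", priority) + bytes.fromhex(mac_hex)

# Constructed sample (not a capture); timers are in units of 1/256 second.
_BPDU = (
    struct.pack("!HBBB", 0, 0, 0, 0)                    # protocol, version, type, flags
    + _pack_id(4096 + 10, "00005e005301")               # root bridge ID
    + struct.pack("!I", 4)                              # root path cost
    + _pack_id(32768 + 10, "00005e005342")              # sending bridge ID
    + struct.pack("!HHHHH", 0x8007, 256, 20 * 256, 2 * 256, 15 * 256)
)
SAMPLE_FRAME = (STP_DEST + bytes.fromhex("00005e005349")
                + struct.pack("!H", len(LLC_STP) + len(_BPDU)) + LLC_STP + _BPDU)
```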
12-31-2012 11:34 AM
Joseph..
I like the disclaimer.. u mind if I use it also?
12-31-2012 04:27 PM
paul.strazza wrote:
Joseph..
I like the disclaimer.. u mind if I use it also?
Laugh - most, I believe, dislike it (truth be known I don't like it either but we do live in a litigious society, sigh) - and it's a pain to paste into every posting - but yes you, or anyone else, are welcome to copy it.
12-31-2012 08:59 AM
Anup -
Just adding one more idea if that is helpful.
There is a possible way by which we could know the L2 hops in between the default gateway and PC (if we have the access to the Default Gateway). You may take a look at the following discussion and check for command -
https://supportforums.cisco.com/thread/2184184
traceroute mac
But I don't think there is a direct way of getting the full topology from the PC.
Regards,
Rahul