So I'm having a strange issue trying to capture CDP packets. I wrote my own lightweight application utilizing wpcap.dll and built a filter and a parser. Everything was working fine until I started testing with other computers. It was then I figured out that my application will NOT capture CDP packets if Wireshark is not running.
It is capturing and parsing packets fine; I can see them scrolling by, but I never get a CDP hit. My switches are set to advertise every 60 seconds, but I can leave my program open for 10 mins and then open Wireshark and get a CDP packet. If I close Wireshark I no longer see the CDP packets.
I'm using the filter 'ether[20:2] == 0x2000' looking for type '0x01E3'
asked 18 Apr, 06:29
Destination MAC address of a CDP packet is a multicast address. Therefore to be able to get such a packet to the application layer your network card has to accept it.
This can be achieved by setting the network card to promiscuous mode (which is what Wireshark, or rather the WinPcap driver, does). Another way is to join this multicast address at the OS level.
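The behaviour described in this answer, as an added example that is not part of the original posts: a simplified model of a NIC receive filter applied to a constructed CDP frame header, followed by the same byte test as the filter `ether[20:2] == 0x2000`. The source and host MAC addresses, the function names and the filter model itself are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: first 26 bytes of a CDP frame (802.3 + LLC/SNAP). */
static const uint8_t sample_cdp[] = {
    0x01,0x00,0x0c,0xcc,0xcc,0xcc,  /* dst: CDP multicast address */
    0x00,0x11,0x22,0x33,0x44,0x55,  /* src: made-up switch MAC */
    0x00,0x0c,                      /* 802.3 length of this truncated sample */
    0xaa,0xaa,0x03,                 /* LLC: DSAP, SSAP, control */
    0x00,0x00,0x0c,                 /* SNAP OUI (Cisco) */
    0x20,0x00,                      /* SNAP PID 0x2000 at bytes 20..21 */
    0x02,0xb4,0x00,0x00             /* CDP version, TTL, checksum (not computed) */
};
static const uint8_t own_mac[6]   = {0x02,0x00,0x00,0x00,0x00,0x01}; /* made-up host MAC */
static const uint8_t cdp_group[6] = {0x01,0x00,0x0c,0xcc,0xcc,0xcc};

/* Group (multicast/broadcast) bit: LSB of the first destination byte. */
int is_group_addr(const uint8_t *f) { return f[0] & 0x01; }

/* Same test as the capture filter ether[20:2] == 0x2000. */
int matches_filter(const uint8_t *f, size_t len) {
    return len >= 22 && f[20] == 0x20 && f[21] == 0x00;
}

/* Simplified receive-filter model: groups is ngroups * 6 bytes of joined addresses. */
int nic_delivers(const uint8_t *f, const uint8_t *own,
                 const uint8_t *groups, size_t ngroups, int promisc) {
    static const uint8_t bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    if (promisc) return 1;
    if (!is_group_addr(f)) return memcmp(f, own, 6) == 0;
    if (memcmp(f, bcast, 6) == 0) return 1;
    for (size_t i = 0; i < ngroups; i++)
        if (memcmp(f, groups + 6 * i, 6) == 0) return 1;
    return 0;
}

/* The capture filter only ever runs on frames the NIC handed up. */
int app_sees_cdp(const uint8_t *f, size_t len, const uint8_t *groups,
                 size_t ngroups, int promisc) {
    return nic_delivers(f, own_mac, groups, ngroups, promisc) && matches_filter(f, len);
}
int main(void) {
    size_t n = sizeof sample_cdp;
    printf("default=%d promisc=%d joined=%d\n", app_sees_cdp(sample_cdp, n, NULL, 0, 0),
           app_sees_cdp(sample_cdp, n, NULL, 0, 1), app_sees_cdp(sample_cdp, n, cdp_group, 1, 0));
    return 0;
}
```

With WinPcap, the promiscuous case corresponds to passing a non-zero `promisc` argument to `pcap_open_live()`.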