A L2 LLDP Profile for Wireshark

  • File Size 70.19 KB
  • File Count 1
  • Create Date March 30, 2026
  • Last Updated March 30, 2026

LLDP (Link Layer Discovery Protocol) is a vendor-neutral Layer 2 protocol defined in IEEE 802.1AB that allows network devices to advertise their identity and capabilities to directly connected neighbors on the same Ethernet segment. Think of LLDP as a “hello, here’s who I am and what I can do” announcement at Layer 2.

How LLDP Works (Mechanically)
  • Operates at OSI Layer 2 (Data Link)
  • Uses Ethernet frames with:
    • EtherType: 0x88cc
    • Destination MAC: 01:80:c2:00:00:0e (link-local multicast)
  • Devices periodically transmit LLDP frames (default ~30 seconds)
  • Information is encoded as TLVs (Type-Length-Value fields)
  • Each device builds a neighbor table from received LLDP advertisements.

What Information LLDP Carries (Key TLVs)

LLDP is entirely structured around TLVs. The most important ones are:

Mandatory TLVs (must exist)
  • Chassis ID → Unique device identifier (MAC, hostname, etc.)
  • Port ID → Interface identifier (e.g., Gi1/0/1)
  • Time-To-Live (TTL) → How long the info is valid

Common Optional TLVs
  • System Name → Hostname
  • System Description → OS/version (e.g., IOS, JunOS)
  • Port Description → Interface description
  • System Capabilities → Switch, router, bridge, etc.

LLDP-MED (Media Endpoint Discovery)

LLDP is extended by LLDP-MED (used heavily in VoIP environments):

  • Voice VLAN assignment
  • QoS policy (802.1p/DSCP)
  • Power over Ethernet (PoE) requirements
  • Device classification (IP phone, softphone, etc.)

This is critical for:

  • IP phone auto-configuration
  • Plug-and-play enterprise deployments

Why LLDP Matters in Real Networks
1. Network Discovery / Topology Mapping
  • Automatically identifies what is connected to what
  • Used by tools to build Layer 2 topology maps
2. Troubleshooting
  • Verify:
    • Correct neighbor connections
    • Wrong ports / cabling errors
    • Missing devices
3. Zero-Touch Provisioning
  • Devices learn:
    • VLANs
    • QoS policies
    • Power requirements
4. Multi-Vendor Interoperability
  • Unlike proprietary protocols (e.g., Cisco CDP), LLDP works across vendors

Key Characteristics (Important for Troubleshooting)
  • Unidirectional protocol
    • Each device independently advertises
    • You must validate both directions
  • No routing involved
    • Stays on the local link only
  • Soft-state protocol
    • Entries expire if advertisements stop (TTL-based aging)
  • Not secure by default
    • Information is visible to any connected device

When troubleshooting LLDP in Wireshark, the goal is to isolate LLDP frames, inspect TLVs (Type-Length-Value fields), and identify mismatches, missing advertisements, or malformed data. This profile helps with that by providing Display Filter buttons and columns for the information that is key to studying and verifying LLDP messages.
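
The frame and TLV layout described above, as an added example that is not part of the original page or the profile: a small Python parser that checks the EtherType and destination MAC, walks the TLVs, and reports truncated TLVs or missing mandatory ones. The sample frames, MAC addresses and device name are constructed for illustration, and 802.1Q-tagged frames are assumed absent.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_DST_MAC = bytes.fromhex("0180c200000e")  # multicast address named on this page

def tlv(tlv_type, value):
    """Build one TLV: 7-bit type and 9-bit length share a 16-bit header."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def parse_lldp(frame):
    """Return (tlvs, problems) for a raw, untagged Ethernet frame."""
    if len(frame) < 14:
        return [], ["frame shorter than an Ethernet header"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != LLDP_ETHERTYPE:
        return [], [f"EtherType 0x{ethertype:04x} is not LLDP"]
    problems = []
    if frame[:6] != LLDP_DST_MAC:
        problems.append("unexpected destination MAC " + frame[:6].hex(":"))
    tlvs, pos = [], 14
    while pos + 2 <= len(frame):
        header = struct.unpack("!H", frame[pos:pos + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:  # length field runs past the end of the frame
            problems.append(f"TLV type {tlv_type} truncated: {length} bytes claimed, {len(value)} present")
            break
        if tlv_type == 0:  # End of LLDPDU
            break
        tlvs.append((tlv_type, value))
        pos += 2 + length
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:  # Chassis ID, Port ID, TTL come first
        problems.append("mandatory TLVs missing or out of order")
    return tlvs, problems

def ttl_seconds(tlvs):
    """TTL value in seconds, or None when the TTL TLV is absent or malformed."""
    for tlv_type, value in tlvs:
        if tlv_type == 3 and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None

# Constructed sample frames (not captured traffic).
ETH = LLDP_DST_MAC + bytes.fromhex("020000000001") + struct.pack("!H", LLDP_ETHERTYPE)
IDS = tlv(1, b"\x04" + bytes.fromhex("020000000001")) + tlv(2, b"\x05Gi1/0/1")
GOOD = ETH + IDS + tlv(3, struct.pack("!H", 120)) + tlv(5, b"sw-lab-01") + tlv(0, b"")
NO_TTL = ETH + IDS + tlv(0, b"")
TRUNCATED = GOOD[:-6]  # drops the End TLV and cuts the System Name value short
```

`parse_lldp(GOOD)` returns four TLVs and no problems, while `NO_TTL` and `TRUNCATED` each return one problem string describing the missing mandatory TLV or the overrunning length field.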
