Where is my server?

Today I noticed that we lost a server. Actually we knew the place but not the switch port it is connected to. You might say: just look for the MAC address — yeeesss, but it is connected via LACP, the first link was up, but the 2nd one — the one I was interested in — was not. Or better to say, it was up but disabled by the LACP algorithm on the Linux machine.

What happened? Someone rewired the switch and changed the 2nd port of the server to some other switch port. Sadly he wasn't at hand to be sent to the offsite datacenter to follow the cables.

Luckily I got the idea to check for the LLDP messages the switch sends out on every port and catch them with tcpdump. A short Google search away was this wonderful website from Darren:

## Switch:
tcpdump -i eth0 -s 1500 -XX -c 1 'ether proto 0x88cc'

## Port and CDP Neighbor Info:
tcpdump -v -s 1500 -c 1 '(ether[12:2]=0x88cc or ether[20:2]=0x2000)' 

The output might look like this:

16:25:10.589903 LLDP, length 329
Subtype Local (7): Eth155/1/27
Port Description TLV (4), length 16: Ethernet155/1/27
System Name TLV (5), length 11: S1425-B2-01
Management Address length 5, AFI IPv4 (1):
Port VLAN Id Subtype (1)
port vlan id (PVID): 991

As you can see, among others, we get the Switch, Port and VLAN information. Yeehaw!

TCP offloading and Linux

When running tcpdump on recent hardware, offloading makes the capture show wrong information about individual packets. You first have to disable the offload features, with something like:


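case "${IF_NO_TOE,,}" in
    # (patterns missing from the source page)
esac

if [ "$MODE" = start ] && [ "$RUN" = true ]; then
    TOE_OPTIONS="rx tx sg tso ufo gso gro lro rxvlan txvlan rxhash"
    for TOE_OPTION in $TOE_OPTIONS; do
        # Disable each offload feature; ignore ones the NIC does not support
        /sbin/ethtool --offload "$IFACE" "$TOE_OPTION" off &>/dev/null || true
    done
fi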

Thanks to