lahell/PSDiscoveryProtocol

Set NIC for Invoke-DiscoveryProtocolCapture? No discovery protocol packets captured

Schmittfinger opened this issue · 2 comments

Hi,

I'm searching for a scriptable solution to get LLDP and CDP info on Windows Servers. After some searching I found your PSDiscoveryProtocol project.

I tried it on a Windows Server 2022 Standard hardware-machine.
LLDP is active on the switches (with LDWin or pktmon [https://alanjmcf.wordpress.com/2022/04/15/lldp-cdp-on-windows-with-no-extra-software/] I get a result).

With your PSDiscovery-module:

`$Packet = Invoke-DiscoveryProtocolCapture -Type LLDP` (tried Duration from 30sec to 600sec)

```
WARNING: No discovery protocol packets captured on XXX in <$Duration> seconds.
```

`Get-DiscoveryProtocolData -Packet $Packet`

```
Get-DiscoveryProtocolData : Cannot bind argument to parameter 'Packet' because it is null.
```

I have some more Ethernet-Cards in this server (some are active and some not).

Is there an option for "Invoke-DiscoveryProtocolCapture" to set a specific Ethernet-Card?
Is this only for clients (like Windows 10 etc.), and does it have trouble with Windows Server OS in general?

Kind regards,
Sebastian

PSDiscoveryProtocol should work on Windows 10/Windows Server 2016 and later. `Invoke-DiscoveryProtocolCapture` will attempt to capture on all adapters returned by `Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceType -eq 6 }`. I tried it today on a Windows Server 2022 with three adapters connected to two different switches and successfully captured LLDP on all of them.

Try to run `Invoke-DiscoveryProtocolCapture -Type LLDP -NoCleanup -Verbose`. You should get a line like `VERBOSE: ETLFilePath: C:\Users\username\AppData\Local\Temp\tmpAB12.etl`. Download etl2pcapng, use it to convert the etl to pcapng and open the pcapng in Wireshark. Do you see any LLDP packets in there?

If no LLDP packets were captured you can test capturing using the code below.

```powershell
# Create a capture session that writes to an ETL file
New-NetEventSession -Name LLDPTest -LocalFilePath C:\Windows\Temp\lldp_test.etl
# Capture only frames sent to the LLDP destination MAC addresses
Add-NetEventPacketCaptureProvider -SessionName LLDPTest -TruncationLength 0 -LinkLayerAddress '01-80-c2-00-00-0e', '01-80-c2-00-00-03', '01-80-c2-00-00-00'

# Attach every physical Ethernet adapter that is up, in promiscuous mode
Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceType -eq 6 } | ForEach-Object {
    Add-NetEventNetworkAdapter -Name $_.Name -PromiscuousMode $True
}

# Capture for 31 seconds, then stop and remove the session
Start-NetEventSession -Name LLDPTest
Start-Sleep -Seconds 31
Stop-NetEventSession -Name LLDPTest
Remove-NetEventSession -Name LLDPTest
```

You can also try to use `-EtherType 0x88cc` instead of `-LinkLayerAddress '01-80-c2-00-00-0e', '01-80-c2-00-00-03', '01-80-c2-00-00-00'`.

@Schmittfinger Are you using NIC teaming? If so, please take a look at issue #22.