decoding vlan.dat


I was trying to find out where VTP transparent switches stored the VTP information that they pass on to other switches (I’m now of the opinion that they don’t – I think they simply read VTP frames, check them for validity (domain/password) and then forward them on trunk ports).

Anyway, that got me looking at the contents of vlan.dat, and I found this Perl script that partially decodes vlan.dat, and I also came across this site where Marco Rizzi played around with the vlan.dat in a hex editor.

I then captured a few VTP packets in Wireshark which gave me a few clues about VLAN type, and I think I have worked out the following fields for vlan.dat:

Byte# (hex)	Length (decimal)	Purpose
000	4	Don't know - but always seems to be badb 100d
004	4	Guessing - version number - always 2
008	1	VTP mode: 1=client; 2=server; 3=transparent
009	1	Length of domain name
00a	32	Domain Name
02b	6	Revision Number
030	4	Local updater ID (IP address)
034	4	Last update on (interface id-lowest VLAN)
038	12	Last modified time yymmddhhmmss
044	8	MD5 hash (as seen on sh vtp status)
04c	8	Don't know
054	1	Password Length
055	64	Password (in clear text)
095	3	Number of VLANs
098	8	Don't know: First 5.5 bytes seem to be 02020000 80e

From here on, there is a consistent 60 byte record repeated:

Byte# (hex)	Length (decimal)	Purpose
0a0	1	Vlan Name Length
0a1	32	Vlan Name
0c1	2	Vlan Type: 1=ethernet; 2=FDDI; 3=TR; 4=fdnet; 5=trnet
0c3	1	Don't know - always 01
0c4	2	MTU always 0x05dc (=1500)
0c6	2	VLAN ID
0c8	4	Vlan SAID: E.g. value 0x000186A1 (=100001)
0dc	16	Don't know: Usually all 0

Finally, there is a bunch of stuff at the end which I haven’t been able to interpret.
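A minimal parser for the layout tabulated above, as an added example that is not part of the original post or of the Perl script it mentions. It uses the table's offsets as given and assumes multi-byte fields are big-endian (consistent with the MTU and SAID values shown); `parse_vlan_dat` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

# Offsets follow the post's tentative table; big-endian byte order is an assumption.
MAGIC = bytes.fromhex("badb100d")
MODES = {1: "client", 2: "server", 3: "transparent"}
TYPES = {1: "ethernet", 2: "FDDI", 3: "TR", 4: "fdnet", 5: "trnet"}
REC_START, REC_LEN = 0x0A0, 60

def _text(buf, length_off, data_off, max_len):
    """Length-prefixed string; clamp the length so a corrupt byte cannot over-read."""
    n = min(buf[length_off], max_len)
    return buf[data_off:data_off + n].decode("ascii", "replace")

def parse_vlan_dat(buf):
    if len(buf) < REC_START or buf[:4] != MAGIC:
        raise ValueError("not a vlan.dat image (bad magic or too short)")
    count = int.from_bytes(buf[0x095:0x098], "big")
    info = {
        "mode": MODES.get(buf[0x008], f"unknown({buf[0x008]})"),
        "domain": _text(buf, 0x009, 0x00A, 32),
        "password": _text(buf, 0x054, 0x055, 64),  # stored in clear text
        "vlans": [],
    }
    for i in range(count):
        off = REC_START + i * REC_LEN
        if off + REC_LEN > len(buf):
            break  # truncated file: stop rather than read past the end
        vtype, _, mtu, vid, said = struct.unpack_from(">HBHHI", buf, off + 0x21)
        info["vlans"].append({"id": vid, "name": _text(buf, off, off + 1, 32),
                              "type": TYPES.get(vtype, vtype), "mtu": mtu, "said": said})
    return info

def build_sample():
    """Constructed test image following the same layout (not real switch data)."""
    buf = bytearray(REC_START + 2 * REC_LEN)
    buf[0:4] = MAGIC
    buf[4:8] = (2).to_bytes(4, "big")          # version, always 2 per the table
    buf[0x008] = 3                             # transparent
    buf[0x009] = 3
    buf[0x00A:0x00D] = b"LAB"
    buf[0x054] = 6
    buf[0x055:0x05B] = b"s3cret"
    buf[0x095:0x098] = (2).to_bytes(3, "big")  # two VLAN records follow
    for i, (vid, name) in enumerate([(1, b"default"), (10, b"users")]):
        off = REC_START + i * REC_LEN
        buf[off] = len(name)
        buf[off + 1:off + 1 + len(name)] = name
        struct.pack_into(">HBHHI", buf, off + 0x21, 1, 1, 1500, vid, 100000 + vid)
    return bytes(buf)
```

A non-empty `password` in the result means that copy of vlan.dat, including any backup of it, exposes the VTP password.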

About RedNectar Chris Welsh

Professional IT Instructor. All things TCP/IP, Cisco or Data Centre