An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP). Please see the following link for more information:http://seclists.org/bugtraq/1999/Jan/0215.html