
Parsing BGP packets using tcpdump

tcpdump can be used to read BGP routing messages; several ways are available.

Capturing BGP packets on the fly

tcpdump -i eth0 tcp port 179

where the BGP IP protocol number is 89, and the protocol field is the 9th octet of the IP header.

Another way is to use the service name instead of the number (it is looked up in /etc/services, which is also why the output below prints the port as bgp):

tcpdump -i eth0 tcp port bgp

Writing captured packets to a file

tcpdump -i eth0 -w example.cap tcp port 179

Reading BGP packets from a file

We need the "-r" switch:

tcpdump -r example.cap tcp port 179

The output will look like:

15:40:26.554409 IP 10.0.0.2.35184 > 10.0.0.1.bgp: Flags [S], seq 3430895318, win 16384, options [mss 1460], length 0
15:40:26.564460 IP 10.0.0.1.bgp > 10.0.0.2.35184: Flags [S.], seq 250722276, ack 3430895319, win 16384, options [mss 1460], length 0
15:40:26.574573 IP 10.0.0.2.35184 > 10.0.0.1.bgp: Flags [.], ack 1, win 16384, length 0
15:40:26.574590 IP 10.0.0.2.35184 > 10.0.0.1.bgp: Flags [.], seq 1:46, ack 1, win 16384, length 45: BGP, length: 45
15:40:26.584639 IP 10.0.0.1.bgp > 10.0.0.2.35184: Flags [.], seq 1:46, ack 46, win 16339, length 45: BGP, length: 45
15:40:26.584681 IP 10.0.0.1.bgp > 10.0.0.2.35184: Flags [.], seq 46:65, ack 46, win 16339, length 19: BGP, length: 19
The first three packets are the TCP three-way handshake (TWH); the following ones carry BGP messages (the 45-byte OPENs and a 19-byte KEEPALIVE).

If we need to print all the packet details, including the decoded BGP messages, add the verbose switch (without -n, tcpdump also resolves addresses and the BGP router ID through DNS, which is why the ID below appears as a hostname):

tcpdump -v -r r1.1-bgp.cap tcp port 179

15:40:26.554409 IP (tos 0xc0, ttl 1, id 64760, offset 0, flags [none], proto TCP (6), length 44)
    10.0.0.2.35184 > 10.0.0.1.bgp: Flags [S], cksum 0x9eaa (correct), seq 3430895318, win 16384, options [mss 1460], length 0
15:40:26.564460 IP (tos 0xc0, ttl 255, id 17186, offset 0, flags [none], proto TCP (6), length 44)
    10.0.0.1.bgp > 10.0.0.2.35184: Flags [S.], cksum 0xd7c3 (correct), seq 250722276, ack 3430895319, win 16384, options [mss 1460], length 0
15:40:26.574573 IP (tos 0xc0, ttl 1, id 64761, offset 0, flags [none], proto TCP (6), length 40)
    10.0.0.2.35184 > 10.0.0.1.bgp: Flags [.], cksum 0xef80 (correct), ack 1, win 16384, length 0
15:40:26.574590 IP (tos 0xc0, ttl 1, id 64762, offset 0, flags [none], proto TCP (6), length 85)
    10.0.0.2.35184 > 10.0.0.1.bgp: Flags [.], cksum 0xc87d (correct), seq 1:46, ack 1, win 16384, length 45: BGP, length: 45
        Open Message (1), length: 45
          Version 4, my AS 100, Holdtime 180s, ID ARennes-651-1-107-2.w2-2.abo.wanadoo.fr
          Optional parameters, length: 16
            Option Capabilities Advertisement (2), length: 6
              Multiprotocol Extensions (1), length: 4
                AFI IPv4 (1), SAFI Unicast (1)
            Option Capabilities Advertisement (2), length: 2
              Route Refresh (Cisco) (128), length: 0
            Option Capabilities Advertisement (2), length: 2
              Route Refresh (2), length: 0
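To see what tcpdump is decoding in the verbose output above, here is an added example (not part of the original page) in Python that validates the 19-byte BGP header and parses an OPEN message with its capabilities, following RFC 4271 and RFC 5492. The input bytes are constructed to reproduce the 45-byte OPEN followed by the 19-byte KEEPALIVE sent by 10.0.0.1 in the capture; the router ID 192.0.2.1 is a placeholder, since the capture shows only the resolved hostname.

```python
"""Validate and decode raw BGP messages, mirroring what tcpdump -v prints."""
import ipaddress
import struct
from pprint import pprint

BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19
BGP_MAX_LEN = 4096
MSG_TYPES = {1: "Open", 2: "Update", 3: "Notification", 4: "Keepalive", 5: "Route Refresh"}
CAP_CODES = {1: "Multiprotocol Extensions", 2: "Route Refresh", 128: "Route Refresh (Cisco)"}
AFIS = {1: "IPv4", 2: "IPv6"}
SAFIS = {1: "Unicast", 2: "Multicast"}


def parse_header(buf):
    """Return (type, length) after the checks RFC 4271 6.1 requires on every header."""
    if len(buf) < BGP_HEADER_LEN:
        raise ValueError("short header")
    marker, length, msg_type = struct.unpack("!16sHB", buf[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise ValueError("bad marker")          # Connection Not Synchronized
    if length < BGP_HEADER_LEN or length > BGP_MAX_LEN:
        raise ValueError(f"bad message length {length}")
    if msg_type not in MSG_TYPES:
        raise ValueError(f"bad message type {msg_type}")
    return msg_type, length


def parse_capabilities(data):
    """Walk the OPEN optional parameters; only Capabilities (type 2) are decoded."""
    caps, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated optional parameter")
        ptype, plen = data[off], data[off + 1]
        pval = data[off + 2:off + 2 + plen]
        if len(pval) != plen:
            raise ValueError("optional parameter overruns OPEN")
        off += 2 + plen
        if ptype != 2:
            caps.append({"param_type": ptype, "raw": pval.hex()})
            continue
        coff = 0
        while coff < len(pval):
            if coff + 2 > len(pval):
                raise ValueError("truncated capability")
            code, clen = pval[coff], pval[coff + 1]
            cval = pval[coff + 2:coff + 2 + clen]
            if len(cval) != clen:
                raise ValueError("capability overruns parameter")
            coff += 2 + clen
            cap = {"code": code, "name": CAP_CODES.get(code, f"unknown({code})"), "length": clen}
            if code == 1 and clen == 4:        # Multiprotocol Extensions: AFI, reserved, SAFI
                afi, _reserved, safi = struct.unpack("!HBB", cval)
                cap["afi"], cap["safi"] = AFIS.get(afi, str(afi)), SAFIS.get(safi, str(safi))
            caps.append(cap)
    return caps


def parse_open(body):
    """Parse the OPEN body (everything after the 19-byte header)."""
    if len(body) < 10:
        raise ValueError("short OPEN")
    version, my_as, holdtime, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if len(body) != 10 + opt_len:
        raise ValueError("optional parameter length does not match OPEN length")
    return {"version": version, "my_as": my_as, "holdtime": holdtime,
            # tcpdump resolves this through DNS unless -n is given; kept numeric here
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)),
            "capabilities": parse_capabilities(body[10:])}


def parse_stream(buf):
    """Split a TCP payload into BGP messages; every message is header-checked first."""
    msgs, off = [], 0
    while off < len(buf):
        msg_type, length = parse_header(buf[off:])
        body = buf[off + BGP_HEADER_LEN:off + length]
        if len(body) != length - BGP_HEADER_LEN:
            raise ValueError("message truncated")
        msg = {"type": MSG_TYPES[msg_type], "length": length}
        if msg_type == 1:
            msg.update(parse_open(body))
        msgs.append(msg)
        off += length
    return msgs


def build_sample_stream():
    """Constructed bytes matching the decoded OPEN (AS 100, hold 180s) plus a KEEPALIVE."""
    caps = (bytes([2, 6, 1, 4]) + struct.pack("!HBB", 1, 0, 1)   # MP ext: AFI IPv4, SAFI Unicast
            + bytes([2, 2, 128, 0])                               # Route Refresh (Cisco), length 0
            + bytes([2, 2, 2, 0]))                                # Route Refresh, length 0
    router_id = int(ipaddress.IPv4Address("192.0.2.1"))           # placeholder, not the capture's ID
    body = struct.pack("!BHHIB", 4, 100, 180, router_id, len(caps)) + caps
    open_msg = BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), 1) + body   # 45 bytes
    keepalive = BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN, 4)                     # 19 bytes
    return open_msg + keepalive


if __name__ == "__main__":
    pprint(parse_stream(build_sample_stream()))
```

The header checks (all-ones marker, length between 19 and 4096, known type) are the ones a BGP speaker must perform before acting on a message; in a packet capture they are also the quickest way to tell a mis-aligned TCP segment from a genuine BGP message. The optional-parameter walk refuses to read past the declared lengths, which is the part of a hand-written decoder that most often goes wrong.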