{"id":577,"date":"2013-06-03T15:20:43","date_gmt":"2013-06-03T13:20:43","guid":{"rendered":""},"modified":"2020-08-05T10:42:09","modified_gmt":"2020-08-05T08:42:09","slug":"parsing-bgp-packets-using-tcpdump","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/parsing-bgp-packets-using-tcpdump\/","title":{"rendered":"Parsing BGP packets using tcpdump"},"content":{"rendered":"<p>We can use the <em>tcpdump<\/em> tool to read BGP routing messages; several ways are available.<\/p>\n\n\n\n<p><strong>Capturing BGP packets on the fly<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump -i eth0 tcp port 179<\/pre>\n\n\n\n<p>where BGP uses TCP on port 179 as its transport.<\/p>\n\n\n\n<p>Another way is:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump -i eth0 tcp port 179<\/pre>\n\n\n\n<p><strong>Writing captured packets to a file<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump -i eth0 tcp port 179 <strong>-w<\/strong> example.cap<\/pre>\n\n\n\n<p><strong>Reading BGP packets from a file<\/strong><\/p>\n\n\n\n<p>We need the &#8222;-r&#8220; switch:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump <strong>-r <\/strong>example.cap tcp port 179<\/pre>\n\n\n\n<p>where the output will look like:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">15:40:26.554409 IP 10.0.0.2.35184 &gt; 10.0.0.1.bgp: Flags [S], seq 3430895318, win 16384, options [mss 1460], length 0\n15:40:26.564460 IP 10.0.0.1.bgp &gt; 10.0.0.2.35184: Flags [S.], seq 250722276, ack 3430895319, win 16384, options [mss 1460], length 0\n15:40:26.574573 IP 10.0.0.2.35184 &gt; 10.0.0.1.bgp: Flags [.], ack 1, win 16384, length 0\n15:40:26.574590 IP 10.0.0.2.35184 &gt; 10.0.0.1.bgp: Flags [.], seq 1:46, ack 1, win 16384, length 45: BGP, length: 45\n15:40:26.584639 IP 10.0.0.1.bgp &gt; 10.0.0.2.35184: Flags [.], seq 1:46, ack 46, win 16339, length 45: BGP, length: 45\n
15:40:26.584681 IP 10.0.0.1.bgp &gt; 10.0.0.2.35184: Flags [.], seq 46:65, ack 46, win 16339, length 19: BGP, length: 19<\/pre>\n\n\n\n<div>where the first three packets here are the TCP three-way handshake (TWH).<\/div>\n\n\n\n<p>If we need to print all the packet info, try:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong><span style=\"color:#0693e3\" class=\"color\">tcpdump <span style=\"background-color: #ffffe0;\">-v<\/span> -r r1.1-bgp.cap tcp port 179 <\/span><\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">15:40:26.554409 IP (tos 0xc0, ttl 1, id 64760, offset 0, flags [none], proto TCP (6), length 44)\n    10.0.0.2.35184 &gt; 10.0.0.1.bgp: Flags [S], cksum 0x9eaa (correct), seq 3430895318, win 16384, options [mss 1460], length 0\n15:40:26.564460 IP (tos 0xc0, ttl 255, id 17186, offset 0, flags [none], proto TCP (6), length 44)\n    10.0.0.1.bgp &gt; 10.0.0.2.35184: Flags [S.], cksum 0xd7c3 (correct), seq 250722276, ack 3430895319, win 16384, options [mss 1460], length 0\n15:40:26.574573 IP (tos 0xc0, ttl 1, id 64761, offset 0, flags [none], proto TCP (6), length 40)\n    10.0.0.2.35184 &gt; 10.0.0.1.bgp: Flags [.], cksum 0xef80 (correct), ack 1, win 16384, length 0\n15:40:26.574590 IP (tos 0xc0, ttl 1, id 64762, offset 0, flags [none], proto TCP (6), length 85)\n    10.0.0.2.35184 &gt; 10.0.0.1.bgp: Flags [.], cksum 0xc87d (correct), seq 1:46, ack 1, win 16384, length 45: BGP, length: 45\n        Open Message (1), length: 45\n          Version 4, my AS 100, Holdtime 180s, ID ARennes-651-1-107-2.w2-2.abo.wanadoo.fr\n          Optional parameters, length: 16\n            Option Capabilities Advertisement (2), length: 6\n              Multiprotocol Extensions (1), length: 4\n                AFI IPv4 (1), SAFI Unicast (1)\n            Option Capabilities Advertisement (2), length: 2\n              Route Refresh (Cisco) (128), length: 0\n            Option Capabilities Advertisement (2), length: 2\n              Route Refresh (2), length: 0\n<\/pre>","protected":false},"excerpt":{"rendered":"<p style=\"margin-top: 0px; 
margin-bottom: 0px; line-height: 13.1875px;\">\n\tWe should use&nbsp;<em>tcpdump&nbsp;<\/em>tool to read BGP routing messages, of course, several ways are available.<\/p>\n<p style=\"margin-top: 0px; margin-bottom: 0px; line-height: 13.1875px;\">\n\t<strong>Capturing BGP packets on the fly<\/strong><\/p>\n<pre style=\"line-height: 13.1875px;\">\r\ntcpdump -i eth0 tcp proto 179\r\n<\/pre>\n<p style=\"margin-top: 0px; margin-bottom: 0px; line-height: 13.1875px;\">\n\twhere BGP ip protocol number is 89, and the protocol field is the 9th octet on the ip header.<\/p>","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[685],"tags":[],"class_list":["post-577","post","type-post","status-publish","format-standard","hentry","category-linux_-_howto-en"],"taxonomy_info":{"category":[{"value":685,"label":"Linux - HOWTO"}]},"featured_image_src_large":false,"author_info":{"display_name":"admin","author_link":"https:\/\/nil.uniza.sk\/en\/author\/admin\/"},"comment_info":9,"category_info":[{"term_id":685,"name":"Linux - HOWTO","slug":"linux_-_howto-en","term_group":0,"term_taxonomy_id":683,"taxonomy":"category","description":"","parent":0,"count":71,"filter":"raw","cat_ID":685,"category_count":71,"category_description":"","cat_name":"Linux - 
HOWTO","category_nicename":"linux_-_howto-en","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/577","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=577"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/577\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=577"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}