
Parsing BGP packets using tcpdump

tcpdump can read BGP routing messages in several ways; the common ones are shown below.

Capturing BGP packets on the fly

tcpdump -i eth0 tcp port 179

BGP runs over TCP on port 179, so this filter selects every BGP segment seen on the interface.

The same filter can also be written with the service name, which tcpdump resolves through /etc/services (this is also why the output below prints the port as .bgp):

tcpdump -i eth0 tcp port bgp

Writing captured packets to a file

tcpdump -i eth0 tcp port 179 -w example.cap

Reading BGP packets from a file

We need the “-r” switch:

tcpdump -r example.cap tcp port 179

where the output will look like:

15:40:26.554409 IP 10.0.0.2.35184 > 10.0.0.1.bgp: Flags [S], seq 3430895318, win 16384, options [mss 1460], length 0
15:40:26.564460 IP 10.0.0.1.bgp > 10.0.0.2.35184: Flags [S.], seq 250722276, ack 3430895319, win 16384, options [mss 1460], length 0
15:40:26.574573 IP 10.0.0.2.35184 > 10.0.0.1.bgp: Flags [.], ack 1, win 16384, length 0
15:40:26.574590 IP 10.0.0.2.35184 > 10.0.0.1.bgp: Flags [.], seq 1:46, ack 1, win 16384, length 45: BGP, length: 45
15:40:26.584639 IP 10.0.0.1.bgp > 10.0.0.2.35184: Flags [.], seq 1:46, ack 46, win 16339, length 45: BGP, length: 45
15:40:26.584681 IP 10.0.0.1.bgp > 10.0.0.2.35184: Flags [.], seq 46:65, ack 46, win 16339, length 19: BGP, length: 19

where the first three packets are the TCP three-way handshake (TWH); the next two carry a 45-byte BGP message in each direction, and the last a 19-byte BGP message (19 bytes is the size of a bare BGP header).

To print the full decode of each packet, add -v:

tcpdump -v -r r1.1-bgp.cap tcp port 179 
15:40:26.554409 IP (tos 0xc0, ttl 1, id 64760, offset 0, flags [none], proto TCP (6), length 44)
    10.0.0.2.35184 > 10.0.0.1.bgp: Flags [S], cksum 0x9eaa (correct), seq 3430895318, win 16384, options [mss 1460], length 0
15:40:26.564460 IP (tos 0xc0, ttl 255, id 17186, offset 0, flags [none], proto TCP (6), length 44)
    10.0.0.1.bgp > 10.0.0.2.35184: Flags [S.], cksum 0xd7c3 (correct), seq 250722276, ack 3430895319, win 16384, options [mss 1460], length 0
15:40:26.574573 IP (tos 0xc0, ttl 1, id 64761, offset 0, flags [none], proto TCP (6), length 40)
    10.0.0.2.35184 > 10.0.0.1.bgp: Flags [.], cksum 0xef80 (correct), ack 1, win 16384, length 0
15:40:26.574590 IP (tos 0xc0, ttl 1, id 64762, offset 0, flags [none], proto TCP (6), length 85)
    10.0.0.2.35184 > 10.0.0.1.bgp: Flags [.], cksum 0xc87d (correct), seq 1:46, ack 1, win 16384, length 45: BGP, length: 45
        Open Message (1), length: 45
          Version 4, my AS 100, Holdtime 180s, ID ARennes-651-1-107-2.w2-2.abo.wanadoo.fr
          Optional parameters, length: 16
            Option Capabilities Advertisement (2), length: 6
              Multiprotocol Extensions (1), length: 4
                AFI IPv4 (1), SAFI Unicast (1)
            Option Capabilities Advertisement (2), length: 2
              Route Refresh (Cisco) (128), length: 0
            Option Capabilities Advertisement (2), length: 2
              Route Refresh (2), length: 0
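The OPEN message that tcpdump decoded above can be checked field by field with a small parser. The following is an added example, not code from the original post or from tcpdump: it builds a constructed 45-byte OPEN carrying the same values as the decode (version 4, AS 100, hold time 180 s, one Multiprotocol Extensions capability for AFI IPv4 / SAFI Unicast and the two Route Refresh capabilities) plus a constructed 19-byte header-only message, then parses them with explicit bounds checks so that a truncated or inconsistent message raises an error instead of being misread. The BGP identifier 10.0.0.2 is an assumption: tcpdump printed the identifier above as a hostname because it reverse-resolved the address; running tcpdump with -n shows the raw value.

```python
"""Bounds-checked parser for BGP message headers and OPEN messages (added example)."""
import ipaddress
import struct

BGP_HEADER_LEN = 19          # 16-byte marker + 2-byte length + 1-byte type
BGP_MAX_LEN = 4096           # RFC 4271 maximum message size
BGP_MARKER = b"\xff" * 16
MSG_TYPES = {1: "Open", 2: "Update", 3: "Notification", 4: "Keepalive", 5: "Route Refresh"}
CAP_NAMES = {1: "Multiprotocol Extensions", 2: "Route Refresh", 128: "Route Refresh (Cisco)"}


class BgpParseError(ValueError):
    """Raised for any header or field that does not fit the bytes actually present."""


def parse_header(data):
    """Validate the 19-byte header and return length/type; never trusts the length field blindly."""
    if len(data) < BGP_HEADER_LEN:
        raise BgpParseError("short header: %d bytes" % len(data))
    marker, length, msg_type = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise BgpParseError("bad marker")
    if length < BGP_HEADER_LEN or length > BGP_MAX_LEN:
        raise BgpParseError("invalid length field %d" % length)
    if length > len(data):
        raise BgpParseError("length field %d exceeds %d bytes present" % (length, len(data)))
    return {"length": length, "type": msg_type, "type_name": MSG_TYPES.get(msg_type, "Unknown")}


def parse_capabilities(blob):
    """Decode the TLVs inside one Capabilities Advertisement (parameter type 2)."""
    caps, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise BgpParseError("truncated capability TLV")
        code, clen = blob[off], blob[off + 1]
        value = blob[off + 2:off + 2 + clen]
        if len(value) != clen:
            raise BgpParseError("capability length %d exceeds parameter" % clen)
        cap = {"code": code, "name": CAP_NAMES.get(code, "Unknown"), "length": clen}
        if code == 1 and clen == 4:                      # Multiprotocol Extensions: AFI, reserved, SAFI
            cap["afi"], _reserved, cap["safi"] = struct.unpack("!HBB", value)
        caps.append(cap)
        off += 2 + clen
    return caps


def parse_open(data):
    """Parse an OPEN message: fixed fields, then optional parameters with their capabilities."""
    hdr = parse_header(data)
    if hdr["type"] != 1:
        raise BgpParseError("not an OPEN message (type %d)" % hdr["type"])
    body = data[BGP_HEADER_LEN:hdr["length"]]
    if len(body) < 10:
        raise BgpParseError("short OPEN body")
    version, my_as, holdtime, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
    params = body[10:]
    if len(params) != opt_len:
        raise BgpParseError("optional parameter length %d, but %d bytes present" % (opt_len, len(params)))
    caps, off = [], 0
    while off < opt_len:
        if off + 2 > opt_len:
            raise BgpParseError("truncated optional parameter")
        ptype, plen = params[off], params[off + 1]
        pval = params[off + 2:off + 2 + plen]
        if len(pval) != plen:
            raise BgpParseError("parameter length %d exceeds remaining bytes" % plen)
        if ptype == 2:
            caps.extend(parse_capabilities(pval))
        off += 2 + plen
    return {"length": hdr["length"], "version": version, "my_as": my_as, "holdtime": holdtime,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "opt_len": opt_len, "capabilities": caps}


# Constructed sample: the OPEN from the decode above (identifier 10.0.0.2 is an assumption).
SAMPLE_OPEN = (
    BGP_MARKER
    + struct.pack("!HB", 45, 1)                                      # length 45, type Open
    + struct.pack("!BHH4sB", 4, 100, 180, ipaddress.IPv4Address("10.0.0.2").packed, 16)
    + bytes([2, 6, 1, 4, 0x00, 0x01, 0x00, 0x01])                    # Capabilities: MP-Ext AFI 1 / SAFI 1
    + bytes([2, 2, 128, 0])                                          # Capabilities: Route Refresh (Cisco)
    + bytes([2, 2, 2, 0])                                            # Capabilities: Route Refresh
)
# Constructed sample: a header-only 19-byte message (type 4, Keepalive).
SAMPLE_KEEPALIVE = BGP_MARKER + struct.pack("!HB", 19, 4)


def is_well_formed(data):
    """True if the bytes parse as a sane header; used to screen a stream before deeper decoding."""
    try:
        parse_header(data)
        return True
    except BgpParseError:
        return False


if __name__ == "__main__":
    print(parse_open(SAMPLE_OPEN))
    print(parse_header(SAMPLE_KEEPALIVE))
```

The parser deliberately checks the advertised length against the bytes present at every level (header, optional parameters, capability TLVs), which is the check a decoder needs before trusting any length field taken off the wire.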

2 Comments

  1. Marc

    Hi!
    Thanks a lot for the tutorial.
    Unfortunately in some of the tcpdump commands there is an error:
    – the correct commands would be like “tcpdump -i eth0 tcp port 179”
    – instead it says “tcpdump -i eth0 tcp proto 179”
    So it would be great if you could replace the proto with port.
    Best regards
