Menu Close

Parsing OSPF packets using tcpdump

Sometimes we need to capture and parse OSPF packets for next analysis and we have a comand line only, in my case on linux server with dynamips. We should use tcpdump tool for this purpose, of course, several ways are available.

Capturing OSPF packets on the fly

tcpdump -i eth0 ip[9] == 89

where OSPF ip protocol number is 89, and the protocol field is the 9th octet on the ip header.

Another way is:

tcpdump -i eth0 proto ospf

Writing captured packets to a file

tcpdump -i eth0 proto ospf -w example.cap

Reading ospf packet from a file

We need the "-r" switch

tcpdump -r example.cap proto ospf

where tha output will look like

reading from file example.cap, link-type EN10MB (Ethernet)
11:15:45.372823 IP > OSPFv2, Hello, length 60
11:15:45.440657 IP > OSPFv2, Hello, length 60
11:15:55.400764 IP > OSPFv2, Hello, length 60
11:15:55.437823 IP > OSPFv2, Hello, length 60
11:16:05.399377 IP > OSPFv2, Hello, length 60
11:16:05.436417 IP > OSPFv2, Hello, length 60
11:16:15.371454 IP > OSPFv2, Hello, length 60
11:16:15.439414 IP > OSPFv2, Hello, length 60

If we need to print all the packet info, try:

tcpdump -v -r example.cap proto ospf

and we should be able to see OSPF packet detail

11:15:45.372823 IP (tos 0xc0, ttl 1, id 303, offset 0, flags [none], proto OSPF (89), length 80) > OSPFv2, Hello, length 60 [len 48]
        Router-ID, Backbone Area, Authentication Type: none (0)
        Options [External, LLS]
          Hello Timer 10s, Dead Timer 40s, Mask, Priority 1
          Designated Router, Backup Designated Router
          Neighbor List:
          LLS: checksum: 0xfff6, length: 3
            Extended Options (1), length: 4
              Options: 0x00000001 [LSDB resync]


-i defines capturing interface,

-r read from a file,

-v be verbose,

-vv be very verbose.

1/5 - (1 vote)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.