PCAP2BGP - Extract BGP messages from pcap files
pcap2bgp reads the given pcap file(s), reassembles the TCP data streams, and
gleans the embedded BGP messages. The BGP messages are displayed using the plain
BGP text format, for example:
BGP4MP|1052452930|W|198.58.5.254|3727|194.127.245.0/24
BGP4MP|1052452919|A|198.58.5.254|3727|195.28.224.0/19|3727 6730 8640|IGP|198.58.5.254|...
pcap2bgp can also save BGP messages in MRT format, which can then be read by
common MRT parsers such as bgpdump or bgpparser.
This is particularly useful when the BGP endpoints are commodity boxes that are
not able to export BGP messages in MRT format themselves.
Similar to programs like 'tcpflow', pcap2bgp reconstructs the actual TCP data
streams: it understands TCP sequence numbers and rebuilds each stream
regardless of TCP retransmissions, duplication, and out-of-sequence delivery.
However, instead of emitting the raw TCP data stream, pcap2bgp further extracts
and outputs the BGP messages carried in the stream.
Example Usage
$ pcap2bgp.pl tcp.dmp # Read tcp.dmp and output BGP messages
$ pcap2bgp.pl -f "host 127.0.0.1" tcp.dmp # Output with host filter
$ pcap2bgp.pl --mrt --output=bgp.mrt tcp.dmp # Save to bgp.mrt with MRT format
$ pcap2bgp.pl --mrt tcp.dmp | bgpparser -m # Pipe the MRT output to bgpparser (or bgpdump)
Known Issues
Currently, handling of TCP sequence-number wrap-around is best effort: one BGP
message spanning the sequence boundary could potentially be skipped.
This happens roughly once per wrap-around (every 2^32 bytes).
Because a TCP trace can be taken anywhere in the middle of a BGP session, this
program does not see the BGP option exchange. Therefore, by default, this
program assumes 2-byte AS numbers and outputs MRT messages using the
BGP4MP/BGP4MP_MESSAGE message type. This works fine given that the MRT parsers
(bgpdump, bgpparser) often do their own check on the AS numbers. However, if
the captured stream solely contains 4-byte BGP sessions, the option
--use-mrt-as4 can be used to force output of BGP4MP/BGP4MP_MESSAGE_AS4 messages.
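As an added illustration of the extraction step described above and of the mid-session capture case from the known issues (example code written for this page, not pcap2bgp's own Perl source), the following Python framer splits a reassembled TCP byte stream into BGP messages by marker, length and type, waits for a message that straddles two TCP segments, resynchronises on the next marker when the stream does not start on a message boundary, and decodes the withdrawn prefix of a constructed UPDATE. All bytes in the demo are constructed for this example.

```python
import struct
MARKER = b"\xff" * 16  # RFC 4271 BGP header marker: 16 bytes of all ones
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}

class BgpFramer:
    """Split a reassembled TCP byte stream into BGP messages (type, body)."""
    def __init__(self):
        self.buf = b""  # bytes received but not yet consumed
    def feed(self, data):
        """Append a TCP segment's payload; return the complete messages it yields."""
        self.buf += data
        out = []
        while len(self.buf) >= 19:  # 19 bytes = marker + length + type
            if self.buf[:16] != MARKER:
                # Out of sync (e.g. capture started mid-message): skip to next marker
                nxt = self.buf.find(MARKER, 1)
                self.buf = self.buf[nxt:] if nxt >= 0 else b""
                continue
            length, mtype = struct.unpack("!HB", self.buf[16:19])
            if not 19 <= length <= 4096:  # outside RFC 4271 bounds: treat as garbage
                self.buf = self.buf[1:]
                continue
            if len(self.buf) < length:
                break  # message straddles a segment boundary; wait for more data
            out.append((BGP_TYPES.get(mtype, f"TYPE{mtype}"), self.buf[19:length]))
            self.buf = self.buf[length:]
        return out

def withdrawn_prefixes(body):
    """Decode the Withdrawn Routes field of an UPDATE body as 'a.b.c.d/len'."""
    wlen = struct.unpack("!H", body[:2])[0]
    data, i, prefixes = body[2:2 + wlen], 0, []
    while i < len(data):
        plen, nbytes = data[i], (data[i] + 7) // 8
        octets = data[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append(".".join(map(str, octets)) + f"/{plen}")
        i += 1 + nbytes
    return prefixes

def build_withdraw(prefix, plen):
    """Constructed UPDATE withdrawing one prefix (no path attributes, no NLRI)."""
    w = bytes([plen]) + prefix
    body = struct.pack("!H", len(w)) + w + struct.pack("!H", 0)
    return MARKER + struct.pack("!HB", 19 + len(body), 2) + body

def demo():
    # Constructed stream: a KEEPALIVE followed by a withdraw of 194.127.245.0/24
    stream = MARKER + b"\x00\x13\x04" + build_withdraw(bytes([194, 127, 245]), 24)
    framer = BgpFramer()
    msgs = framer.feed(stream[:25]) + framer.feed(stream[25:])  # split mid-header
    return [(t, withdrawn_prefixes(b) if t == "UPDATE" else None) for t, b in msgs]
```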