IRL BGP Microscope

PCAP2BGP - Extract BGP messages from pcap files

pcap2bgp reads the given pcap file(s), reassembles the TCP data streams, and extracts the embedded BGP messages. The BGP messages are displayed in the plain BGP text format, for example:
BGP4MP|1052452919|A||3727||3727 6730 8640|IGP||...
We also support saving BGP messages in MRT format, which can then be read by common MRT parsers such as bgpdump or bgpparser. This is particularly useful when the BGP endpoints are commodity boxes that cannot export BGP messages in MRT format themselves.

Similar to programs like 'tcpflow', pcap2bgp reconstructs the actual TCP data streams. pcap2bgp understands TCP sequence numbers and constructs the data stream correctly regardless of TCP retransmissions, duplication, and out-of-order delivery. However, instead of emitting the raw TCP data stream, pcap2bgp goes one step further and extracts and outputs the BGP messages carried in the stream.

Example Usage

$ pcap2bgp tcp.dmp                         # Read tcp.dmp and output BGP messages
$ pcap2bgp -f "host" tcp.dmp               # Output with a host filter
$ pcap2bgp --mrt --output=bgp.mrt tcp.dmp  # Save to bgp.mrt in MRT format
$ pcap2bgp --mrt tcp.dmp | bgpparser -m    # Pipe the MRT output to bgpparser (or bgpdump)


Known Issues

Currently, handling of TCP sequence-number wrap-around is best effort: a BGP message that straddles the sequence boundary may be skipped. This can happen roughly once per wrap-around (every 2^32 bytes of stream data).
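The reassembly described above (sequence-number tracking across retransmissions, duplicates and out-of-order segments) and the wrap-around case in this note are illustrated by the following added Python example. It is example code written for this page, not pcap2bgp's own implementation: the TcpReassembler class, the extract_bgp framing function, and the sample segments (two KEEPALIVEs around an empty UPDATE, delivered out of order across the 2^32 boundary with one retransmission) are all constructed here.

```python
"""Added example (not pcap2bgp's own code): rebuild one direction of a TCP
stream from unordered/duplicated segments that straddle the 32-bit sequence
wrap, then frame BGP messages (RFC 4271 header) out of the byte stream."""
import struct

BGP_MARKER = b"\xff" * 16          # every BGP message starts with 16 bytes of 0xff
BGP_HEADER_LEN = 19                # marker (16) + length (2) + type (1)
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
SEQ_MASK = 0xFFFFFFFF


def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (negative if a precedes b).
    This is what makes comparisons across the 2^32 wrap come out right."""
    d = (a - b) & SEQ_MASK
    return d - (1 << 32) if d & 0x80000000 else d


class TcpReassembler:
    """Rebuilds one direction of a TCP stream from payload segments that may be
    out of order, duplicated, retransmitted, or cross the sequence wrap."""

    def __init__(self, first_seq):
        self.expected = first_seq & SEQ_MASK   # seq of the next byte we need
        self.pending = {}                      # seq -> payload that arrived early
        self.stream = bytearray()              # contiguous reassembled bytes

    def add(self, seq, payload):
        self.pending[seq & SEQ_MASK] = payload  # a later copy simply replaces it
        self._drain()

    def _drain(self):
        progressed = True
        while progressed:
            progressed = False
            for seq in list(self.pending):
                data = self.pending[seq]
                d = seq_diff(seq, self.expected)
                if d > 0:
                    continue                   # hole before this segment: keep it
                del self.pending[seq]
                if d + len(data) <= 0:
                    continue                   # only old bytes: duplicate/retransmit
                self.stream += data[-d:]       # d <= 0, so this trims any overlap
                self.expected = (self.expected + len(data) + d) & SEQ_MASK
                progressed = True


def extract_bgp(stream):
    """Frame BGP messages from a reassembled stream. Resynchronises on the
    marker because a capture usually starts in the middle of a session."""
    msgs = []
    pos = stream.find(BGP_MARKER)
    while pos != -1 and pos + BGP_HEADER_LEN <= len(stream):
        length, mtype = struct.unpack_from("!HB", stream, pos + 16)
        if length < BGP_HEADER_LEN or pos + length > len(stream):
            break                              # malformed, or truncated (e.g. lost at the wrap)
        msgs.append((BGP_TYPES.get(mtype, "UNKNOWN"), bytes(stream[pos:pos + length])))
        pos += length
        if stream[pos:pos + 16] != BGP_MARKER:
            pos = stream.find(BGP_MARKER, pos)  # lost alignment: hunt for the next marker
    return msgs


def sample_wire():
    """Constructed 61-byte BGP byte stream: KEEPALIVE, empty UPDATE, KEEPALIVE."""
    keepalive = BGP_MARKER + struct.pack("!HB", 19, 4)
    empty_update = BGP_MARKER + struct.pack("!HB", 23, 2) + b"\x00\x00\x00\x00"
    return keepalive + empty_update + keepalive


def demo():
    """Deliver the sample stream as three segments starting 16 bytes before the
    sequence wrap, out of order and with one retransmission (constructed input)."""
    wire = sample_wire()
    isn = 0xFFFFFFF0
    chunks = [(isn, wire[:10]), (isn + 10, wire[10:30]), (isn + 30, wire[30:])]
    capture_order = [chunks[1], chunks[2], chunks[0], chunks[0]]
    r = TcpReassembler(isn)
    for seq, data in capture_order:
        r.add(seq, data)
    return r, extract_bgp(r.stream)


if __name__ == "__main__":
    reassembler, messages = demo()
    for mtype, raw in messages:
        print(mtype, len(raw), "bytes")
```

Feeding the same stream cut short of the last header (`extract_bgp(sample_wire()[:50])`) yields only two messages, which is the shape of the skipped-message case described in the note: a header whose body never arrives is dropped rather than guessed at.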

Because a TCP trace can be taken anywhere in the middle of a BGP session, this program does not see the BGP OPEN exchange that negotiates capabilities. Therefore, by default, it assumes 2-byte AS numbers and outputs MRT records of type BGP4MP/BGP4MP_MESSAGE. This works fine in practice because the MRT parsers (bgpdump, bgpparser) usually check the AS number width themselves. However, if the captured stream contains only 4-byte AS sessions, the option --use-mrt-as4 can be used to force output of BGP4MP/BGP4MP_MESSAGE_AS4 records.
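To make the difference between the two MRT subtypes concrete, here is an added Python example (written for this page, not pcap2bgp's code) that wraps a raw BGP message in an MRT BGP4MP record per RFC 6396 and decodes it back. The mrt_bgp4mp and parse_bgp4mp functions, the needs_as4 check, and the sample values (the timestamp and AS 3727 from the text-format line above, the 10.0.0.x addresses, and the KEEPALIVE) are constructed for the example; the MRT type and subtype numbers are the standard ones.

```python
"""Added example (not pcap2bgp's own code): encode/decode MRT BGP4MP records,
choosing between BGP4MP_MESSAGE (2-byte AS) and BGP4MP_MESSAGE_AS4 (4-byte AS)."""
import ipaddress
import struct

MRT_TYPE_BGP4MP = 16       # RFC 6396 MRT type
BGP4MP_MESSAGE = 1         # subtype with 2-byte peer/local AS fields
BGP4MP_MESSAGE_AS4 = 4     # subtype with 4-byte peer/local AS fields
AFI_IPV4, AFI_IPV6 = 1, 2
MRT_HEADER_LEN = 12        # timestamp (4) + type (2) + subtype (2) + length (4)


def needs_as4(peer_as, local_as):
    """True when either AS number cannot be carried in a 2-byte field."""
    return peer_as > 0xFFFF or local_as > 0xFFFF


def mrt_bgp4mp(timestamp, peer_as, local_as, peer_ip, local_ip, bgp_msg,
               as4=False, ifindex=0):
    """Build one MRT record carrying bgp_msg (the raw bytes of a BGP message)."""
    peer, local = ipaddress.ip_address(peer_ip), ipaddress.ip_address(local_ip)
    if peer.version != local.version:
        raise ValueError("peer and local addresses must share an address family")
    afi = AFI_IPV4 if peer.version == 4 else AFI_IPV6
    if as4:
        subtype = BGP4MP_MESSAGE_AS4
        body = struct.pack("!IIHH", peer_as, local_as, ifindex, afi)
    else:
        if needs_as4(peer_as, local_as):
            raise ValueError("AS number does not fit in 2 bytes; use as4=True")
        subtype = BGP4MP_MESSAGE
        body = struct.pack("!HHHH", peer_as, local_as, ifindex, afi)
    body += peer.packed + local.packed + bgp_msg
    header = struct.pack("!IHHI", timestamp, MRT_TYPE_BGP4MP, subtype, len(body))
    return header + body


def parse_bgp4mp(record):
    """Decode a BGP4MP_MESSAGE or BGP4MP_MESSAGE_AS4 record. The subtype decides
    the AS field width, which is the check an MRT reader has to make."""
    ts, mtype, subtype, length = struct.unpack_from("!IHHI", record, 0)
    if mtype != MRT_TYPE_BGP4MP or len(record) != MRT_HEADER_LEN + length:
        raise ValueError("not a complete BGP4MP record")
    off = MRT_HEADER_LEN
    if subtype == BGP4MP_MESSAGE_AS4:
        peer_as, local_as, _ifindex, afi = struct.unpack_from("!IIHH", record, off)
        off += 12
    elif subtype == BGP4MP_MESSAGE:
        peer_as, local_as, _ifindex, afi = struct.unpack_from("!HHHH", record, off)
        off += 8
    else:
        raise ValueError(f"unsupported BGP4MP subtype {subtype}")
    alen = 4 if afi == AFI_IPV4 else 16
    peer_ip = str(ipaddress.ip_address(record[off:off + alen]))
    off += alen
    local_ip = str(ipaddress.ip_address(record[off:off + alen]))
    off += alen
    return ts, subtype, peer_as, local_as, peer_ip, local_ip, record[off:]


if __name__ == "__main__":
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"          # constructed 19-byte KEEPALIVE
    rec = mrt_bgp4mp(1052452919, 3727, 65000, "10.0.0.1", "10.0.0.2", keepalive)
    print(parse_bgp4mp(rec)[:4])
    rec4 = mrt_bgp4mp(1052452919, 4200000000, 65000, "10.0.0.1", "10.0.0.2",
                      keepalive, as4=True)
    print(parse_bgp4mp(rec4)[:4])
```

The default path mirrors the program's default (subtype 1, 2-byte AS fields); a 4-byte-only session must be written with as4=True, which is the role --use-mrt-as4 plays for pcap2bgp, since a 2-byte field simply cannot hold an AS above 65535.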