This is another entry in my series of BGP study notes. In this post I will go through the details of BGP packet analysis using Wireshark.
Here is my topology for this laboratory:
Objective: To understand the BGP Packet types.
Let me show the BGP configurations of both R1 and R2 first before going into the details of the BGP packet types.
R1 Configurations:
R1#sh run | sec bgp
ipv6 multicast rpf use-bgp
router bgp 65000
bgp log-neighbor-changes
network 10.10.10.0 mask 255.255.255.0
neighbor 172.16.12.2 remote-as 65001
R2 Configurations:
R2#sh run | sec bgp
ipv6 multicast rpf use-bgp
router bgp 65001
bgp log-neighbor-changes
network 20.20.20.0 mask 255.255.255.0
neighbor 172.16.12.1 remote-as 65000
As soon as I had enabled BGP for the networks on R1 and R2, the BGP neighbors came up:
R1#
*Oct 6 14:22:59.123: %BGP-5-ADJCHANGE: neighbor 172.16.12.2 Up
R2(config-router)#
*Oct 6 14:22:58.675: %BGP-5-ADJCHANGE: neighbor 172.16.12.1 Up
Checking the status of the BGP neighbor with the command "show ip bgp summary":
R1#sh ip bgp summary
BGP router identifier 10.10.10.10, local AS number 65000
BGP table version is 7, main routing table version 7
2 network entries using 288 bytes of memory
2 path entries using 160 bytes of memory
2/2 BGP path/bestpath attribute entries using 272 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 744 total bytes of memory
BGP activity 4/2 prefixes, 4/2 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.12.2 4 65001 31 30 7 0 0 00:23:16 1
R1#
Let's check the BGP database with the command "show ip bgp":
R1#show ip bgp
BGP table version is 7, local router ID is 10.10.10.10
Status codes: s suppressed, d damped, h history, * valid, > best, i – internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i – IGP, e – EGP, ? – incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 10.10.10.0/24 0.0.0.0 0 32768 i
*> 20.20.20.0/24 172.16.12.2 0 0 65001 i
Learning Points:
The output of "show ip bgp" tells us the following:
1. The network 10.10.10.0/24 is a valid route (*) and the best route (>); the next hop of 0.0.0.0 tells us that the network is originated by R1 itself.
2. The default Weight is 32768 because the route was advertised by the local router R1.
3. The network 20.20.20.0/24 is a valid route (*) and the best route (>), reachable via 172.16.12.2 and advertised from AS 65001.
4. The > means that it is the best path towards the destination network and it will be installed in the routing table.
Let's check the routing table:
R1#show ip route bgp
Codes: L – local, C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route, H – NHRP, l – LISP
+ – replicated route, % – next hop override
Gateway of last resort is not set
20.0.0.0/24 is subnetted, 1 subnets
B 20.20.20.0 [20/0] via 172.16.12.2, 00:31:33
That was just an overview of how BGP peering is created, how to check whether the BGP neighbors have formed, how to check the BGP database, how to identify valid and best routes, and that a route marked *> is the one installed in the routing table. Now let me go through the packet-level analysis of BGP.
So here are the 4 BGP packet types.
First, let me shut down the BGP neighbor on R2, enable it again and capture the traffic with Wireshark.
R2(config-router)#neighbor 172.16.12.1 shutdown
*Oct 6 14:59:20.655: %BGP-5-NBR_RESET: Neighbor 172.16.12.1 reset (Admin. shutdown)
*Oct 6 14:59:20.671: %BGP-5-ADJCHANGE: neighbor 172.16.12.1 Down Admin. shutdown
*Oct 6 14:59:20.671: %BGP_SESSION-5-ADJCHANGE: neighbor 172.16.12.1 IPv4 Unicast topology base removed from session Admin. shutdown
Enabling back:
R2(config-router)#no neighbor 172.16.12.1 shutdown
*Oct 6 14:59:46.615: %BGP-5-ADJCHANGE: neighbor 172.16.12.1 Up
Below is the Wireshark capture of the BGP packet types. Let me go through the results.
1. BGP uses TCP port 179 to establish connections.
2. BGP uses the TCP three-way handshake to establish the BGP session.
3. Once the three-way handshake is completed, Open messages are exchanged between R1 and R2. Open messages contain parameters such as the BGP Version, AS Number, Hold Time and BGP Identifier, plus some optional parameters.
4. Keepalive messages are exchanged between R1 and R2. Their main purpose is to ensure that both routers are still reachable. By default a BGP keepalive is sent every 60 seconds, and if a neighbor does not receive a keepalive message within 180 seconds it will flush the routes learned from that neighbor from its routing table.
5. The Update message means that the BGP neighbors have started exchanging routing information. In the Wireshark output we can see fields such as Withdrawn Routes, Total Path Attribute Length, Path Attributes and the NLRI details.
Taking a closer look at the Open message
Below is the information included in the Open message:
1. Version (in this case BGP version 4)
2. AS Number (the AS number of R1, which is 65000)
3. Hold Time (180 seconds, or 3 times the Keepalive interval)
4. BGP Identifier (as I am looking at the Open message sent by R1, this is its Loopback 1 address)
5. Optional Parameters, e.g. the Route Refresh capability and Multiprotocol Extensions
Learning Points:
1. A Keepalive message has a total length of 19 bytes.
2. Keepalives are sent every 60 seconds.
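To tie the Open message fields and the 19-byte Keepalive above back to the bytes on the wire, here is an added example (my own code, not part of the original lab) that builds R1's Open message and a Keepalive from constructed bytes and decodes them with the same header and field layout that Wireshark dissects; the capability codes and the constructed byte values are assumptions chosen to match the lab values.

```python
import struct
from ipaddress import IPv4Address

MARKER = b"\xff" * 16
TYPES = {1: "OPEN", 2: "UPDATE", 3: "KEEPALIVE", 4: "NOTIFICATION"}
CAPABILITIES = {1: "Multiprotocol Extensions", 2: "Route Refresh"}   # RFC 5492 codes

def parse_header(msg):
    """Validate the 19-byte header (16-byte marker, length, type); return (type name, body)."""
    if len(msg) < 19 or msg[:16] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg):
        raise ValueError("length field does not match the message")
    return TYPES[mtype], msg[19:]

def parse_open(body):
    """Decode the fixed OPEN fields and the capabilities in the optional parameters."""
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    caps, params = [], body[10:10 + opt_len]
    while params:                          # each parameter: type, length, value
        ptype, plen = params[0], params[1]
        value, params = params[2:2 + plen], params[2 + plen:]
        if ptype == 2:                     # Capabilities parameter: code, length, value
            while value:
                code, clen = value[0], value[1]
                caps.append(CAPABILITIES.get(code, "code %d" % code))
                value = value[2 + clen:]
    return {"version": version, "as": my_as, "hold_time": hold, "keepalive": hold // 3,
            "bgp_id": str(IPv4Address(bgp_id)), "capabilities": caps}

def decode(msg):
    """Dispatch on the header type; OPEN bodies are decoded, other bodies returned raw."""
    name, body = parse_header(msg)
    return name, (parse_open(body) if name == "OPEN" else body)

# Constructed OPEN as R1 (AS 65000, hold time 180, router ID 10.10.10.10) would send it,
# announcing Multiprotocol (AFI 1 / SAFI 1, IPv4 unicast) and Route Refresh (assumed values).
R1_OPEN = (MARKER + struct.pack("!HB", 39, 1)
           + struct.pack("!BHHIB", 4, 65000, 180, int(IPv4Address("10.10.10.10")), 10)
           + bytes([2, 8, 1, 4, 0, 1, 0, 1, 2, 0]))
# A KEEPALIVE is nothing but the header, hence the 19-byte length seen in the capture.
KEEPALIVE = MARKER + struct.pack("!HB", 19, 3)
```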
So what about the Update message?
So what is inside the captured message?
1. Marker, Length, Withdrawn Routes, Total Path Attribute Length, Path Attributes and the Network Layer Reachability Information (NLRI).
2. The NLRI is simply the prefix that is advertised into BGP.
3. We can also see the attribute flags on each of the Path Attributes.
4. Based on the attribute flags, Origin, AS Path and Next Hop are Transitive, while the MED (metric) attribute is Optional.
The last BGP packet type, the Notification message, is sent out when a BGP session is terminated.
Let me change the AS of R2 to generate a Notification message.
R2(config-router)#router bgp 65002
R2(config-router)#neighbor 172.16.12.1 remote-as 65000
R2(config-router)#
Learning Points:
1. As observed above, the Notification message Error Code shows Bad Peer AS.
2. Other possible errors include an incorrect BGP Identifier, a Hold Time that differs from the BGP peer's, or a mismatched BGP Version. Notice that these are the same parameters that were negotiated in the Open message.
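As an added example covering both the Update attribute flags and the Notification error codes discussed above (my own code, not from the original lab), this parser decodes a constructed Update from R2 for 20.20.20.0/24, reporting the Optional and Transitive flag bits per attribute, and a constructed Notification carrying the Bad Peer AS error; the byte values are assumptions built to match the lab.

```python
import struct
MARKER = b"\xff" * 16
ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC"}
# NOTIFICATION error codes and OPEN-error subcodes from RFC 4271 (subset)
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error", 6: "Cease"}
OPEN_SUBCODES = {1: "Unsupported Version Number", 2: "Bad Peer AS", 3: "Bad BGP Identifier"}
def body_of(msg):
    """Check marker and length of the 19-byte header; return (type, body)."""
    length, mtype = struct.unpack("!HB", msg[16:19])
    if msg[:16] != MARKER or length != len(msg):
        raise ValueError("malformed BGP header")
    return mtype, msg[19:]
def parse_update(body):
    """Return the path attributes (with decoded flag bits) and the NLRI prefixes."""
    wlen = struct.unpack("!H", body[:2])[0]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs, pos, end = [], 4 + wlen, 4 + wlen + alen
    while pos < end:
        flags, code = body[pos], body[pos + 1]
        if flags & 0x10:                     # Extended Length bit: 2-byte length field
            vlen, pos = struct.unpack("!H", body[pos + 2:pos + 4])[0], pos + 4
        else:
            vlen, pos = body[pos + 2], pos + 3
        attrs.append({"name": ATTR_NAMES.get(code, "type %d" % code),
                      "optional": bool(flags & 0x80), "transitive": bool(flags & 0x40),
                      "value": body[pos:pos + vlen]})
        pos += vlen
    nlri = []
    while end < len(body):                   # each NLRI: prefix length + needed octets
        plen, n = body[end], (body[end] + 7) // 8
        octets = body[end + 1:end + 1 + n].ljust(4, b"\0")
        nlri.append("%s/%d" % (".".join(map(str, octets)), plen))
        end += 1 + n
    return attrs, nlri

def parse_notification(body):
    code, sub = body[0], body[1]
    subname = OPEN_SUBCODES.get(sub) if code == 2 else None
    return ERROR_CODES.get(code, "code %d" % code), subname or "subcode %d" % sub
# Constructed UPDATE as R2 (AS 65001) advertises 20.20.20.0/24 to R1:
# ORIGIN IGP, AS_PATH 65001, NEXT_HOP 172.16.12.2, MED 0, then the NLRI.
ATTRS = (bytes([0x40, 1, 1, 0])                                  # ORIGIN, well-known
         + bytes([0x40, 2, 4, 2, 1]) + struct.pack("!H", 65001)  # AS_SEQUENCE, one AS
         + bytes([0x40, 3, 4, 172, 16, 12, 2])                   # NEXT_HOP
         + bytes([0x80, 4, 4, 0, 0, 0, 0]))                      # MED: optional, non-transitive
UPDATE_BODY = struct.pack("!HH", 0, len(ATTRS)) + ATTRS + bytes([24, 20, 20, 20])
R2_UPDATE = MARKER + struct.pack("!HB", 19 + len(UPDATE_BODY), 2) + UPDATE_BODY
# Constructed NOTIFICATION seen once R2 moved to AS 65002: OPEN Message Error / Bad Peer AS
BAD_PEER_AS = MARKER + struct.pack("!HB", 21, 4) + bytes([2, 2])
```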
|
*********************************End of Lab****************************************