Created
September 2, 2020 20:38
tcpdump: filter non-keepalive BGP packets
```sh
# Background: a tcpdump of BGP has lots of noise due to KEEPALIVE packets.
# Filter the packets:
#   port 179                         -> default BGP port (TCP 179)
#   (tcp[tcpflags] & tcp-push != 0)  -> output is hard to read with bare ACKs, so keep only PSH segments
#   ip[70] != 0x04                   -> found by trial and error while examining packets with the -X flag;
#       with a 20-byte IP header and a 32-byte TCP header (20 bytes + 12 bytes of options) the BGP type
#       byte sits at IP offset 20 + 32 + 16 (marker) + 2 (length) = 70, and type 0x04 is KEEPALIVE,
#       see https://en.wikipedia.org/wiki/Border_Gateway_Protocol#Message_header_format
# The expression is quoted so the shell does not interpret the parentheses, brackets and '&'.
sudo tcpdump 'port 179 and (tcp[tcpflags] & tcp-push != 0) and ip[70] != 0x04'
# then, add a timeout (or a packet counter with -c) and write to a file;
# tcpdump options such as -w must come before the filter expression
sudo timeout -k 1s 10m tcpdump -w /tmp/yourfile.pcap ...
# then, analyze the file
tcpdump -r /tmp/yourfile.pcap
```
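The `ip[70]` byte in the filter above is only the BGP type byte when the IPv4 header is 20 bytes and the TCP header is 32 bytes (20 bytes plus the usual 12-byte NOP/NOP/Timestamp option block). The following Python script is an added example, not code from the gist: it builds constructed IPv4/TCP packets carrying BGP messages (checksums left zero), locates the type byte from the IHL and TCP data-offset fields instead of a fixed offset, and emulates the gist's filter with BPF semantics (an out-of-bounds byte load makes the whole filter fail). It shows that the type byte moves from `ip[70]` to `ip[58]` when the TCP segment has no options, and that a 23-byte End-of-RIB UPDATE without options is then silently dropped by the hardcoded filter. All packet contents, option bytes and the helper names are constructed for this example.

```python
import struct

BGP_PORT = 179                      # default BGP port (TCP)
BGP_MARKER = b"\xff" * 16           # 16-byte all-ones marker that opens every BGP message
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
TCP_PSH = 0x08
# Constructed: NOP, NOP, Timestamp (kind 8, length 10) option block, 12 bytes in total.
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8


def bgp_message(msg_type, body=b""):
    """Build a BGP message: marker, 2-byte total length, 1-byte type, body."""
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), msg_type) + body


def build_ipv4_tcp(payload, tcp_options=b"", flags=TCP_PSH | 0x10, sport=40000, dport=BGP_PORT):
    """Constructed IPv4/TCP packet without link layer; checksums are zero (irrelevant for offsets)."""
    tcp_hdr_len = 20 + len(tcp_options)
    if tcp_hdr_len % 4:
        raise ValueError("TCP options must pad the header to a multiple of 4 bytes")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, (tcp_hdr_len // 4) << 4, flags, 65535, 0, 0)
    tcp += tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def bgp_type_offset(pkt):
    """IP-relative offset of the BGP type byte, derived from IHL and the TCP data offset.
    Returns None unless the packet is a TCP segment carrying at least one full BGP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return None
    tcp_hdr_len = (pkt[ihl + 12] >> 4) * 4
    bgp_start = ihl + tcp_hdr_len
    if len(pkt) < bgp_start + 19 or pkt[bgp_start:bgp_start + 16] != BGP_MARKER:
        return None
    return bgp_start + 18           # marker (16) + length (2) -> type byte


def classify(pkt):
    """Name of the BGP message type carried by the packet, or None if there is none."""
    off = bgp_type_offset(pkt)
    if off is None:
        return None
    return BGP_TYPES.get(pkt[off], "UNKNOWN")


def matches_gist_filter(pkt):
    """Emulate 'port 179 and tcp[tcpflags] & tcp-push != 0 and ip[70] != 0x04'.
    BPF rejects the packet when a byte load is out of range, so packets of 70 bytes or less fail."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if BGP_PORT not in (sport, dport):
        return False
    if not pkt[ihl + 13] & TCP_PSH:
        return False
    if len(pkt) <= 70:
        return False
    return pkt[70] != 0x04


if __name__ == "__main__":
    samples = {
        "keepalive + timestamps": build_ipv4_tcp(bgp_message(4), TS_OPTIONS),
        "update + timestamps": build_ipv4_tcp(bgp_message(2, b"\x00" * 4), TS_OPTIONS),
        "keepalive, no options": build_ipv4_tcp(bgp_message(4)),
        "update, no options": build_ipv4_tcp(bgp_message(2, b"\x00" * 4)),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} type byte at ip[{bgp_type_offset(pkt)}]  {classify(pkt):10s}"
              f"  gist filter keeps it: {matches_gist_filter(pkt)}")
```

The hardcoded offset works for the gist author's captures because Linux peers normally negotiate TCP timestamps; against a peer that sends no options, small UPDATEs disappear from the capture. pcap-filter's arithmetic index syntax gives a header-length-independent variant that the gist does not use, `tcp[((tcp[12]&0xf0)>>2)+18] != 0x04`, which reads the type byte relative to the start of the TCP header whatever its option length.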