BGP Scanner is a performance-oriented utility to parse MRT RIB snapshots and updates, with filtering capabilities.
The bgpscanner utility reads one or more MRT RIB snapshots or update files, applies a set of filtering rules to every packet and dumps those that match the specified criteria in a human-readable format.
By default, bgpscanner reads data from standard input and writes to standard output. The most common use case, however, is to hand BGP Scanner an MRT file to parse, as in the examples below.
BGP Scanner supports uncompressed and compressed MRT files containing BGP data as specified in RFC 6396 and RFC 8050. Currently, BGP Scanner supports MRT files compressed with xz. MRT files can be produced by software such as ICE, Quagga, BIRD, FRR, OpenBGPD and ExaBGP.
Route collector projects such as Isolario, RouteViews and RIPE NCC RIS provide publicly accessible archives of BGP data they collect from hundreds of ASes all over the world.
BGP Scanner supports several filtering options that can be combined. The following rules apply:
- multiple values for the same option are AND-ed
- multiple options of the same type are OR-ed
- multiple options of different type are AND-ed
The available options can be divided into the categories below.
Prefix options
-e: exact prefix
-s: subnets (included or equal)
-u: supernets (including or equal)
-r: both supernets and subnets
For example, to print all the BGP packets containing supernets of (or exactly) 184.108.40.206/32, type:
bgpscanner -u 184.108.40.206/32 <mrt_file>
As explained above, it is possible to specify multiple options of the same type to get OR-like behavior. For example, to print all BGP packets containing either 22.214.171.124/24 or 126.96.36.199/24:
bgpscanner -e 22.214.171.124/24 -e 126.96.36.199/24 <mrt_file>
It is not possible to mix different prefix options, for example -e and -s, nor to specify multiple values for the same prefix option, for example -e "188.8.131.52/24 184.108.40.206/24".
The capital versions of the above options take their values from a file containing one or more values per line. For example, suppose you have a file named
prefixes.txt containing these prefixes:
220.127.116.11/24 18.104.22.168/24 22.214.171.124/8
Then you can print all the packets containing at least one of the prefixes in the list with:
bgpscanner -E prefixes.txt <mrt_file>
BGP Attributes options
-p: AS_PATH matches the supplied regular expression
-l: AS_PATH contains loops
-m: COMMUNITY contains the supplied community string
-t: the supplied attribute code is present in the packet
For example, to print BGP packets whose AS_PATH attribute ends with 137 2598 and that contain a LARGE_COMMUNITY attribute:
bgpscanner -p "137 2598$" -t LARGE_COMMUNITY <mrt_file>
The capital versions of the above options negate the filter. For example,
-L prints all the packets whose AS_PATH does NOT contain a loop.
Data source options
-a: BGP data announced by the supplied feeder AS. This can differ from the first AS of the AS_PATH for various reasons; for instance, a BGP message carrying only withdrawn routes carries no AS_PATH attribute at all, yet the feeder AS is still known from the MRT record.
-i: BGP data announced by the supplied feeder IP
For example, to print all the BGP packets coming from the feeder with IP address 188.8.131.52:
bgpscanner -i 188.8.131.52 <mrt_file>
The capital versions of the above options negate the filter.
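The distinction between the feeder AS selected by -a and the first AS of the AS_PATH becomes concrete when looking at how an MRT record is laid out. The following Python is an added example, not part of bgpscanner or of this page: it builds two constructed BGP4MP_MESSAGE_AS4 records in the RFC 6396 / RFC 8050 layout (an announcement and a withdraw-only UPDATE from the same feeder) and parses back the feeder AS and IP from the MRT header and the AS_PATH from the enclosed UPDATE. The feeder AS, addresses and ASNs in the sample are made up; the collector-side ("local") address and AS are placeholders.

```python
import ipaddress
import struct

# RFC 6396 / RFC 8050 constants used below (values from the RFCs, not from bgpscanner)
MRT_BGP4MP = 16
BGP4MP_MESSAGE_AS4 = 4
BGP_UPDATE = 2
ATTR_AS_PATH = 2
AS_SEQUENCE = 2


def encode_prefix(prefix):
    """BGP prefix encoding: length in bits followed by the minimum number of octets."""
    net = ipaddress.ip_network(prefix)
    return bytes([net.prefixlen]) + net.network_address.packed[: (net.prefixlen + 7) // 8]


def build_update(withdrawn=(), as_path=(), nlri=()):
    """Build a BGP UPDATE; an AS_PATH attribute is written only when a path is given."""
    wd = b"".join(encode_prefix(p) for p in withdrawn)
    attrs = b""
    if as_path:
        seg = bytes([AS_SEQUENCE, len(as_path)]) + struct.pack("!%dI" % len(as_path), *as_path)
        attrs += bytes([0x40, ATTR_AS_PATH, len(seg)]) + seg  # flags 0x40: well-known transitive
    body = struct.pack("!H", len(wd)) + wd + struct.pack("!H", len(attrs)) + attrs
    body += b"".join(encode_prefix(p) for p in nlri)
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body


def build_record(peer_as, peer_ip, bgp_msg, timestamp=0):
    """Wrap a BGP message in an MRT BGP4MP_MESSAGE_AS4 record (common header + body)."""
    peer = ipaddress.ip_address(peer_ip)
    afi = 1 if peer.version == 4 else 2
    # Collector-side address and AS are constructed placeholders.
    local = ipaddress.ip_address("192.0.2.1" if afi == 1 else "2001:db8::1")
    body = struct.pack("!IIHH", peer_as, 65000, 0, afi) + peer.packed + local.packed + bgp_msg
    return struct.pack("!IHHI", timestamp, MRT_BGP4MP, BGP4MP_MESSAGE_AS4, len(body)) + body


def decode_as_path(value):
    """Flatten AS_PATH segments (4-byte ASNs in an AS4 record) into a list of ASNs."""
    path, i = [], 0
    while i < len(value):
        count = value[i + 1]  # value[i] is the segment type; AS_SET members are flattened too
        path.extend(struct.unpack_from("!%dI" % count, value, i + 2))
        i += 2 + 4 * count
    return path


def parse_bgp4mp_as4(record):
    """Return (feeder AS, feeder IP, AS_PATH or None) for one BGP4MP_MESSAGE_AS4 record.

    The feeder AS and IP come from the MRT header written by the collector, so they are
    present even for a withdraw-only UPDATE, which carries no AS_PATH attribute.
    """
    _, mtype, subtype, length = struct.unpack_from("!IHHI", record, 0)
    if (mtype, subtype) != (MRT_BGP4MP, BGP4MP_MESSAGE_AS4):
        raise ValueError("unsupported MRT record type %d subtype %d" % (mtype, subtype))
    body = record[12:12 + length]
    peer_as, _local_as, _ifindex, afi = struct.unpack_from("!IIHH", body, 0)
    addr_len = 4 if afi == 1 else 16
    peer_ip = str(ipaddress.ip_address(body[12:12 + addr_len]))
    bgp = body[12 + 2 * addr_len:]  # skip peer IP and local IP
    _msg_len, msg_type = struct.unpack_from("!HB", bgp, 16)  # fields after the 16-byte marker
    if msg_type != BGP_UPDATE:
        return peer_as, peer_ip, None
    wd_len = struct.unpack_from("!H", bgp, 19)[0]
    attr_off = 21 + wd_len
    attr_len = struct.unpack_from("!H", bgp, attr_off)[0]
    attrs = bgp[attr_off + 2:attr_off + 2 + attr_len]
    as_path, i = None, 0
    while i < len(attrs):
        flags, code = attrs[i], attrs[i + 1]
        if flags & 0x10:  # extended-length flag: 2-byte attribute length
            vlen, i = struct.unpack_from("!H", attrs, i + 2)[0], i + 4
        else:
            vlen, i = attrs[i + 2], i + 3
        if code == ATTR_AS_PATH:
            as_path = decode_as_path(attrs[i:i + vlen])
        i += vlen
    return peer_as, peer_ip, as_path


# Constructed sample: an announcement and a withdrawal, both from feeder AS199036.
ANNOUNCE = build_record(199036, "192.0.2.10",
                        build_update(as_path=[6939, 2598], nlri=["203.0.113.0/24"]))
WITHDRAW = build_record(199036, "192.0.2.10", build_update(withdrawn=["203.0.113.0/24"]))

if __name__ == "__main__":
    for rec in (ANNOUNCE, WITHDRAW):
        feeder_as, feeder_ip, path = parse_bgp4mp_as4(rec)
        print("feeder AS%d at %s, AS_PATH=%s" % (feeder_as, feeder_ip, path))
```

Running the block prints the same feeder AS and IP for both records while the AS_PATH is [6939, 2598] for the announcement and None for the withdrawal: this is why `-a 199036` selects both packets whereas `-p "^6939"` can only select the first.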
-f: prints the feeder IP addresses (valid only for RIB snapshots)
-c: prints the BGP packet as a hexadecimal C array, wrapped at 80 columns
-d: prints the BGP filtering engine bytecode for debugging purposes
-o: output is redirected to the supplied file
Examples
This section provides more practical examples of the BGP Scanner filtering options.
- BGP packets announced by feeder AS199036:
bgpscanner -a "199036" <mrt_file>
- First AS of AS_PATH is either AS199036 or AS6939:
bgpscanner -p "^199036" -p "^6939" <mrt_file>
- Last AS of the AS_PATH is AS2598 (i.e. all packets containing networks originated by AS2598):
bgpscanner -p "2598$" <mrt_file>
- Packets containing subnets of 2001:67c:1b08::/48 not originated by AS2598 (simple mis-origin/hijack detection):
bgpscanner -s 2001:67c:1b08::/48 -P "2598$" <mrt_file>
- BGP packets containing IXP peering LAN prefixes:
bgpscanner -S <IXP_LANs_file> <mrt_file>
- AS_PATH crosses the link AS174 AS3356 AS2914 (useful, for example, for route leak detection):
bgpscanner -p "174 3356 2914" <mrt_file>
- Subnets of 2001:67c::/32 originated by AS2598:
bgpscanner -s "2001:67c::/32" -p "2598$" <mrt_file>
- AS_PATH contains a loop:
bgpscanner -l <mrt_file>
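The prefix options (-e/-s/-u/-r and their capital file-based forms), the AS_PATH options (-p/-P, -l/-L) and the way the examples above combine them can be modelled in a few lines. The following Python is an added illustration and not bgpscanner code: the records are constructed, the regular-expression matching of -p is reduced to an origin-AS check (the `"AS$"` pattern used in the examples), and how the real tool treats a withdraw-only packet, which has no AS_PATH, under -p/-P/-l is an assumption noted in the code.

```python
import ipaddress

# Constructed records standing in for the (prefix, AS_PATH) pairs bgpscanner reads from
# an MRT file; AS_PATH is None for a withdraw-only UPDATE, which carries no AS_PATH.
RECORDS = [
    ("2001:67c:1b08::/48", [199036, 6939, 2598]),
    ("2001:67c:1b08:1::/64", [6939, 174, 64496]),   # more specific with a foreign origin
    ("2001:67c::/32", [6939, 2598]),                 # covering aggregate
    ("2001:67c:1b08::/48", None),                    # withdrawal
    ("203.0.113.0/24", [174, 3356, 174, 64497]),     # AS174 reappears: loop
    ("203.0.113.0/24", [174, 174, 3356, 64497]),     # prepending, not a loop
]


def prefix_matches(mode, wanted, prefix):
    """-e exact, -s subnet (included or equal), -u supernet (including or equal), -r either."""
    want, have = ipaddress.ip_network(wanted), ipaddress.ip_network(prefix)
    if want.version != have.version:
        return False
    if mode == "e":
        return have == want
    if mode == "s":
        return have.subnet_of(want)
    if mode == "u":
        return have.supernet_of(want)
    if mode == "r":
        return have.subnet_of(want) or have.supernet_of(want)
    raise ValueError("unknown prefix option %r" % mode)


def parse_prefix_list(text):
    """Capital options (-E/-S/-U/-R) read prefixes from a file, one or more per line."""
    return text.split()


def has_loop(as_path):
    """-l: an AS reappears after a different AS intervened; plain prepending is not a loop."""
    seen, prev = set(), None
    for asn in as_path:
        if asn != prev and asn in seen:
            return True
        seen.add(asn)
        prev = asn
    return False


def make_filter(prefix=None, origins=(), negate_origin=False, loop=None):
    """Build a predicate from a prefix option (mode, values), an origin clause modelling
    -p "AS$" / -P "AS$", and -l/-L. Values of one option are OR-ed; clauses are AND-ed.
    Assumption of this model: a record without AS_PATH fails every AS_PATH clause."""
    mode, values = prefix if prefix else (None, ())

    def accept(record):
        pfx, path = record
        if values and not any(prefix_matches(mode, v, pfx) for v in values):
            return False
        if origins and (path is None or (path[-1] in origins) == negate_origin):
            return False
        if loop is not None and (path is None or has_loop(path) != loop):
            return False
        return True

    return accept


def scan(accept, records=RECORDS):
    """What bgpscanner would dump: every record accepted by the filter."""
    return [r for r in records if accept(r)]


def misorigins(monitored, origins, records=RECORDS):
    """bgpscanner -s <monitored> -P "<origin>$": more specifics not announced by the owner."""
    return scan(make_filter(prefix=("s", [monitored]), origins=origins, negate_origin=True), records)


if __name__ == "__main__":
    print(misorigins("2001:67c:1b08::/48", [2598]))
    print(scan(make_filter(prefix=("e", parse_prefix_list("2001:67c:1b08::/48\n203.0.113.0/24")))))
    print(scan(make_filter(loop=True)))
```

The mis-origin check returns only the /64 with origin AS64496: the covering /32 is not a subnet of the monitored /48, the legitimate /48 is excluded by the negated origin clause, and the withdrawal is dropped because it has no AS_PATH to test. The loop filter keeps the path where AS174 reappears after AS3356 and ignores the prepended one.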