Wireshark - output

Ratheesh mv · ‎02-18-2021

My CE router is sending plenty of subnets to PE. I have captured .pcap file of BGP update and I would like to see one of specific NLRI information form the pcap file. When I have opened the pcap file there are plenty of NLRI info .How can I filter for specific subnet .

Example :- From the plenty of subnets I would like to see only 192.168.10.0/24 and their attributes .Is it possible if yes how ?

Thanks in advance

Giuseppe Larosa · ‎02-18-2021

Hello @Ratheesh mv ,

>> From the plenty of subnets I would like to see only 192.168.10.0/24 and their attributes .Is it possible if yes how ?

For efficiency reasons BGP updates are structured in such a way that all NLRIs sharing the same attributes are sent after the set of common attributes.

For this reason if you manage the PE node you can get info about a specific prefix on it

show ip bgp vrf <VRF-name> 192.168.10.0

From the raw packet capture this is not so easy for the reasons explained above. The BGP update can become too big to fit in a single packet and so it is carried in multiple IP packets and only the first packet contains the list of BGP attributes shared by many prefixes.

Hope to help

Giuseppe

MHM Cisco World · ‎02-18-2021

If this is LAB then
remove the prefix
do wireshark
you will see withdraw,
you can check this withdraw see if contain the attribute you need to see.