Working with Raw BGP Data

The purpose of this article is to facilitate analysis of raw BGP data collected by various public monitors. From time to time, it can be helpful to analyze raw aggregated BGP data for troubleshooting or training purposes.

You can also view raw BGP data in the BGP Updates table. For more information, see Using the BGP Updates Table.

Working with Quagga BGP RIB Files

First, it's important to understand how our BGP data collection works, and where the data comes from.

• Public monitors shown in ThousandEyes consume data aggregated from RIPE RIS. We download reachability information collected by the collectors, process the data, and display it for use.

• ThousandEyes monitors are configured and supported by ThousandEyes.

• Private monitors peer directly with a ThousandEyes-maintained route collector and provide updates in real time.

The RouteViews project makes full routing information base (RIB) dumps of data available every 2 hours (UTC time), and provides updates every 15 minutes. These files are compressed in .bz2 format. Data for each monitor we display can be found on the RouteViews site, in the location shown by the table at the bottom of this page.

To review raw BGP data, you'll need an application to parse the data. For this, we use bgpdump, which provides human-readable data from the raw BGP information.

Installing and Using BGPdump

Find compiled versions of bgpdump for OSX (here) or Ubuntu Linux (here).

Note: This is simply a compiled version of RIPE bgpdump, The project is maintained by RIPE NCC and the Internet Research community. The project source is available at https://github.com/RIPE-NCC/bgpdump.

To install and run bgpdump, follow these instructions:

• Download the file, and extract the contents

• Move the bgpdump file to /usr/local/bin/ (which puts it in the path for your user)

• chmod +x it, to make it executable

• For OSX Catalina, disable developer verification using xattr -d com.apple.quarantine /usr/local/bin/bgpdump

• Test it, by running bgpdump. The following information should be displayed

Next, download a RIB file from the appropriate collector. Use the table at the bottom of this page to determine which collector to use. Data is stored in a year.month structure, with RIBS containing the full downloads made available every two hours (UTC), and UPDATES containing the updates captured by the collectors (every 15 minutes). Beneath the RIBS|UPDATES folders, you will find a folder for each day of the month, and files saved using the convention [rib|updates].yyyyMMdd.hhmm.bz2. File sizes vary based on the number of monitors advertising routes to each specific collector, and by number of routes collected by each monitor.

Running bgpdump without -m will output a lot of data and includes column explanations to help better understand the data. Given the form of the output and content of one of the files, it makes running prefix-based searches on the data difficult - thus without the -m or -M option, bgpdump tends to be less useful than you'd like. Below, see an example of a single entry from a RIB file.

Running with the -m option will output as shown below:

bgpdump -m outputs data in the following column order:

• BGP Protocol

• timestamp (in epoch format)

• W/A/B (withdrawal/announcement/routing table)

• Peer IP (address of the monitor)

• Peer ASN (ASN of the monitor)

• Prefix

• ASPath

• Origin Protocol (typically always IGP)

• Next Hop

• LocalPref

• MED

• Community strings

• Atomic Aggregator

• Aggregator

A couple of use cases for using bgpdump to get necessary information:

• Determine all routes to a specific prefix ( bgpdump -m <file> | grep <prefix>)

• Determine all routes that use a specific AS Path (bgpdump -m <file> | grep "ASPath" )

Note: ASPaths are shown in monitor>transit>origin format. When using AS Path as the filter, the results show all the updates having the filter as a part of the AS Path. In the example below, the Origin AS is 56203, but contains AS 577 in the AS Path string. To target a specific origin, grep for the origin with a trailing pipe character (ie, "577|")

Checking BGP Changes over a Period of Time

You can also run bgpdump on a group of files, using the bzcat -- just concatenate them using bzcat, and then pipe the output to bgpdump. This can be useful to find any updates related to a specific monitor, path or prefix over a period of time - but is predicated on having all the data available to use. Below shows two methods:

When you want more specific information, you can actually telnet to the quagga collectors, and use a limited set of commands to interact with quagga to show you data. The most typical usage is the sh ip bgp <prefix>, which will show you the last update to the routing table for each monitor using that collector for a specific prefix. Visit http://archive.routeviews.org/, and click the login link for the appropriate collector (check the table below to find the appropriate collector for the monitor you’re interested in reviewing).

Working with Quagga Collectors

Using BGPlay to Work with RIPE RIS Data

You can also use bgplay from the RIPEstat site to look at historical data. This can be useful when tracking changes that occur over a period of time.

When BGPlay starts, a query window opens us where you can enter the prefix to monitor and the time interval in UTC. Press OK to open up an animation window as shown below. Below the figure, a numbered list corresponding to the callouts on the figure, explains each field in the image.

Let us break the picture into different parts for better understanding

1. Indicates that the update shown is the 3rd update of the 399 updates within the specified time period.

2. Signifies the router collector which received the BGP update.

3. Path change indicates that the current BGP update contains new paths. Other possible BGP Update messages that can be seen are Route Announcement, Route Withdrawal and Route Re-Announcement.

4. IP address of the peer from which the current BGP Update was collected.

5. The date and time at which the current BGP Update was collected.

6. Displays the change in the AS Path as contained by the new BGP Update message.

7. Indicates the last clicked AS number and name.

8. Vertical time axis.

9. Each purple horizontal spike indicates a burst of BGP updates.

10. Any purple horizontal spike touching this vertical line indicates 1 BGP update.

11. Any purple horizontal spike touching this vertical line indicates 23 BGP updates.

12. The starting date and time specified in the query.

13. To scroll through the different BGP messages within the time period.

14. To rearrange the AS graph to its starting layout.

15. To start a new query.

List of Monitors by Collector