Parsing issues with bgpdump (unknown attribute 0)
Hello everyone, I’ve been using BGPDump to collect BGP data across multiple BGP server. Unfortunately, I’ve been having some issues parsing some MRT files. So I have a file (provided in attachment) that has been created by a Quagga instance (quagga-0.99.22.1-2013051601). All the beginning of the file seems to be parsed correctly, but at some point, I get a message with unknown attributes. As you can see on the screenshot below, the strange part about it is that the attribute type is supposedly 0 —which is not a correct attribute type if I’m referring to the RFC. Different versions of bgpdump have been tested, without any changes. And the actual issues come up right after: every announcement after this message seems to have something wrong (wrong prefix length/wrong AS path values…): Does anyone already encountered such troubles? Could it be a bug from BGPDump somewhere? Let me know if you have any idea or want some more detail about the issue. Alexis Fasquel Software Engineer @ PCH <http://www.pch.net/> +1-415-694-0585
Hi Alexis, I would suspect you have a corrupted dump file. If I run 'bgpdump -v' over your provided dump file, I get the same output as you, but also on stderr: [warn] ERROR attribute is truncated: expected=98 remaining=17 [warn] ERROR attribute is truncated: expected=129 remaining=16 [warn] ERROR attribute is truncated: expected=65535 remaining=29 [warn] ERROR attribute is truncated: expected=65535 remaining=18 [warn] ERROR attribute is truncated: expected=98 remaining=25 [warn] ERROR attribute is truncated: expected=65535 remaining=11 [warn] ERROR attribute is truncated: expected=65535 remaining=1 [warn] ERROR attribute is truncated: expected=65535 remaining=1 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [error] bgpdump_read_next: incomplete dump record (0 bytes read, expecting -1) So a length field somewhere is telling the parser to read an incorrect amount of data from the stream, which then throws off the field alignment. You'd probably need to stare at your MRT file with a hex editor for a while if you want to find the problem :) Of course, how bgpdump handles it (or doesn't!) might be better :) it could probably do a better job of trying to re-align on later messages. Hope this helps, Cheers, Colin On 09/10/15 19:35, Alexis Fasquel wrote:
Hello everyone,
I’ve been using BGPDump to collect BGP data across multiple BGP server. Unfortunately, I’ve been having some issues parsing some MRT files.
So I have a file (provided in attachment) that has been created by a Quagga instance (quagga-0.99.22.1-2013051601). All the beginning of the file seems to be parsed correctly, but at some point, I get a message with unknown attributes. As you can see on the screenshot below, the strange part about it is that the attribute type is supposedly 0 —which is not a correct attribute type if I’m referring to the RFC. Different versions of bgpdump have been tested, without any changes.
And the actual issues come up right after: every announcement after this message seems to have something wrong (wrong prefix length/wrong AS path values…):
Does anyone already encountered such troubles? Could it be a bug from BGPDump somewhere?
Let me know if you have any idea or want some more detail about the issue.
-- Colin Petrie Systems Engineer RIPE NCC
Hi Colin, Thank you for your answer, I was also suspecting file corruption, although I have to admit that I was hoping that it would not be it :) I guess my next move is to understand why some of my files get corrupted. Thank you agin for the help! Cheers, Alexis
On 10 Oct 2015, at 04:22, Colin Petrie <cpetrie@ripe.net> wrote:
Hi Alexis,
I would suspect you have a corrupted dump file.
If I run 'bgpdump -v' over your provided dump file, I get the same output as you, but also on stderr:
[warn] ERROR attribute is truncated: expected=98 remaining=17 [warn] ERROR attribute is truncated: expected=129 remaining=16 [warn] ERROR attribute is truncated: expected=65535 remaining=29 [warn] ERROR attribute is truncated: expected=65535 remaining=18 [warn] ERROR attribute is truncated: expected=98 remaining=25 [warn] ERROR attribute is truncated: expected=65535 remaining=11 [warn] ERROR attribute is truncated: expected=65535 remaining=1 [warn] ERROR attribute is truncated: expected=65535 remaining=1 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [warn] process_zebra_bgp_message: unsupported AFI 4096 [error] bgpdump_read_next: incomplete dump record (0 bytes read, expecting -1)
So a length field somewhere is telling the parser to read an incorrect amount of data from the stream, which then throws off the field alignment.
You'd probably need to stare at your MRT file with a hex editor for a while if you want to find the problem :)
Of course, how bgpdump handles it (or doesn't!) might be better :) it could probably do a better job of trying to re-align on later messages.
Hope this helps,
Cheers, Colin
On 09/10/15 19:35, Alexis Fasquel wrote:
Hello everyone,
I’ve been using BGPDump to collect BGP data across multiple BGP server. Unfortunately, I’ve been having some issues parsing some MRT files.
So I have a file (provided in attachment) that has been created by a Quagga instance (quagga-0.99.22.1-2013051601). All the beginning of the file seems to be parsed correctly, but at some point, I get a message with unknown attributes. As you can see on the screenshot below, the strange part about it is that the attribute type is supposedly 0 —which is not a correct attribute type if I’m referring to the RFC. Different versions of bgpdump have been tested, without any changes.
And the actual issues come up right after: every announcement after this message seems to have something wrong (wrong prefix length/wrong AS path values…):
Does anyone already encountered such troubles? Could it be a bug from BGPDump somewhere?
Let me know if you have any idea or want some more detail about the issue.
-- Colin Petrie Systems Engineer RIPE NCC
participants (2)
-
Alexis Fasquel -
Colin Petrie