Packet Captures
4-byte_AS_numbers_Full_Support.cap 1.2 KB
Submitted Apr 30, 2010 by pierky
Router at 172.16.1.2 (hostname "D", AS 40.1 / 2621441) clears a previous established peering with 172.16.1.1 (hostname "A", AS 10.1 / 655361); They both support 32-bit ASN.
While opening the new session, they negotiate the "Four-octet AS Number Capability" (pkts n. 2 and 3).
Then, both "A" and "D" send some UPDATEs containing 4-octect encoded AS_PATH attributes (pkts n. 6 and 9). Please note: WireShark may show wrong paths unless you force 4-byte encoding in the Preferences / Protocols / BGP options.
Packets: 9 | Duration: 56s | Downloads: 8906 |
4-byte_AS_numbers_Mixed_Scenario.cap 414 bytes
Submitted Apr 30, 2010 by pierky
Router "B" (AS 2) at 172.16.3.2 does not support 4-byte AS numbers, while router "A" (AS 10.1 / 655361) at 172.16.3.1 does.
Router "A" receives an UPDATE for the 40.0.0.0/8 subnet from an external router ("D") in the AS 40.1 / 2621441 (not shown), and it forwards it to "B" (pkt n. 2): AS_PATH contains "23456 23456" (the first stands for AS 10.1, the second for the originating AS 40.1), but NEW_AS_PATH contains the real 4-byte AS numbers.
At pkt n. 3 "B" receives the same subnet directly from "D" and sends it to "A", including the original NEW_AS_PATH attribute previously appended by "D".
Packets: 4 | Duration: 60s | Downloads: 9551 |
6in4-linklocal-hlimit-less255.pcapng.cap 444 bytes
Submitted Dec 30, 2014 by nacnud
Illegal packet: IPv4 (protocol 41) + IPv6 (hop limit = 100) + ICMPv6 Router Advertisement. The illegal part is that hop limit of IPv6 neighbor discovery protocol (NDP) packets cannot be less than 255.
Packets: 1 | Duration: n/a | Downloads: 6181 |
802.1Q_tunneling.cap 5.0 KB
Submitted Jun 30, 2010
Packets: 26 | Duration: 35s | Downloads: 21144 |
802_1ad.pcapng.cap 3.3 KB
Submitted Apr 30, 2015 by puschentazen
It's an Packet Capture of a QinQ Packet with an Outer Vlan Ethertype 0x88A4. It is used in Service Provider Bridges
Packets: 2 | Duration: n/a | Downloads: 7501 |
Auto-RP.cap 726 bytes
Submitted Sep 14, 2009
Routers 2 and 3 have been configured as candidate RPs, and multicast RP announcements to 239.0.1.39. Router 1 is the RP. R1 sees the candidate RP announcements from R2 and R3, and designates R3 the RP because it has a higher IP address (3.3.3.3). R1 multicasts the RP mapping to 224.0.1.40. The capture is from the R1-R2 link.
Packets: 9 | Duration: 239s | Downloads: 6365 |
BGP_AS_set.cap 1.6 KB
Submitted Sep 14, 2009
Packet #15 includes a BGP update containing both an AS sequence and an AS set in its AS path attribute.
Packets: 18 | Duration: 1s | Downloads: 7991 |
BGP_MD5.cap 1.7 KB
Submitted Nov 26, 2009
An EBGP with TCP MD5 authentication enabled
Packets: 16 | Duration: 61s | Downloads: 10882 |
BGP_MP_NLRI.cap 2.9 KB
Submitted Jun 28, 2010
IPv6 routes are carried as a separate address family inside MP_REACH_NLRI attributes.
Packets: 24 | Duration: 60s | Downloads: 16615 |
BGP_hard_reset.cap 3.2 KB
Submitted Sep 14, 2009
A hard reset (clear ip bgp) is performed on R1 for its adjacency with R2. Packet #7 shows R1 sending a packet with the TCP FIN flag set, indicating the connection is to be torn down. The TCP connection is then reestablished and UPDATEs are retransmitted.
Packets: 32 | Duration: 208s | Downloads: 6656 |
BGP_notification.cap 764 bytes
Submitted Sep 14, 2009
R1 has been misconfigured to expect R2 to reside in AS 65100. R2 attempts to peer with R1 advertising itself correctly in AS 65200. R1 issues a NOTIFICATION in packet #5 citing a "bad peer AS" error and terminates the TCP connection.
Packets: 9 | Duration: n/a | Downloads: 7022 |
BGP_redist.cap 378 bytes
Submitted Oct 28, 2009 by colinbsd
The OSPF metric is preserved and propagated within the MPLS cloud by the MP-BGP MED attribute.
Packets: 2 | Duration: n/a | Downloads: 10068 |
BGP_soft_reset.cap 2.0 KB
Submitted Sep 14, 2009
R1 performs a soft bidirectional reset (clear ip bgp soft) on its adjacency with R2. The ROUTE-REFRESH message is visible in packet #7. Note that the TCP connection remains uninterrupted, and neither router views the reset as disruptive.
Packets: 17 | Duration: 180s | Downloads: 6761 |
DHCP.cap 5.8 KB
Submitted Sep 29, 2009 by pierky
R0 is the client and R1 is the DHCP server. Lease time is 1 minute.
Packets: 12 | Duration: 153s | Downloads: 11468 |
DHCP_Inter_VLAN.cap 2.0 KB
Submitted Sep 30, 2009 by pierky
R1 is a router-on-a-stick. It receives a DHCP Discover on the trunk interface, it sets the "Relay agent IP address" to the sub-interface's IP address it received the packet on and, finally, it forwards it to the DHCP server. Capture perspective is R1-DHCP server link.
Packets: 4 | Duration: n/a | Downloads: 11392 |
DHCP_MessageType 10,11,12 and 13.cap 1.9 KB
Submitted Jan 31, 2011 by Jawahar
Access Concentrator/router queries lease for particular IP addresses using message type as "DHCP LEASE QUERY" and gets response as DHCP LEASE ACTIVE,LEASE UNASSIGNED and LEASE UNKNOWN.
Access Concenttrator/Router IP=10.10.39.14
DHCP server IP=10.10.35.33
Packets: 6 | Duration: 13s | Downloads: 13490 |
DNS Question & Answer.pcapng.cap 1.6 KB
Submitted Apr 16, 2014 by manjesh23
DNS Question and Answer
Packets: 2 | Duration: n/a | Downloads: 9730 |
EBGP_adjacency.cap 2.7 KB
Submitted Sep 14, 2009
The external BGP adjacency between routers 1 and 2 is brought online and routes are exchanged. Keepalives are then exchanged every 60 seconds. Note that the IP TTL (normally 1) has been increased to 2 with ebgp-multihop to facilitate communication between the routers' loopback interfaces.
Packets: 24 | Duration: 182s | Downloads: 8162 |
EIGRP_adjacency.cap 5.1 KB
Submitted Sep 14, 2009
Formation of an EIGRP adjacency between routers R1 and R2. Capture point is R1's 10.0.0.1 interface.
Packets: 53 | Duration: 104s | Downloads: 10287 |
EIGRP_goodbye.cap 1.3 KB
Submitted Sep 14, 2009
R2 designates its interface facing R1 as passive. The final hello message from R2 (packet #9) has all its K values set to 255, designating the message as a "goodbye." Capture perspective is from R1's 10.0.0.1 interface.
Packets: 15 | Duration: 43s | Downloads: 7669 |
EIGRP_subnet_down.cap 1.8 KB
Submitted Sep 14, 2009
R4's interface to 192.168.4.0/24 goes down and the route is advertised as unreachable. Queries are issued by all routers to find a new path to the subnet but none exists, and the route is removed from the topology. Capture perspective is from R1's 10.0.0.1 interface.
Packets: 21 | Duration: 23s | Downloads: 6065 |
EIGRP_subnet_up.cap 1.3 KB
Submitted Sep 14, 2009
R4's 192.168.4.0/24 subnet is brought online. R1 receives updates from both R2 and R3 (only R2's update is shown in the capture). The poison-reverse in packet #9 informs R2 not to use R1 as a path to 192.168.4.0/24. The capture perspective is from R1's 10.0.0.1 interface.
Packets: 15 | Duration: 18s | Downloads: 8055 |
EoMPLS.cap 7.0 KB
Submitted Oct 12, 2009 by pierky
Routers at 1.1.2.1 and 1.1.2.2 are PEs in a MPLS cloud. LDP starts at packet 8 and they build up a pseudo-wire VC (last FEC in packets 11 and 13). At packet 15 we already have STP running between CE1 and CE2 (two routers with ESW), encapsulated in 2 MPLS headers. All the ethernet stuff follows: CDP, ARP, ICMP between two hosts on the same subnet.
Packets: 56 | Duration: 32s | Downloads: 11498 |
GLBP_election.cap 8.4 KB
Submitted Sep 14, 2009
Routers 1, 2, and 3 participate in a GLBP election. R1 becomes the AVG due to having the highest priority (200), and R3 becomes the standby GLBP. All three routers become AVFs.
Packets: 80 | Duration: 68s | Downloads: 6057 |
GRE.cap 1.5 KB
Submitted Sep 14, 2009
ICMP is encapsulated into a Generic Routing Encapsulation (GRE) tunnel.
Packets: 10 | Duration: n/a | Downloads: 18936 |