How to export BGP routing information (AS Path) in network flows


Tools like traceroute have long been used to track the forward path of packets, i.e. the journey of our packets to a remote destination. Unfortunately, traceroute can say nothing about the path taken by ingress packets unless one assumes that routing is symmetrical, an assumption that is often incorrect. For this reason we have designed a solution that allows path information to be reported in emitted flows. As the most popular exterior gateway protocol used on the Internet is BGP, we have designed a tool that allows nProbe to receive BGP messages and use them to infer routing information. Using the nProbe BGP plugin it is possible to export the first ten Autonomous Systems (ASes) in both the AS-path to the client and the AS-path to the server of each flow.

AS-paths, which are well-known mandatory BGP attributes, are determined by establishing a BGP session with a BGP router. BGP sessions are established by a helper script, bgp_probe_client.pl, which encapsulates all of the functionality needed to establish and maintain a BGP peering session and exchange routing update information. Specifically, the script:

  • Establishes a BGP session with a BGP-router
  • Reads BGP updates to extract AS-paths
  • Sends AS-paths to nProbe

The script is opensource and can be downloaded from GitHub.

nProbe uses AS-paths received from the script to export additional elements SRC_AS_PATH_1, ..., SRC_AS_PATH_10 and DST_AS_PATH_1, ..., DST_AS_PATH_10, indicating up to the first 10 ASes in the AS-path to the client and to the server. Those elements can be specified in the nProbe template (option -T) as any other regular element.
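As an added example that is not part of the original post or of the bgp_probe_client.pl script, the following Python decodes the value of a BGP AS_PATH attribute (the information the helper script extracts from BGP updates) and maps the first ten ASes onto the SRC_AS_PATH_n / DST_AS_PATH_n element names described above. The segment layout follows RFC 4271 and RFC 6793; the page does not say how nProbe itself treats AS_SET segments, so flattening a set to its lowest AS number is an assumption of this example, as are the constructed sample path and the encode_as_path helper used to build it.

```python
"""Decode a BGP AS_PATH attribute value and map the result onto the
SRC_AS_PATH_n / DST_AS_PATH_n element names that nProbe exports."""
import struct

# Path segment types from the BGP specification (RFC 4271)
AS_SET = 1
AS_SEQUENCE = 2
MAX_EXPORTED_ASES = 10  # nProbe exports at most the first ten ASes


def encode_as_path(segments, four_octet=True):
    """Constructed helper for building sample input: encode
    [(segment_type, [asn, ...]), ...] as AS_PATH attribute value bytes."""
    fmt = "!I" if four_octet else "!H"
    out = bytearray()
    for seg_type, asns in segments:
        out += struct.pack("!BB", seg_type, len(asns))
        for asn in asns:
            out += struct.pack(fmt, asn)
    return bytes(out)


def parse_as_path(attr_value, four_octet=True):
    """Decode an AS_PATH attribute value into a list of hops.

    Layout: repeated segments of 1-byte type, 1-byte AS count and that
    many AS numbers (4 bytes each when the 4-octet AS capability of
    RFC 6793 was negotiated, otherwise 2 bytes). AS_SEQUENCE hops are
    appended as ints; an AS_SET is kept as one sorted tuple so it stays
    distinguishable from ordered hops. Length fields are checked against
    the buffer so a truncated or malformed attribute raises instead of
    producing a silently wrong path.
    """
    as_size = 4 if four_octet else 2
    fmt = "!I" if four_octet else "!H"
    path = []
    offset = 0
    while offset < len(attr_value):
        if offset + 2 > len(attr_value):
            raise ValueError("truncated segment header")
        seg_type, seg_len = attr_value[offset], attr_value[offset + 1]
        offset += 2
        end = offset + seg_len * as_size
        if end > len(attr_value):
            raise ValueError("segment declares more ASes than bytes present")
        asns = [struct.unpack(fmt, attr_value[i:i + as_size])[0]
                for i in range(offset, end, as_size)]
        if seg_type == AS_SEQUENCE:
            path.extend(asns)
        elif seg_type == AS_SET:
            path.append(tuple(sorted(asns)))
        else:
            raise ValueError("unsupported AS_PATH segment type %d" % seg_type)
        offset = end
    return path


def to_flow_elements(path, prefix):
    """Map a decoded path onto <prefix>_AS_PATH_1 .. _10, as in the
    nProbe template. Flattening an AS_SET to its lowest AS number is a
    choice made for this example, not documented nProbe behaviour;
    slots beyond the path length are simply absent."""
    flat = [min(hop) if isinstance(hop, tuple) else hop for hop in path]
    return {"%s_AS_PATH_%d" % (prefix, i + 1): asn
            for i, asn in enumerate(flat[:MAX_EXPORTED_ASES])}


if __name__ == "__main__":
    # Constructed sample: an ordered sequence of three ASes followed by
    # an aggregated AS_SET of two, using 4-octet AS numbers.
    sample = encode_as_path([(AS_SEQUENCE, [65000, 3356, 15169]),
                             (AS_SET, [64512, 64500])])
    hops = parse_as_path(sample)
    print(hops)  # [65000, 3356, 15169, (64500, 64512)]
    print(to_flow_elements(hops, "DST"))
```

The length checks matter in practice: a BGP speaker that feeds attribute bytes into a flow exporter should fail loudly on a malformed AS_PATH rather than export a plausible-looking but wrong path, since downstream tools will treat the exported ASes as ground truth.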

So for example, one can export the first 8 ASes of the client and the server of flows monitored from interface eth1 as follows:

sudo ./nprobe --bgp-port 9999 --zmq "tcp://*:5556" -i eth1 -n none -T "@NTOPNG@ %SRC_TOS %DST_TOS %INPUT_SNMP %OUTPUT_SNMP %SRC_AS_PATH_1 %SRC_AS_PATH_2 %SRC_AS_PATH_3 %SRC_AS_PATH_4 %SRC_AS_PATH_5 %SRC_AS_PATH_6 %SRC_AS_PATH_7 %SRC_AS_PATH_8 %DST_AS_PATH_1 %DST_AS_PATH_2 %DST_AS_PATH_3 %DST_AS_PATH_4 %DST_AS_PATH_5 %DST_AS_PATH_6 %DST_AS_PATH_7 %DST_AS_PATH_8"

Apart from the well-known options, the extra --bgp-port 9999 is required for the communication between nProbe and bgp_probe_client.pl.

For an in-depth description of the plugin, refer to the official nProbe documentation. Keep in mind that the BGP plugin also works when nProbe is in collector mode.