Wireshark-users: [Wireshark-users] Multiple BGP messages in a frame, and BGP messages spanning mu

From: "john g" <john31415927@xxxxxxxxx>
Date: Sun, 21 Sep 2008 21:50:34 -0400
Hi all

I'm running into trouble with tshark in the case where there are multiple BGP messages included in the same frame.

If I just do a straight "tshark" with default output, it would show me something like:


  1   0.000000  x.x.x.x -> y.y.y.y    BGP UPDATE Message, UPDATE Message, UPDATE Message, UPDATE Message, UPDATE Message

Which shows the multiple UPDATE messages inside the frame.

But if I try to display the fields, then I get only the fields of the last message:

# tshark -r x.pcap -T fields -e frame.number -e bgp.type
Running as user "root" and group "root". This could be dangerous.
1       2

Not sure how I'd expect to see it display this, but it's only displaying the last message.


What's really a problem however, is that if there were multiple BGP messages in a frame, and the last was say a Keepalive, then a filter such as bgp.type==2 (this is for update) would fail to identify that packet, even though it contains multiple UPDATEs.


What I am really trying to do is to parse through a capture file and count how many bytes of BGP UPDATE messages there are. Using "-z io,stat,36000,bgp.type==2" does not work, because for many cases, BGP UPDATEs are large and span multiple frames. So then this filter only calculates stats on the frames where the last part of the message is contained, and then only if the last message in that frame is not something otehr than an update. E.g. if a BGP UPDATE spanned 3 frames, and in the last frame there was a Keepalive following the end of the UPDATE, then there would be no bytes of BGP message counted by -z io,stat for the final frame nor any of the other frames which the UPDATE spanned.

Anyone run into this, or have any advice to offer?


Thanks much