<div dir="ltr"><div>It would be great to capture the packet before it gets into the SmartEdge.</div><div>It seems that there is some memory/packet corruption problem:</div><div><br></div><div>the total length of update message is correct and it is 77 bytes. But the total path attribute length is incorrect - in the log it is 0x32(50B) and it should be 0x23(35B). </div><div><br></div><div>0x1+0xe+0x4+0x8+0x8=0x23</div><div><br></div><div>I tried to parse your packet quickly in the notepad:</div><div><br></div><div>BGP HEADER:</div><div>ffff ffff ffff ffff ffff ffff ffff ffff #MARKER<br>004d #LENGTH: 77B<br>02 #BGP UPDATE</div><div><br></div><div><br></div><div><span style="font:400 13.33px arial,sans-serif;text-align:left;color:rgb(34,34,34);text-transform:none;text-indent:0px;letter-spacing:normal;text-decoration:none;word-spacing:0px;display:inline;white-space:normal;font-size-adjust:none;font-stretch:normal;float:none;background-color:transparent">UPDATE MESSAGE: </span><br>00 00 #Unfeasible routes length<br></div><div>00 32 #Total path attributes length 50B - SHOULD BE 0x23 (35B) <<<<<</div><div><br>40 01 #Attribute type: <br> b01000000 - FLAGS: well known, transitive, complete, attr lengh is 1 octet<br> b00000001 - TYPE(1): ORIGIN<br>01 #Attribute length: 1B<br>00 #Origin type: IGP<br> <br>40 02 #Attribute type:<br> b01000000 - FLAGS: well known, transitive, complete, attr lengh is 1 octet<br> b00000010 - TYPE(2): AS PATH<br>0e #Attribute Length: 14B<br>02 #AS_PATH Type: AS_SEQ<br>03 #AS_PATH Segment length: 3 ASes<br>0000 232a AS9002<br>0000 0c97 AS3223<br>0003 0fcb AS200651</div><div><br></div><div>4003 Attribute Type:<br> b01000000 -FLAGS: well known, transitive, complete, attr lengh is 1 octet<br> b00000011 -TYPE(3): NEXT_HOP <br>04 Attribute Length: 4B<br>57f5f580 IP Address: 87.245.245.128</div><div><br></div><div>e007 Attribute Type:<br> b11100000 -FLAGS: optional, transitive, partial, attr lengh is 1 octet<br> b00000111 -TYPE(7): AGGREGATOR<br>08 Attribute Lengh: 8B<br>0003 0fcb 5d72 28a2 #Aggregated by AS200651 <br> IP:93.114.40.162</div><div><br></div><div>c008 Attribute Type:<br> b11000000 -FLAGS: optional, transitive, complete, attr lengh 1 oct<br> b00001000 -TYPE(8): COMMUNITY<br></div><div>08 Attribute length: 8B<br></div><div>232a 232a 232a fc91 Attrubute value: <br> 9002:9002 (RETN Peer's route) <br> 9002:64657 (RETN Netherlands)</div><div><br></div><div>NLRI:</div><div>17 b964 54 <a href="http://185.100.84.0/23">185.100.84.0/23</a></div><div><br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 30, 2018 at 5:17 AM, Olivier Benghozi <span dir="ltr"><<a href="mailto:olivier.benghozi@wifirst.fr" target="_blank">olivier.benghozi@wifirst.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div style="word-wrap:break-word">By manually decoding I can see it's AS Path 9002 3223 200651 (200651 being 3.4043 for a SmartEdge), prefix <a href="http://185.100.84.0/23" target="_blank">185.100.84.0/23</a>, with an aggregator attribute that seems fine, and two communities.<div>I don't see what is wrong, though, but it would be necessary to check every field and notably the lengths and so on.<div><div class="gmail-h5"><br><div><div><br><blockquote type="cite"><div>Le 30 janv. 2018 à 13:57, Marcin Kuczera <<a href="mailto:marcin@leon.pl" target="_blank">marcin@leon.pl</a>> a écrit :</div><br class="gmail-m_890618356995567537Apple-interchange-newline"><div>
<div bgcolor="#FFFFFF">
<div class="gmail-m_890618356995567537moz-cite-prefix">On 2018-01-30 13:23, Michał Przywuski
wrote:<br>
</div>
<blockquote type="cite">
<p>I found something like this :</p><p>[BGP]Dareek#sh bgp malform update<br>
</p>
Jan 30 02:34:31 Malformed UPDATE msg (nbr 87.245.245.128, context
0x4008010a, 77 bytes, repeated 14 times, reason: Invalid msg) - <br>
ffff ffff ffff ffff ffff ffff ffff ffff 004d 0200 0000 3240 0101
0040 020e 0203 0000 232a 0000 0c97 0003 0fcb 4003 0457 f5f5 80e0
0708 0003 0fcb 5d72 28a2 c008 0823 <br>
2a23 2a23 2afc 9117 b964 54<br>
</blockquote>
<br>
So, take RFC and try to analyse this.<br>
Or maybe somehow try to import it into wireshark..<br><br></div></div></blockquote></div></div></div></div></div></div></blockquote></div>-- <br><div class="gmail_signature">Yury.</div>
</div></div>