Skip to main content
Cisco Meraki Documentation

BGP - Messages Wireshark

Published by Jagdip Singh and Ranvir Dhillon

During this guide, packet captures were taken between a router and an MX device that have direct connections on their WAN interfaces and that have eBGP neighbor adjacency.


The aim of this guide is to provide an overview of eBGP messages that occur between 2 neighbors during adjacency and how to view them in Wireshark. This should make it more comfortable when troubleshooting eBGP peering issues, and to understand what is expected in Wireshark. For configuration on BGP with Cisco Meraki it is recommended to refer to our documentation on BGP.

BGP uses 4 main messages that you should be aware of in packet captures:

Open Message

  • BGP version
  • BGP AS
  • BGP Identifier
  • Optional parameters

Update Message

  • Contains NLRIs (prefixes) advertised over BGP

Keepalive Message

  • Used to maintain the BGP neighbor adjacency. By default sent every 60 seconds

Notification Message

  • Sent when an error is detected on the BGP session and causes a BGP session to close. 

OPEN Message and KEEPALIVE Message

  • Refer to the packet capture once we configure R1 and R2 with eBGP configurations. 


  • If we click into the OPEN Message we can see details of the BGP Adjacency.

bgp adjacency.png

  • Version: Includes the BGP version the router is using. The current version of BGP in this example is version 4. Two BGP nodes will try to negotiate a compatible version, MUST MATCH.

  • My AS: Includes the AS number of the BGP router, the routers will have to agree on the AS number. This also defines if they will be running iBGP or eBGP. If they have the same number it is iBGP, however if they have a different number it is eBGP.

  • Hold Time: By default the hold time is set to 180 seconds and keepalive message is sent every 60 seconds. BGP routers will use the lowest configured hold down timer. If a BGP peer does not receive any keepalive or update messages from the other side for the duration of the hold time then it will end the BGP session.

  • BGP Identifier: This is the local BGP router ID that is elected. This does not have anything to do IP addressing between BGP peers. If BGP does not have a router ID, it cannot establish any peering sessions with BGP peers. The process of assigning the BGP Identifier is as follows:

    • Use the manually configured BGP router-id.

    • Use the router-ID that was configured manually.

    • Use the highest IP address on a loopback interface.

    • Use the highest IP address on a physical interface.

  • Optional Parameters: Used for functions such as MP-BGP, session authentication and some other extended features in BGP.

UPDATE Message

BGP sends UPDATE messages to advertise routing information such as path attributes and prefixes or withdraws previously advertised routes, or can do both. The Update message includes the Network Layer Reachability Information (NLRI) that includes the prefix and associated BGP peers when advertising prefixes. Withdrawn NLRIs include only the prefix. An UPDATE message can act as a Keepalive to reduce unnecessary traffic.


  • From MX2 if we advertise a prefix for example it will show in the UPDATE Message along with Path Attributes (Used for best path decision making from neighbor)

  • In a packet capture taken during advertising from MX2 you can see it contains Path Attributes and notice the NLRI being advertised to R1.

path attributes.png

Notification - BAD AS

  • In the below example, R1 eBGP Configuration is to expect the neighbor address and remote-as to be 2. The flow of the messages are as follows:

    • STEP 1: R1 sends OPEN Message

    • STEP 2: R2 sends OPEN message, however with incorrect as 200

    • STEP 3: R1 notices the bad AS number and responds with a NOTIFICATION Messageclipboard_ead9db474ddeddb8912a6094ccc889221.png

  • Below you can see what this should look like in Wireshark. You should see in the NOTIFICATION message under Minor error code (Open message): Bad Peer AS (2)


  • Was this article helpful?