RIP Packet Format – Detailed Analysis

packet-analysisriprouting

I am trying to investigate a RIP packet. It clearly states that the packet is RIP v1. But its format does not match with the either RIP v1 or v2. Any ideas what this packet actually is?

Best Answer

Given how simple RIP v1 is, this is pretty easy to do by eye from Figure 1 in the RFC 1058:

5 longs from 45c0 is the IP header
4 shorts from 0208 (the italic portion) is the UDP header
The rest from 0201 (the bold portion) is the RIP body

01:00:00.000000 IP 128.238.62.2.route > 255.255.255.255.route: RIPv1, Response, length: 44
    0x0000:  45c0 0048 0000 0000 0211 f8f5 80ee 3e02  E..H..........>.
    0x0010:  ffff ffff 0208 0208 0034 b9a0 0201 0000  .........4......
    0x0020:  0002 0000 80ee 3f00 0000 0000 0000 0000  ......?.........
    0x0030:  0000 0001 0002 0000 80ee 4000 0000 0000  ..........@.....
    0x0040:  0000 0000 0000 0002                      ........

  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | command (1)   | version (1)   |      must be zero (2)         |
  +---------------+---------------+-------------------------------+
  | address family identifier (2) |      must be zero (2)         |
  +-------------------------------+-------------------------------+
  |                         IP address (4)                        |
  +---------------------------------------------------------------+
  |                        must be zero (4)                       |
  +---------------------------------------------------------------+
  |                        must be zero (4)                       |
  +---------------------------------------------------------------+
  |                          metric (4)                           |
  +---------------------------------------------------------------+

  The portion of the datagram from address family identifier through
  metric may appear up to 25 times.

We have:

command=02 version=01 mbz=0000
family=0002 mbz=0000 addr=80ee3f00 mbz=00000000 mbz=00000000 metric=00000001
family=0002 mbz=0000 adda=80ee4000 mbz=00000000 mbz=00000000 metric=00000002

But if you have more complex packets ...

One way to solve this kind of problem is to make a PCAP file from the data (with a tool or just a programming language such as python), and then use standard tools to examine it.

Your packet analysed with tshark is:

Internet Protocol Version 4, Src: 128.238.62.2, Dst: 255.255.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 72
    Identification: 0x0000 (0)
    Flags: 0x0000
        0... .... .... .... = Reserved bit: Not set
        .0.. .... .... .... = Don't fragment: Not set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 2
        [Expert Info (Note/Sequence): "Time To Live" only 2]
            ["Time To Live" only 2]
            [Severity level: Note]
            [Group: Sequence]
    Protocol: UDP (17)
    Header checksum: 0xf8f5 [validation disabled]
    [Header checksum status: Unverified]
    Source: 128.238.62.2
    Destination: 255.255.255.255
User Datagram Protocol, Src Port: 520, Dst Port: 520
    Source Port: 520
    Destination Port: 520
    Length: 52
    Checksum: 0xb9a0 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 0]
Routing Information Protocol
    Command: Response (2)
    Version: RIPv1 (1)
    IP Address: 128.238.63.0, Metric: 1
        Address Family: IP (2)
        IP Address: 128.238.63.0
        Metric: 1
    IP Address: 128.238.64.0, Metric: 2
        Address Family: IP (2)
        IP Address: 128.238.64.0
        Metric: 2

Related Solutions

Cisco – RIP routing is broken between two routers

they are assigned by default to 172.16.0.0 in both cases, and it does not work

I modified your ascii art a litte to reduce scrolling... It sounds like you're saying that you can't reach reach N1 from N2...

Broken RIPv1 topology
=====================

N1 ---- (172.16.1.1/24) R1 (172.16.3.1/30) ----- (172.16.3.2/30) R2 ----- (172.16.2.1/24) N2

Classful routing protocol overview

RIPv1 is a classful routing protocol... as such, it doesn't associate netmasks with routes when they are advertised. Classful routing protocols do a couple non-intuitive things...

They only advertise routes out interfaces where the masks match (this is your problem)
They automatically summarize at major network boundaries (see bonus material, below)

Interface netmasks

To make your topology work, your masks will have to match on all RIPv1 interfaces, unless you use a classless routing protocol (such as RIPv2, EIGRP, OSPF, or ISIS). If you need to use RIPv1, then reconfigure your topology such that all interfaces have matching masks, like this...

Functional RIPv1 topology
=========================

N1 ---- (172.16.1.1/24) R1 (172.16.3.1/24) ----- (172.16.3.2/24) R2 ----- (172.16.2.1/24) N2

Bonus material: RIPv1 Auto-summarization Example

Since this also tends to trip people up, I am including an example of RIPv1 auto-summarization dynamics.

When I mention major network boundaries below, I'm talking about the classic definitions for Class A, Class B, and Class C IPv4 networks...

Class A (8-bit netmasks): 1.0.0.0/8 - 127.0.0.0/8
Class B (16-bit netmasks): 128.0.0.0/16 - 191.255.0.0/16
Class C (24-bit netmasks): 192.168.0.0/24 - 223.255.255.0/24

Moving on to the RIPv1 auto-summarization example... I will use matching /24 interface netmasks for simplicity.

Lo0:
192.168.1.0/24
Lo1:
1.1.2.0/24
+----+                  +----+                     +----+
| R1 +------------------+ R2 +---------------------+ R3 |
+----+                  +----+                     +----+
          1.1.1.0/24              172.16.1.0/24

router rip               router rip                 router rip
 version 1                version 1                  version 1
 network 192.168.1.0      network 1.0.0.0            network 172.16.0.0
 network 1.0.0.0          network 172.16.0.0

The routing table on R3 contains:
C     172.16.1.0/24
R     1.0.0.0/8        <--- 1.1.1.0/24 and 1.1.2.0/24 are "hidden" by the 
                            classful summary at R2

R     192.168.1.0/24   <--- 192.168.1.0/24 passes transparently through R2
                            since it's a Class C network itself and is not 
                            summarized at R2

R1 and R2 are connected by subnets of the 1.0.0.0/8 major network, so 1.1.1.0/24 and 1.1.2.0/24 are advertised between R1 and R2; however, the link between R2 and R3 is not in 1.0.0.0/8, therefore R2 performs automatic summarization of subnets of 1.0.0.0/8 and subnets of 172.16.0.0/16.

When subnets of a major network are summarized, they get hidden by the summarized route... This happens at R2 when 1.1.1.0/24 and 1.1.2.0/24 are summarized to 1.0.0.0/8. Cisco routers cannot disable auto-summarization under RIP version 1 (but they can for RIPv2).

Routing – Why is RIP not scalable

Most of the references say "RIP is not scalable" hence can be used only in smaller networks. But none say "WHY?" What is that in RIP that actually preventing it from scaling to larger networks? And HOW OSPF overcomes the disadvantage of RIP?

Summary

RIPv1 floods routes frequently (every 30 seconds), which introduces large CPU loads as the size of the routing table increases. This is compounded by the reality that RIP recalculates metrics for every route, every time it floods the route out a new interface (regardless of whether there was a topology change or not). As the number of routes increases, this is prevents RIP from scaling as well as other protocols.
RIPv1 is classful
OSPF floods routes infrequently. If there is a topology change in the network, only the LSAs changed are flooded; metrics are calculated on these changes. As such, on-demand route calculations, on LSAs which are flooded infrequently, make OSPF scale well.
OSPF is a classless protocol, which supports CIDR, which also makes it a more scalable protocol than RIPv1

RIPv1 Details:

RIP is a Distance Vector protocol; all Distance Vector protocols run the Bellman-Ford algorithm. At a high level, this means:

All routes in the routing table are periodically announced through all interfaces.
RIP floods routes out every RIP interface every 30 seconds. Since RIP routes by rumor, this means every router in the topology must work in direct proportion to the size of the routing table every 30 seconds. The CPU load and traffic jitter implications of this become scary as you approach thousands of routes (particularly on CPU-based routers with no hardware forwarding).
The RIP protocol itself has a fixed maximum hop-count at 15 hops (which is small if you need to do any form of path-weighting).
Protocols based on Bellman-Ford algorithms are prone to routing loops, and count-to-infinity issues.

OSPF Details:

By way of contrast, OSPF is a link-state protocol running Dijkstra's algorithm. As such:

Each router only announces its directly connected and redistributed routes in routing updates (called LSAs).
Each router floods their own LSA every 30 minutes by default (because the route refresh timer is 3600 seconds, or 1 hour)
LSAs are also flooded when triggered by changes in the routing table
Routers use Dijkstra's algorithm to perform distributed LSA path calculations only when necessary.