Auto detect a regular expression for your prefixes

Posted by Andree Toonk - October 4, 2008 - BGPmon.net, regular expressions - 7 Comments
BGPmon offers different ways to monitor your prefixes. One of the tools is a regex for your AS paths. It compares every BGP update for your prefix with the AS path regex you submitted. If the regex doesn't match the AS path in that update, an alarm (code41) is generated. AS path regexes are a very powerful method to monitor your prefixes. However, it might be challenging to write a regex for your prefix. The FAQ and Help link in the My Prefixes page offer some help and examples. I think a good regex should have the origin AS as well as the upstream AS's. So something like:
	(^|\s)(6327|13768|852) 271$
In this case AS271 can be seen behind 3 upstream (transit) AS's. If it were seen behind, for example, AS6509, an alarm would be generated. If you have a lot of upstreams and/or peers, it might be quite a job to create a regex for this. Especially if you're peering at an Internet Exchange, the number of peers might be quite high. To help you with this I added a new feature to BGPmon.net. This feature will try to detect all the upstreams/peers for your AS/prefix and will build a regex for you. This should reduce the false positive code41 (AS path regex mismatch) alarms.
Auto detect regular expressions for your prefix

You can use this functionality from the My Prefixes page by clicking on the autodetect button. It will list all the upstream AS's which are seen from the RIS servers I'm using and generate a regex based on that data. You can then copy and paste this regular expression into the My Prefixes page. Also see the screenshot of the result on the right hand side. If you created an account you can test it yourself for your prefix, otherwise you can test it using the demo account, as this functionality works for demo@bgpmon.net as well. Hopefully you'll find this functionality useful. If you have any feedback, please let me know.
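
A sketch of the autodetect idea and the resulting check, as an added example (not BGPmon's own code): it collects the AS directly in front of the origin from constructed AS paths, builds a regex of the form shown above using `( 271)+` so that prepending is tolerated, and lists which updates would raise code41. The function names, the sample paths and the use of Python's `re` are assumptions; the page does not say which regex flavour BGPmon uses.

```python
import re

# Constructed sample: AS paths seen for one prefix originated by AS271.
SAMPLE_PATHS = [
    "3333 1103 6327 271",
    "6327 271",                  # path of length 2: upstream is the first hop
    "12859 13768 271 271 271",   # origin prepended on this peering
    "3333 852 271",
]

def build_aspath_regex(observed_paths, origin_as):
    """Collect the AS adjacent to the origin in each path and build the regex."""
    origin = str(origin_as)
    upstreams = set()
    for path in observed_paths:
        hops = path.split()
        if not hops or hops[-1] != origin:
            continue                      # not originated by our AS: skip sample
        while hops and hops[-1] == origin:
            hops.pop()                    # drop the origin and any prepends
        if hops:
            upstreams.add(int(hops[-1]))  # AS directly in front of the origin
    if not upstreams:
        raise ValueError("no upstream AS observed for AS" + origin)
    alternatives = "|".join(str(asn) for asn in sorted(upstreams))
    # (^|\s) anchors the upstream on a whole ASN; ( origin)+ allows prepending.
    return r"(^|\s)(%s)( %s)+$" % (alternatives, origin)

def mismatches(regex, as_paths):
    """Return the paths that would raise a code41 (regex mismatch) alarm."""
    pattern = re.compile(regex)
    return [p for p in as_paths if not pattern.search(p)]

if __name__ == "__main__":
    regex = build_aspath_regex(SAMPLE_PATHS, 271)
    print("generated:", regex)
    updates = ["6327 271", "3333 852 271 271", "3333 6509 271", "3333 16327 271"]
    print("alarms:   ", mismatches(regex, updates))
    # The same updates against two weaker anchors, for comparison:
    print("no anchor:", mismatches(r"(852|6327|13768)( 271)+$", updates))
    print("\\s only:  ", mismatches(r"\s(852|6327|13768)( 271)+$", updates))
```

Without an anchor the lookalike upstream 16327 passes unnoticed, and with a bare `\s` the legitimate two-hop path `6327 271` raises a false alarm.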

7 comments

  • michael wong says:

    I’m using the regex function and was wondering how to make a regex which includes AS prepending?
    on different peerings I’m using different prepends. Do you have an example of that?

    Thanks michael

  • andree says:

    Hi Michael,

    You can use something like this: ( 271)+ meaning that 271 can occur multiple times.

    In this case AS271 may be prepended multiple times :
    \s(6327|13768|852|6509)( 271)+$

    I updated the help (in the My Prefixes section) with this information as well.
    hope that helps,
    Andree

  • Beat Vontobel says:

    Thanks a lot for your great tool!

    I’m also using the regex function and was wondering if there shouldn’t be a ‘\s’ or a ‘ ‘ (space) in front of the whole regex, so (using your example) /(6327|13768|852|6509)( 271)+$/ would not also match e.g. ‘16327 271’. I added a ‘\s’ in front of my regexes, but was wondering if you might be doing this already automatically “in the background”.
    Beat

  • andree says:

    Hi Beat,

    Yes you are right! There should be a space (\s) in front of it otherwise it would match 16327 as well. It’s not adding spaces in the background. It basically takes the regex, verifies if it’s correct and tests if it matches against the aspath.

    Thanks for the feedback. I will update the documentation and change that in the regex auto generator!

    Thanks again,
    Andree

  • andree says:

    Hi Beat,
    Just did a bit of testing and realized that in some cases adding \s will make the regex fail.
    It should actually be this:
    (^|\s)
    To catch the cases where the aspath has a length of 2.
    So that would make a proper regex (this one allows AS271 to prepend):
    (^|\s)(6327|13768|852|6509)( 271)+$

  • Beat Vontobel says:

    Hi Andree,
    thanks a lot for your quick reply. I just realized the ^-case as well from all the false alarms I got over the course of the night 🙂 and corrected that again.
    So just another question: Is there a possibility to “clear” alarms in the web interface? So next time I log in I’ll just see the new stuff? If not, this would be a cool feature!
    Thanks,
    Beat

  • andree says:

    Hi Beat,
    You can delete historical alarms by clicking on the alarm (details) and then remove those entries. If I have time I will make this a bit easier, but for now that’s how you can delete it.

    Cheers, Andree
