IP Next Hop and BGP Next Hop analysis

Comprehensive user manual for CySight Ai-Driven Network and Endpoint Detection and Response (NDR, EDR) Forensics and Application Performance Monitoring (APM)


Hops are considered to be the routers/gateways along a packet's path as it travels from its source to a destination.

All the standard CySight reporting techniques can be used with Next Hop and BGP Next Hop analysis, including Top X/Y, Cross-Sectional and Visual Analytics.


IP Next Hop

"Next hop" is a routing term that refers to the next closest router a packet can go through.

The next hop is among the series of routers that are connected together in a network and is the next possible destination for a data packet. More specifically, next hop is an IP address entry in a router's routing table, which specifies the next closest/most optimal router in its routing path.

CySight uses the Next Hop information to automatically build the linkages used in the Topology setup which enables CySight to provide logical deduplication.

Next Hop fields can also be added as a column in a report using the Custom Forensics Display, or used as a criteria filter.


Every router maintains a next hop address for each entry in its routing table, calculated from the routing protocol in use and its associated metric.

A router has to manage information about its topological surroundings, specifically about nearby routers. Among the routes a router holds for a destination, the one with the lowest metric determines the next hop, i.e. the next optimal router.

BGP Next Hop

The CySight BGP Next Hop Support feature lets you find out through which service provider the traffic is going. This functionality is useful if you have arrangements with several other service providers for fault-protected delivery of traffic. The feature lets you charge customers more per packet when traffic has a more costly destination: you can pass on some of the cost associated with expensive transoceanic links, or charge more when traffic is sent to another ISP with which you have an expensive charge agreement.

The NEXT_HOP attribute is a well-known mandatory attribute in BGP. Well-known means that all BGP implementations must recognize this attribute, while mandatory means that it must be sent in all UPDATE messages that contain Network Layer Reachability Information (NLRI).

The EBGP next-hop attribute is the IP address that is used to reach the advertising router. For EBGP peers, the next-hop address is the IP address of the connection between the peers. For IBGP, the EBGP next-hop address is carried into the local AS.

If a service provider is using BGP to exchange routes within an AS, then the protocol is referred to as Interior BGP (IBGP).

How Does BGP Work?

BGP uses TCP as the transport protocol, on port 179. Two BGP routers form a TCP connection between one another. These routers are peer routers. The peer routers exchange messages to open and confirm the connection parameters.

BGP routers exchange network reachability information. This information is mainly an indication of the full path that a route must take in order to reach the destination network, expressed as a sequence of BGP AS numbers. This information helps in the construction of a loop-free graph of autonomous systems. The graph also shows where to apply routing policies in order to enforce restrictions on routing behavior.

Any two routers that form a TCP connection in order to exchange BGP routing information are "peers" or "neighbors". BGP peers initially exchange their full BGP routing tables. After this exchange, the peers send incremental updates as the routing table changes. BGP keeps a version number of the BGP table; the version number is the same for all BGP peers and changes whenever BGP updates the table with routing information changes. Keepalive packets ensure that the connection between the BGP peers is alive. Notification packets go out in response to errors or special conditions.
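The session mechanics above (TCP port 179, keepalives, notifications) boil down to a stream of fixed-format messages. As an added example, independent of CySight, here is a defensive parser for the BGP message header as defined in RFC 4271: a 16-byte all-ones marker, a 2-byte length and a 1-byte type (1 OPEN, 2 UPDATE, 3 NOTIFICATION, 4 KEEPALIVE). The parser validates the marker, bounds the length to 19..4096 bytes and rejects a KEEPALIVE with a body before trusting the length field to walk the stream, which is how a collector or sensor should treat BGP bytes it sees on the wire. The builder helpers and the sample stream are constructed for the example; the NOTIFICATION error code 6 is "Cease" from the RFC.

```python
import struct

BGP_PORT = 179
BGP_MARKER = b"\xff" * 16          # RFC 4271: 16 bytes of all ones
BGP_HEADER_LEN = 19                # marker(16) + length(2) + type(1)
BGP_MAX_MSG_LEN = 4096
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
BGP_ERR_CEASE = 6                  # NOTIFICATION error code "Cease"


def parse_bgp_message(data: bytes) -> tuple[str, bytes, bytes]:
    """Validate one BGP message header and return (type, body, remaining bytes).
    Every check runs before the length field is used to slice the stream."""
    if len(data) < BGP_HEADER_LEN:
        raise ValueError("header truncated")
    marker, length, msg_type = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise ValueError("bad marker: peers are not synchronised")
    if not BGP_HEADER_LEN <= length <= BGP_MAX_MSG_LEN:
        raise ValueError(f"bad message length {length}")
    if msg_type not in BGP_TYPES:
        raise ValueError(f"unknown message type {msg_type}")
    if msg_type == 4 and length != BGP_HEADER_LEN:
        raise ValueError("KEEPALIVE must be a bare header")
    if len(data) < length:
        raise ValueError("message body truncated")
    return BGP_TYPES[msg_type], data[BGP_HEADER_LEN:length], data[length:]


def split_stream(stream: bytes) -> list[tuple[str, bytes]]:
    """Split a captured TCP byte stream from port 179 into (type, body) pairs."""
    messages = []
    while stream:
        msg_type, body, stream = parse_bgp_message(stream)
        messages.append((msg_type, body))
    return messages


def build_keepalive() -> bytes:
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN, 4)


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    body = struct.pack("!BB", code, subcode) + data
    return BGP_MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), 3) + body


def is_malformed(data: bytes) -> bool:
    """True if the bytes do not start with a valid BGP message."""
    try:
        parse_bgp_message(data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed stream: a keepalive followed by a Cease notification.
    sample = build_keepalive() + build_notification(BGP_ERR_CEASE, 0)
    print(split_stream(sample))
    print("garbage rejected:", is_malformed(b"\x00" * BGP_HEADER_LEN))
```

A keepalive is exactly 19 bytes, so a stream of them is a sequence of identical headers; a notification carries at least an error code and subcode, after which the sender closes the TCP connection.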

Note that the egress interface, IP next hop and BGP next hop are not part of the flow key, so the values exported for a flow may not be accurate if the route changes before the flow expires, or if load balancing is done per packet.
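To make the caveat concrete, here is an added Python model of a flow cache (not CySight or router code): packets are aggregated on a NetFlow-style key of source, destination, protocol, ports and input interface, while the egress interface and next hops are non-key fields captured from the packet that created the flow (an assumption of this example; exporters differ in which packet they sample). When the route changes mid-flow, the exported record still reports the original next hop for every packet, and `misattributed_packets` counts how many bytes were accounted to the wrong hop. The same mechanism produces wrong attributions under per-packet load balancing. All packets are constructed with RFC 5737 addresses.

```python
from dataclasses import dataclass

# NetFlow-style flow key (constructed simplification): next hops are NOT in it.
FLOW_KEY_FIELDS = ("src", "dst", "proto", "sport", "dport", "input_if")


@dataclass
class FlowRecord:
    key: tuple
    packets: int = 0
    octets: int = 0
    # Non-key fields, captured once when the flow is created (assumption).
    egress_if: int = 0
    ip_next_hop: str = ""
    bgp_next_hop: str = ""


class FlowCache:
    def __init__(self) -> None:
        self.flows: dict[tuple, FlowRecord] = {}

    def observe(self, pkt: dict) -> FlowRecord:
        key = tuple(pkt[f] for f in FLOW_KEY_FIELDS)
        rec = self.flows.get(key)
        if rec is None:
            rec = FlowRecord(key, egress_if=pkt["egress_if"],
                             ip_next_hop=pkt["ip_next_hop"],
                             bgp_next_hop=pkt["bgp_next_hop"])
            self.flows[key] = rec
        # Later packets only bump counters; non-key fields are never revisited.
        rec.packets += 1
        rec.octets += pkt["octets"]
        return rec

    def export(self) -> list[FlowRecord]:
        """Expire every flow and return the records a collector would receive."""
        records = list(self.flows.values())
        self.flows.clear()
        return records


def constructed_packets() -> list[dict]:
    """Six packets of one TCP flow; the route changes after the third packet."""
    base = dict(src="10.1.1.10", dst="203.0.113.7", proto=6, sport=51000,
                dport=443, input_if=1, octets=1500)
    before = dict(egress_if=2, ip_next_hop="192.0.2.1", bgp_next_hop="192.0.2.1")
    after = dict(egress_if=3, ip_next_hop="198.51.100.1", bgp_next_hop="198.51.100.1")
    return [dict(base, **before) for _ in range(3)] + [dict(base, **after) for _ in range(3)]


def misattributed_packets(packets: list[dict], records: list[FlowRecord]) -> int:
    """Count packets whose real next hop differs from the exported record's."""
    by_key = {r.key: r for r in records}
    count = 0
    for pkt in packets:
        rec = by_key[tuple(pkt[f] for f in FLOW_KEY_FIELDS)]
        if pkt["ip_next_hop"] != rec.ip_next_hop:
            count += 1
    return count


def run_example() -> tuple[list[FlowRecord], int]:
    cache = FlowCache()
    pkts = constructed_packets()
    for pkt in pkts:
        cache.observe(pkt)
    records = cache.export()
    return records, misattributed_packets(pkts, records)


if __name__ == "__main__":
    records, wrong = run_example()
    for r in records:
        print(f"{r.packets} packets, {r.octets} bytes via {r.ip_next_hop} (egress if {r.egress_if})")
    print("packets attributed to the wrong next hop:", wrong)
```

One record comes out carrying all six packets and the pre-change next hop, so half the bytes are attributed to a path they never took; shorter flow expiry narrows the window but cannot remove it.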

Configuring NetFlow BGP Next Hop Support for Accounting and Analysis, Cisco, https://www.cisco.com/c/en/us/td/docs/i ... xt-hop.pdf
BGP next hop processing, Ivan Pepelnjak, https://blog.ipspace.net/2011/08/bgp-ne ... ssing.html
Understanding BGP Next-hop Diversity, Jaeyoung Choi, Jong Han Park, Pei-chun Cheng, Dorian Kim, Lixia Zhang, https://www.irl.cs.ucla.edu/~j13park/slides-gi11.pdf