Search Query Guide
Learn the search query language for BGP events and RADB data.
Tips for Efficient Searching
- When searching events, use fields marked with fast for extremely fast searches. These fields have lookup tables on the backend that dramatically improve query performance.
- * Be specific with your queries. Searching across columns without lookup tables and broad categories will take a long time.
Table of Contents
Quick Start
The search bar automatically detects what you're searching for:
| Input | Detected As | Action |
|---|---|---|
12345 or AS12345 |
ASN | Opens ASN overview page |
1.2.3.0/24 |
Prefix | Opens prefix overview page |
1.2.3.4 |
IP Address | Shows prefix hierarchy |
peer_asn: 13335 |
Events query | Searches BGP events |
route.descr: "Cloudflare" |
RADB query | Searches RADB registry |
cloudflare |
Free text | Searches RADB descriptions |
Query Syntax
Basic Structure
Queries use a field: value syntax:
Operators
Combine multiple conditions with boolean operators:
| Operator | Description | Example |
|---|---|---|
AND |
Both conditions must match | peer_asn: 13335 AND origin_asn: 13335 |
OR |
Either condition can match | peer_asn: 13335 OR peer_asn: 2914 |
NOT |
Exclude matches | NOT peer_asn: 13335 |
( ) |
Group conditions | (peer_asn: 13335 OR peer_asn: 2914) AND event_type: withdrawal |
Value Formats
Plain values (no spaces):
Quoted values (with spaces or special characters):
Communities (always quote values with colons):
BGP Events Search
Search historical BGP routing events including announcements and withdrawals from RouteViews and RIPE RIS collectors.
Collector & Peer Fields
collector_id
fast
BGP route collector identifier (e.g., rrc00, route-views2)
Identifies which RouteViews or RIPE RIS collector received the update. Useful for filtering to specific vantage points.
peer_ip
IP address of the BGP peer session
The IP address of the BGP session where the update was received. Useful for investigating specific peering sessions.
peer_asn
fast
ASN of the BGP peer advertising the route
The AS number of the BGP neighbor that sent the update. This is NOT the origin AS - it's the immediate peer the collector received the update from.
AS Path Fields
as_in_path
fast
Search for routes where this ASN appears anywhere in the AS path
The most common way to find routes that transit through a specific network. For example, as_in_path: 3356 finds all routes that traverse Level3/Lumen's network.
as_path
Exact AS path match (space-separated, quoted)
Matches the exact AS path sequence. Must be space-separated and quoted. Useful for finding routes with a specific path structure.
origin_asn
fast
The originating ASN (last AS in path)
The ASN that originated the route (the rightmost AS in the path). Use this to find all announcements where a specific AS is claiming to be the origin.
Community Fields
community
fast
Exact BGP community match (e.g., 2914:420)
BGP communities are 32-bit values typically represented as ASN:value. Use this for exact matches. Always quote the value since it contains a colon.
community_asn
fast
Match communities by ASN (left side)
Matches communities where the left side (ASN portion) equals the specified value. community_asn: 2914 matches 2914:100, 2914:420, 2914:666, etc.
community_action
fast
Match communities by action value (right side)
Matches communities where the right side equals the specified value. community_action: 666 matches blackhole communities like 2914:666, 3356:666, etc.
Route Attributes
prefix
fast
IP prefix in CIDR notation
The announced or withdrawn IP prefix. Use CIDR notation. Supports both IPv4 and IPv6.
next_hop
BGP next hop IP address
The BGP NEXT_HOP attribute - the IP address packets should be forwarded to for this route.
med
Multi-Exit Discriminator value
A numeric value used to influence inbound routing when multiple entry points exist. Lower values are preferred.
event_type
Event type: "announcement" or "withdrawal"
Filter to specific event types - announcements (route advertised) or withdrawals (route removed).
RADB Search
Search the Routing Assets Database (Internet Routing Registry) for registration information. RADB contains authoritative records of who is authorized to announce what prefixes.
Route Objects
Route objects document which AS is authorized to originate a prefix.
route.prefix
The IP prefix being registered. Use to find registrations for specific address space.
route.origin_as
The AS number authorized to originate this prefix. This is what BGP validators check against actual BGP announcements.
route.descr
regex
Free-text description, typically containing organization name. Supports regex for flexible matching.
route.mnt_by
regex
The maintainer object that controls this registration. Maintainers authenticate changes to objects. Finding routes by maintainer helps identify all prefixes managed by an organization.
route.remarks
regex
Additional context or notes. Often contains contact info, NOC details, or references to policies.
route.admin_c / route.tech_c
regex
NIC handles (identifiers) for administrative and technical contacts. Links to person or role objects.
Aut-num Objects
Aut-num objects register Autonomous System Numbers and their routing policies.
aut_num.asn
The AS number. Use to look up a specific AS registration.
aut_num.as_name
regex
A short name or identifier for the AS, like "CLOUDFLARE" or "GOOGLE". Often used in peering filters.
aut_num.descr
regex
Description of the AS, typically containing the organization name.
aut_num.remarks
regex
Free-text notes. Often contains peering policy information (open, selective, restrictive), NOC contact details, or references to external documentation.
aut_num.mnt_by
regex
The maintainer responsible for this AS registration.
AS-SET Objects
AS-SETs group multiple ASNs together, commonly used for representing customer cones or peering groups.
as_set.as_set_name
regex
The name of the AS-SET, typically starting with "AS-". Examples: AS-CLOUDFLARE, AS-HURRICANE, AS-GOOGLE.
as_set.members
regex
The ASNs or nested AS-SETs contained in this set. Use to find AS-SETs that include a specific ASN.
as_set.mbrs_by_ref
regex
Allows members to be added by reference - any AS whose maintainer is listed here can add themselves. Used for customer cone management.
Route-SET Objects
Route-SETs group multiple prefixes together, similar to AS-SETs but for address space.
route_set.route_set_name
regex
The name of the route-set.
route_set.members / route_set.mp_members
regex
The prefixes contained in the set. members is for IPv4, mp_members for IPv6.
Contact Objects
Person and role objects contain contact information for network administrators.
contact.nic_hdl
regex
The NIC handle is a unique identifier like "JD1234-RIPE". Used to reference contacts from other objects.
contact.name
regex
Full name of the person or role title.
contact.email
regex
Contact email address. Useful for finding who manages specific infrastructure.
Maintainer Objects
Maintainer objects control authentication and authorization for IRR changes.
mntner.mntner
regex
The maintainer name, like "CLOUDFLARE-MNT" or "GOOGLE-MNT".
mntner.descr
regex
Description of the maintainer.
Advanced Examples
Investigating a Prefix Hijack
1. Find who should be originating the prefix:
2. Find actual BGP announcements:
3. Find announcements from unexpected origins:
Tracking Transit Relationships
Find routes that transit through Level3 (AS3356):
Find Google routes that transit Cogent:
Community-Based Analysis
Find all blackhole routes (common community value 666):
Find routes tagged with Cloudflare communities:
RADB Registration Analysis
Find all objects maintained by an organization:
Find AS-SETs containing a specific ASN:
Find contacts by email domain: