HackTricks-wiki · carlospolop · Mar 12, 2026
diff --git a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md
@@ -58,6 +58,30 @@
   - `--as`: Defines the EIGRP AS number.
   - `--src`: Sets the attacker’s IP address.
 
+## **Protocol Notes for Crafting EIGRP Packets**
+
+- **Packet types**: HELLO (includes ACK), UPDATE, QUERY (includes SIA-Query), REPLY (includes SIA-Reply), REQUEST.
+- **Transport**: EIGRP is IP protocol **88**, typically multicast to **224.0.0.10** (IPv4) / **FF02::A** (IPv6).
+- **Authentication TLV**: RFC 7868 defines authentication types **0x02 (MD5)** and **0x03 (SHA2-256)**.
+
+```bash
+# Capture EIGRP over IPv4 (IP protocol 88)
+sudo tcpdump -ni eth0 ip proto 88
+
+# Capture EIGRP over IPv6 (IP protocol 88)
+sudo tcpdump -ni eth0 ip6 proto 88
+```
+
+## **Query-Flooding / SIA-Induced Neighbor Reset**
+
+- **Behavior**: If a router does not receive a **Reply** to a **Query** within ~3 minutes, it enters **Stuck-In-Active (SIA)** and clears the neighbor adjacency.
+- **Attack idea**: Force routers into the **active** state (for example, by advertising and withdrawing routes or poisoning key prefixes) and then **suppress/delay Replies**. This can drive repeated SIA events and adjacency resets, leading to sustained instability or DoS.
+
+## References
+
+- [RFC 7868 - Cisco's Enhanced Interior Gateway Routing Protocol (EIGRP)](https://datatracker.ietf.org/doc/html/rfc7868)
+- [Troubleshoot EIGRP Common Issues (SIA)](https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/118974-technote-eigrp-00.html)
+
 {{#include ../../banners/hacktricks-training.md}}