RFC 2281

The Cisco Hot Standby Router Protocol (HSRP) provides a mechanism which is designed to support non-disruptive failover of IP traffic in certain circumstances. In particular, the protocol protects against the failure of the first hop router when the source host cannot learn the IP address of the first hop router dynamically. The protocol is designed for use over multi-access, multicast or broadcast capable LANs (e.g., Ethernet). A large class of legacy host implementations that do not support dynamic discovery are capable of configuring a default router. HSRP provides failover services to those hosts.

HSRP runs on top of UDP, and uses port number 1985. Packets are sent to multicast address with TTL 1. Routers use their actual IP address as the source address for protocol packets, not the virtual IP address. This is necessary so that the HSRP routers can identify each other. The format of the data portion of the UDP datagram is:


1 byte    | 1 byte    | 1 byte    | 1 byte
Version   | Op code   | State     | Hellotime
Holdtime  | Priority  | Group     | Reserved
Authentication data
Authentication data
Virtual IP address

HSRP structure

Version
HSRP version number, 0 for this version.

Op code
Type of message contained in the packet. Possible values are:
0 - Hello, sent to indicate that a router is running and is capable of becoming the active or standby router.
1 - Coup, sent when a router wishes to become the active router.
2 - Resign, sent when a router no longer wishes to be the active router.

State
Internally, each router in the standby group implements a state machine. The State field describes the current state of the router sending the message. Possible values are:
0    Initial
1    Learn
2    Listen
4    Speak
8    Standby
16   Active

Hellotime
Approximate period between the Hello messages that the router sends (for Hello messages only). The time is given in seconds. If the Hellotime is not configured on a router, then it may be learned from the Hello message from the active router. The Hellotime should only be learned if no Hellotime is configured and the Hello message is authenticated. A router that sends a Hello message must insert the Hellotime that it is using in the Hellotime field in the Hello message. If the Hellotime is not learned from a Hello message from the active router and it is not manually configured, a default value of 3 seconds is recommended.

Holdtime
The amount of time, in seconds, that the current Hello message should be considered valid (for Hello messages only).

Priority
Used to elect the active and standby routers. When comparing priorities of two different routers, the router with the numerically higher priority wins. In the case of routers with equal priority, the router with the higher IP address wins.

Group
Identifies the standby group. For Token Ring, values between 0 and 2 inclusive are valid. For other media, values between 0 and 255 inclusive are valid.

Authentication data
(8 bytes) Clear-text 8 character reused password. If no authentication data is configured, the recommended default value is 0x63 0x69 0x73 0x63 0x6F 0x00 0x00 0x00.

Virtual IP address
(4 bytes) Virtual IP address used by this group. If the virtual IP address is not configured on a router, then it may be learned from the Hello message from the active router. An address should only be learned if no address was configured and the Hello message is authenticated.
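
The following Python parser decodes the 20-byte data portion described above and reports when the authentication data is the recommended default. It is an added example, not code from the original page; the names parse_hsrp and findings, and the sample packet, are assumptions constructed for illustration.

```python
import ipaddress
import struct

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
# Recommended default authentication data quoted in the text above.
DEFAULT_AUTH = bytes([0x63, 0x69, 0x73, 0x63, 0x6F, 0x00, 0x00, 0x00])
HSRP_FMT = "!8B8s4s"  # eight 1-byte fields, 8-byte auth data, 4-byte virtual IP


def parse_hsrp(payload: bytes) -> dict:
    """Decode the data portion of an HSRP version 0 UDP datagram (port 1985)."""
    size = struct.calcsize(HSRP_FMT)  # 20 bytes
    if len(payload) < size:
        raise ValueError(f"HSRP payload too short: {len(payload)} < {size} bytes")
    (version, opcode, state, hellotime, holdtime,
     priority, group, _reserved, auth, vip) = struct.unpack(HSRP_FMT, payload[:size])
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    findings = []  # hypothetical list of observations for a monitoring tool
    if opcode not in OPCODES:
        findings.append("unknown op code")
    if state not in STATES:
        findings.append("unknown state")
    if auth == DEFAULT_AUTH:
        findings.append("default clear-text authentication data in use")
    return {
        "opcode": OPCODES.get(opcode, opcode),
        "state": STATES.get(state, state),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
        "findings": findings,
    }


# Constructed sample: Hello from the active router of group 1, default auth data,
# hellotime 3 s, holdtime 10 s, priority 100, virtual IP 192.0.2.1 (documentation address).
SAMPLE_HELLO = bytes([0, 0, 16, 3, 10, 100, 1, 0]) + DEFAULT_AUTH + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    for key, value in parse_hsrp(SAMPLE_HELLO).items():
        print(f"{key:11} {value}")
```
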
