Ethereal-users: Re: [Ethereal-users] Malformed Packet:SNMP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Tue, 26 Nov 2002 20:06:05 +0100
Tony Mitchell wrote:
<Does anybody know ALL the conditions that cause an SNMP packet to be
<reported as "Malformed"

No, I don't know all the conditions. 
I noticed that there were some packets in the PROTOS SNMP test-suite captures (http://www.ethereal.com/sample/) that Ethereal indicated as [Malformed Packet: SNMP].
I don't know if all these packets really are malformed, but they might be.

I tried with another sniffer and it indicated strange results for the packets I checked,
but it didn't indicate it as clearly as Ethereal in most cases. Sometimes it showed the length as zero
and just some rubbish data, but in some cases "packet to small", "incorrect Object ID" or similar.
I will try with some other sniffers tomorrow to see what they say.

Below is one example from Ethereal:

Frame 15321 (100 bytes on wire, 100 bytes captured)
Ethernet II, Src: 00:20:af:1b:07:fa, Dst: 00:e0:29:68:8b:fb
Internet Protocol, Src Addr: 192.168.0.2 (192.168.0.2), Dst Addr: 192.168.0.1 (192.168.0.1)
User Datagram Protocol, Src Port: 1044 (1044), Dst Port: 162 (162)
Simple Network Management Protocol
    Version: 1
    Community: public
    PDU type: TRAP-V1
    Enterprise: 1.3.6.1.4.1.4.1.2.21
    Agent address: 127.0.0.1
    Trap type: ENTERPRISE SPECIFIC
    Specific trap type: 0 (0)
    Timestamp: 15320
    Object identifier 1: 1.3.6.1.2.1.2.1.0
[Malformed Packet: SNMP]

0000  00 e0 29 68 8b fb 00 20 af 1b 07 fa 08 00 45 00   ..)h... ......E.
0010  00 56 4f c9 00 00 40 11 a9 7a c0 a8 00 02 c0 a8   .VO...@..z......
0020  00 01 04 14 00 a2 00 42 98 e9 30 38 02 01 00 04   .......B..08....
0030  06 70 75 62 6c 69 63 a4 2b 06 09 2b 06 01 04 01   .public.+..+....
0040  04 01 02 15 40 04 7f 00 00 01 02 01 06 02 01 00   ....@...........
0050  43 02 3b d8 30 0e 30 0c 06 08 2b 06 01 02 01 02   C.;.0.0...+.....
0060  01 00 43 00                

The problem occurs for the last two octets:
0x43 means TimeTicks I think and 0x00 means length 0.
I don't think that 0 is a valid length for TimeTicks.

INTEGER/Integer32    0x02
OCTET STRING/BITS    0x04
NULL                 0x05
OBJECT IDENTIFIER    0x06
IpAddress            0x40
NetworkAddress       0x40
Counter/Counter32    0x41
Unsigned32           0x42
Gauge/Gauge32        0x42
TimeTicks            0x43
Opaque               0x44
Counter64            0x46

Could you send a capture of the packet you got "Malformed packet" for, so we can see the hex data also?

Regards,
  Martin
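
Added example, not part of the original message and not Ethereal's dissector code: a small BER TLV walker run over the SNMP payload of frame 15321 above (the UDP data starting at frame offset 0x2a). It uses the tag values listed in the message and assumes the BER rule that integer-based types carry at least one content octet; the names INT_TAGS, PAYLOAD, read_length and walk are made up for this illustration.

```python
# Added example: minimal BER TLV walker (not Ethereal's dissector code).
# Integer-based tags from the list in the message.
INT_TAGS = {0x02: "INTEGER", 0x41: "Counter32", 0x42: "Gauge32",
            0x43: "TimeTicks", 0x46: "Counter64"}
# Assumption: BER integers, and SNMP types built on them, need >= 1 content octet.

# UDP payload of frame 15321 (frame offset 0x2a onward), copied from the hex dump.
PAYLOAD = bytes.fromhex(
    "30 38 02 01 00 04"
    "06 70 75 62 6c 69 63 a4 2b 06 09 2b 06 01 04 01"
    "04 01 02 15 40 04 7f 00 00 01 02 01 06 02 01 00"
    "43 02 3b d8 30 0e 30 0c 06 08 2b 06 01 02 01 02"
    "01 00 43 00")

def read_length(buf, pos):
    """Decode a definite BER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated before length octet")
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def walk(buf, base=0, findings=None):
    """Walk the TLVs in buf; return [(payload_offset, problem), ...]."""
    findings = [] if findings is None else findings
    pos = 0
    while pos < len(buf):
        start, tag = pos, buf[pos]
        try:
            length, pos = read_length(buf, pos + 1)
        except ValueError as exc:
            findings.append((base + start, str(exc)))
            break
        if pos + length > len(buf):
            findings.append((base + start, "value runs past end of buffer"))
            break
        if tag & 0x20:                     # constructed (SEQUENCE, PDU): recurse
            walk(buf[pos:pos + length], base + pos, findings)
        elif tag in INT_TAGS and length == 0:
            findings.append((base + start, "zero-length " + INT_TAGS[tag]))
        pos += length
    return findings

if __name__ == "__main__":
    print(walk(PAYLOAD))
```

The reported offset is relative to the UDP payload, so 56 corresponds to frame offset 0x62, the 43 00 pair at the end of the dump.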