Wireshark-dev: Re: [Wireshark-dev] First 4 bytes in SNMP application data

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Thu, 3 Mar 2022 12:03:41 -0600
Whoops - typo on the version.   
value=1 is snmpv2c

https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-snmp.c#L2115
static const value_string snmp_Version_vals[] = {
  {   0, "version-1" },
  {   1, "v2c" },
  {   2, "v2u" },
  {   3, "snmpv3" },
  { 0, NULL }
};

Not sure that I've ever seen v2u or v2p out in the wild.
https://www.ibm.com/docs/en/zos/2.4.0?topic=protocols-snmpv2
"The SNMPv2 protocol standards made several attempts to address the security issues associated with the SNMPv1 protocol, with the party-based security model SNMPv2p, the user-based security model SNMPv2u, and the community-based security model SNMPv2c."

On Thu, Mar 3, 2022 at 11:52 AM chuck c <bubbasnmp@xxxxxxxxx> wrote:
SNMP (https://datatracker.ietf.org/doc/html/rfc1157) uses ASN.1 BER (https://en.wikipedia.org/wiki/X.690#BER_encoding) to define the data.

"These types of encodings are commonly called type–length–value (TLV) encodings"

(See https://datatracker.ietf.org/doc/html/rfc1592 for a packet diagram)

It's a bit confusing since there is no 0x30 in the BER tags list. Looking farther down into the details it's explained:
"In the initial octet, bit 6 encodes whether the type is primitive or constructed,"

So the first byte is a Constructed (C) (0x20) + SEQUENCE (0x10) = 0x30.
Next byte is length then the data which is more TLV objects.

If first 5 bytes area 0x30 0x6d 0x02 0x01 0x01:
0x30 = constructed sequence
0x6d = length
0x02 = first object is INTEGER
0x01 = length = 1 byte
0x01 = value = 1 (SNMPv1)

chuckc



On Thu, Mar 3, 2022 at 10:16 AM Chandra Japan <chandra.japan2013@xxxxxxxxx> wrote:
Hi Wireshark Team,

Please let me know 

what does first 4 bytes in SNMP Data indicate

because I could see from 5th byte I see version and other things

Regards
Chandramohan
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe