Wireshark-dev: Re: [Wireshark-dev] First 4 bytes in SNMP application data

From: chuck c <bubbasnmp@xxxxxxxxx>
Date: Fri, 25 Mar 2022 17:31:19 -0500
Setting (checkbox) this BER preference will display the SNMP byte details in the Packet Details.

Edit -> Preferences -> Protocols -> BER: "Show internal BER encapsulation tokens"

Simple Network Management Protocol
    00.. .... = Class: UNIVERSAL (0)
    ..1. .... = P/C: Constructed Encoding
    ...1 0000 = Tag: SEQUENCE (16)
    Length: 109
    00.. .... = Class: UNIVERSAL (0)
    ..0. .... = P/C: Primitive Encoding
    ...0 0010 = Tag: INTEGER (2)
    Length: 1
    version: v2c (1)
    00.. .... = Class: UNIVERSAL (0)
    ..0. .... = P/C: Primitive Encoding
    ...0 0100 = Tag: OCTET STRING (4)
    Length: 20


On Thu, Mar 3, 2022 at 12:03 PM chuck c <bubbasnmp@xxxxxxxxx> wrote:
Whoops - typo on the version.   
value=1 is snmpv2c

/* Version values as decoded by Wireshark's SNMP dissector (value_string table) */
static const value_string snmp_Version_vals[] = {
  {   0, "version-1" },
  {   1, "v2c" },
  {   2, "v2u" },
  {   3, "snmpv3" },
  { 0, NULL }
};

Not sure that I've ever seen v2u or v2p out in the wild.
"The SNMPv2 protocol standards made several attempts to address the security issues associated with the SNMPv1 protocol, with the party-based security model SNMPv2p, the user-based security model SNMPv2u, and the community-based security model SNMPv2c."

On Thu, Mar 3, 2022 at 11:52 AM chuck c <bubbasnmp@xxxxxxxxx> wrote:

"These types of encodings are commonly called type–length–value (TLV) encodings"


It's a bit confusing since there is no 0x30 in the BER tags list. Looking farther down into the details it's explained:
"In the initial octet, bit 6 encodes whether the type is primitive or constructed,"

So the first byte is a Constructed (C) (0x20) + SEQUENCE (0x10) = 0x30.
Next byte is length then the data which is more TLV objects.

If the first 5 bytes are 0x30 0x6d 0x02 0x01 0x01:
0x30 = constructed sequence
0x6d = length
0x02 = first object is INTEGER
0x01 = length = 1 byte
0x01 = value = 1 (SNMPv1)

chuckc
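As an added illustration of the TLV walk described above (not code from this thread or from Wireshark), the following Python decodes the BER identifier and length octets, including the long-form length, and reads the version INTEGER inside the outer SEQUENCE; the packet bytes are constructed for the example, not taken from a capture.

```python
# Added example: minimal BER TLV header walker for the start of an SNMP message.
# Not Wireshark code; SAMPLE below is a constructed SNMPv2c GetRequest, not a capture.

CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}
UNIVERSAL_TAGS = {2: "INTEGER", 4: "OCTET STRING", 5: "NULL", 6: "OBJECT IDENTIFIER", 16: "SEQUENCE"}
VERSION_NAMES = {0: "version-1", 1: "v2c", 2: "v2u", 3: "snmpv3"}

def parse_tlv_header(buf, offset=0):
    """Decode one identifier octet plus length. Returns (cls, constructed, tag, length, value_offset).
    Handles low-tag-number form (tag < 31) and long-form lengths up to 4 octets; rejects the rest."""
    if offset + 1 >= len(buf):
        raise ValueError("truncated: need a tag byte and a length byte")
    ident = buf[offset]
    cls = ident >> 6                 # bits 8-7: class
    constructed = bool(ident & 0x20) # bit 6: primitive/constructed (0x30 = 0x20 | 0x10)
    tag = ident & 0x1F               # bits 5-1: tag number
    if tag == 0x1F:
        raise ValueError("high-tag-number form not supported")
    first = buf[offset + 1]
    pos = offset + 2
    if first < 0x80:                 # short form: the byte is the length
        length = first
    else:                            # long form: 0x8N, then N length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):      # never trust the encoded length over the buffer size
        raise ValueError("length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    return cls, constructed, tag, length, pos

def describe(buf, offset=0):
    """One line per TLV header, in the spirit of Wireshark's BER token display."""
    cls, constructed, tag, length, _ = parse_tlv_header(buf, offset)
    name = UNIVERSAL_TAGS.get(tag, str(tag)) if cls == 0 else str(tag)
    return "%s %s %s len=%d" % (CLASS_NAMES[cls], "Constructed" if constructed else "Primitive", name, length)

def snmp_version(buf):
    """Enter the outer SEQUENCE and decode the first INTEGER as the SNMP version."""
    cls, constructed, tag, length, pos = parse_tlv_header(buf, 0)
    if not (cls == 0 and constructed and tag == 16):
        raise ValueError("SNMP message must start with a constructed SEQUENCE (0x30)")
    cls, constructed, tag, length, pos = parse_tlv_header(buf, pos)
    if not (cls == 0 and not constructed and tag == 2):
        raise ValueError("first element must be an INTEGER (0x02)")
    value = int.from_bytes(buf[pos:pos + length], "big", signed=True)
    return value, VERSION_NAMES.get(value, "unknown")

# Constructed: SEQUENCE { version 1, community "public", GetRequest { id 1, 0, 0, [sysDescr.0 NULL] } }
SAMPLE = bytes.fromhex("3026020101040670" "75626c6963a01902" "0101020100020100"
                       "300e300c06082b06" "0102010101000500")

if __name__ == "__main__":
    print(describe(SAMPLE, 0), "|", describe(SAMPLE, 2), "|", snmp_version(SAMPLE))
```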



On Thu, Mar 3, 2022 at 10:16 AM Chandra Japan <chandra.japan2013@xxxxxxxxx> wrote:
Hi Wireshark Team,

Please let me know:

What do the first 4 bytes in the SNMP data indicate?

I ask because from the 5th byte onward I can see the version and other things.

Regards
Chandramohan
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe