Wireshark-users: Re: [Wireshark-users] filter SNMP traps on enterprise

From: Tony Barratt <tbarratt@xxxxxxxxxxx>
Date: Thu, 23 Jul 2009 11:24:54 +0100
Thanks!
Tried that.
If I use the filter "snmp.name contains 1.3.6.1.4.1.9.9.26" I get a subset of traps (still 10 000s), roughly in line with what I am expecting.

For example:
..
SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.4.1.9.9.26.2.0.2 (SNMPv2SMI::enterprises.9.9.26.2.0.2)
..
Actually I am looking for 1.3.6.1.4.1.9.9.26.2.0.1 to 1.3.6.1.4.1.9.9.26.2.0.4 traps.

But if I use the filter "snmp.name contains 1.3.6.1.4.1.9.9.26.2"
I get no matches.
Which is mysterious, because I was expecting it for sure to match this line -> SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.4.1.9.9.26.2.0.2
Any suggestions?

TIA

Tony
Date: Wed, 22 Jul 2009 23:25:51 +0200
From: "Sake Blok" <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] e:  filter SNMP  traps on enterprise
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <8239C94436C44C3EB21EF85335434535@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

yes, you can use "snmp.name contains 1.3.6.1.4.1" as a display filter within Wireshark too :-)
Cheers,


Sake
----- Original Message -----
From: Tony Barratt
To: wireshark-users@xxxxxxxxxxxxx
Sent: Wednesday, July 22, 2009 11:10 PM
Subject: [Wireshark-users] e: filter SNMP traps on enterprise


 Hi,

 Thanks for that!
 I am stuck with tshark.exe (did not know that was available till I read your post!) as I only have access to the Windows version.
 I will try this in a Vista command window tomorrow.
 Can I also do something equivalent inside wireshark GUI I wonder?

 BR

 Tony

Date: Wed, 22 Jul 2009 19:55:57 +0200
From: j.snelders@xxxxxxxxxx
Subject: Re: [Wireshark-users] filter SNMP  traps on enterprise
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4A542FF20000B5DD@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="US-ASCII"

Hi Tony,

Please see my previous post:
http://www.wireshark.org/lists/wireshark-users/200907/msg00175.html

You can also use:
$ tshark -r 20080512161200.pcap -R "snmp.name contains 1.3.6.1.4.1" -T fields -e snmp.name | sort | uniq
1.3.6.1.4.1.6247.4.8.5.13.0
1.3.6.1.4.1.6247.4.9.2.1.16.2
1.3.6.1.4.1.6247.4.9.2.1.16.3

$ tshark -r 20080512161200.pcap -R "snmp.name contains 1.3.6.1.4.1.6247.4.9.2.1.7.2" -T fields -e snmp.name | sort | uniq
1.3.6.1.4.1.6247.4.9.2.1.16.2

HTH
Joan

On Wed, 22 Jul 2009 16:13:17 +0100 Tony Barratt wrote:
 Hello List,

I have just installed Wireshark 1.2.1 on Windows and I want to use it to
analyze some SNMP traps collected on a Linux box with tcpdump,
using tcpdump -nnvvXSs 1514 -i eth0 -C 15 udp and port 162 -w bert.cap.
If I understand correctly from using Google this will allow for trap analysis.

Have now loaded a 10 min capture file into Wireshark. There are over 100 000 packets within.
I need to filter stuff out, but the source is always the same because the
traps arrive via a trap forwarder.
One trap I am very interested in is demandNbrCallDetails or, because I don't have the MIBs loaded, 1.3.6.1.4.1.9.9.26.2.0.4.

Can someone please tell me if I can look inside the trap and filter on,
say, the enterprise (1.3.6.1.3.1.1.5 for example)
or the agent-addr (196.168.12.12 for example)?

Thanks v much in advance

Tony
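An added example, not from the thread and not Wireshark's or tshark's code: a small Python decoder for raw SNMP trap messages (the UDP/162 payloads tcpdump wrote into the capture) that exposes the fields this thread is filtering on. The enterprise and agent-addr fields the original post asks about exist only in the SNMPv1 Trap-PDU; an SNMPv2c trap carries its identity as the value of the snmpTrapOID.0 varbind, which is what the decoded line quoted in the reply (SNMPv2-MIB::snmpTrapOID.0 ... 1.3.6.1.4.1.9.9.26.2.0.2) shows. The decoder maps v1 traps to a trap OID with the RFC 3584 rule so both versions can be matched on the one prefix 1.3.6.1.4.1.9.9.26.2, and the prefix test is a subtree test rather than a substring test. The three messages at the bottom are constructed for the example (the community "public" and the agent address 192.0.2.10 are made up); reading the real payloads out of bert.cap with a pcap library is assumed and not shown.

```python
# Added example, not code from the thread or from Wireshark: decode raw SNMP trap
# messages (the UDP/162 payloads tcpdump captured) and match them on an OID prefix.
# Sample messages at the bottom are constructed; the agent address is made up.
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0 (SNMPv2-MIB)
def as_int(raw): return int.from_bytes(raw, "big", signed=True)   # BER INTEGER contents

def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_fields(buf, n):
    """Decode n consecutive TLVs from buf; return [(tag, contents), ...]."""
    out, pos = [], 0
    for _ in range(n):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """BER OID contents -> dotted text, e.g. b'\\x2b\\x06\\x01' -> '1.3.6.1'."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_varbinds(raw):
    """VarBindList contents -> [(name_oid, (value_tag, value_bytes)), ...]."""
    out, pos = [], 0
    while pos < len(raw):
        _, vb, pos = read_tlv(raw, pos)    # VarBind ::= SEQUENCE { name, value }
        (_, name_raw), (vtag, vraw) = read_fields(vb, 2)
        out.append((decode_oid(name_raw), (vtag, vraw)))
    return out

def parse_trap(msg):
    """Decode an SNMPv1 or SNMPv2c trap message into a dict; reject other PDUs."""
    body = read_fields(msg, 1)[0][1]                     # Message ::= SEQUENCE
    (_, ver_raw), (_, community), (pdu_tag, pdu) = read_fields(body, 3)
    info = {"version": as_int(ver_raw), "community": community.decode(),
            "enterprise": None, "agent_addr": None, "trap_oid": None}
    if pdu_tag == 0xA4:   # [4] Trap-PDU (SNMPv1): enterprise, agent-addr, generic, specific, time-stamp, varbinds
        (_, ent), (_, addr), (_, gen), (_, spec), _, (_, vbl) = read_fields(pdu, 6)
        info["enterprise"] = decode_oid(ent)
        info["agent_addr"] = ".".join(str(b) for b in addr)   # IpAddress (tag 0x40), 4 raw octets
        # RFC 3584 s.3.1: enterpriseSpecific(6) -> enterprise.0.specific; generic 0..5 -> snmpTraps.(generic+1)
        info["trap_oid"] = (f"{info['enterprise']}.0.{as_int(spec)}" if as_int(gen) == 6
                            else f"1.3.6.1.6.3.1.1.5.{as_int(gen) + 1}")
    elif pdu_tag == 0xA7:   # [7] SNMPv2-Trap-PDU: request-id, error-status, error-index, varbinds
        vbl = read_fields(pdu, 4)[3][1]
    else:
        raise ValueError(f"not a trap PDU (tag 0x{pdu_tag:02x})")
    info["varbinds"] = decode_varbinds(vbl)
    if pdu_tag == 0xA7:                                  # v2c: identity is the snmpTrapOID.0 value
        info["trap_oid"] = next((decode_oid(v) for n, (t, v) in info["varbinds"]
                                 if n == SNMP_TRAP_OID and t == 0x06), None)
    return info

def oid_under(oid, prefix):
    """Subtree test: ...26.2.0.2 is under ...26.2; ...26.20 is not, though a substring test says so."""
    return oid == prefix or oid.startswith(prefix + ".")

def matching_traps(messages, prefix):
    """Decode each raw message; keep the traps whose trap OID lies under prefix."""
    return [t for t in map(parse_trap, messages) if t["trap_oid"] and oid_under(t["trap_oid"], prefix)]

# Minimal BER encoder, present only to build the constructed sample messages below.
def tlv(tag, payload):
    n = len(payload)                       # short form, or two-byte long form, length
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + payload
def encode_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def encode_oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                     # base 128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))
def v2c_trap(trap_oid):
    vbl = (tlv(0x30, encode_oid("1.3.6.1.2.1.1.3.0") + tlv(0x43, b"\x30\x39"))   # sysUpTime.0
           + tlv(0x30, encode_oid(SNMP_TRAP_OID) + encode_oid(trap_oid)))       # snmpTrapOID.0
    pdu = tlv(0xA7, encode_int(1) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(1) + tlv(0x04, b"public") + pdu)
def v1_trap(enterprise, agent_addr, specific):
    addr = tlv(0x40, bytes(int(o) for o in agent_addr.split(".")))
    pdu = tlv(0xA4, encode_oid(enterprise) + addr + encode_int(6) + encode_int(specific)
              + tlv(0x43, b"\x00") + tlv(0x30, b""))
    return tlv(0x30, encode_int(0) + tlv(0x04, b"public") + pdu)

SAMPLE_TRAPS = [                                       # constructed; 192.0.2.10 is a made-up agent
    v2c_trap("1.3.6.1.4.1.9.9.26.2.0.2"),              # v2c enterprise-specific trap
    v1_trap("1.3.6.1.4.1.9.9.26.2", "192.0.2.10", 4),  # v1 form of the .../26.2.0.4 trap
    v2c_trap("1.3.6.1.6.3.1.1.5.3")]                   # v2c linkDown, outside the prefix
```

matching_traps(SAMPLE_TRAPS, "1.3.6.1.4.1.9.9.26.2") returns the first two samples, the v1 one reporting enterprise 1.3.6.1.4.1.9.9.26.2 and agent-addr 192.0.2.10, and leaves the linkDown trap out. To apply it to bert.cap, feed each UDP payload from the capture to parse_trap; only the trap PDU types are handled, and anything else raises.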