We want to capture SNMP traps. The simple
tshark -f 'port 162'
Doesn't work if there are SNMP traps that are fragmented, because then we don't get all the fragments. I understand.
Wireshark now since rev 41216 saves all dependent packets too when one saves all packets according to the display filter [1] [2]. I've tried wireshark's version 1.8.2 and it works as described.
I therefore expected this to work for tshark 1.8.2 too:
tshark -f udp -w alludp.pcap
# wait for it, wait for it...
tshark -r alludp.pcap -R snmp -w snmp.pcap
But it doesn't work. I only get one packet - it doesn't save all fragments. Two questions:
1) Isn't the tshark command above the tshark equivalent of the same use case? I expected it to work similarly (and save all fragments, just like wireshark). Is there something wrong with my mental model / expectations? Is there some other way to achieve this?
2) Is there some other way to capture exactly SNMP traps (UDP port 162) including fragmented ones with tshark avoiding having to install and start up wireshark? We're on a headless/X-less system so for us tshark + screen is much more practical than wireshark will ever be.
1:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=33152:
http://anonsvn.wireshark.org/viewvc?revision=41216&view=revision
--
Peter Valdemar Mørch
http://www.morch.com