Thank you for your reply.
I can see that I have been a little unclear with my words. I'm fine with capturing more than SNMP. Hard disk space is cheap and even all UDP is manageable in size for us. I would just like to end up after post-processing with all SNMP traps including fragmented ones, using only TShark.
To this end, I tried your suggestion:
> tshark -2 -r unfiltered.pcap -R snmp -w snmp.pcap
To which I got:
Segmentation fault (core dumped)
I've created a tiny .pcap file containing two frames - a single two-fragment SNMP trap - that also exhibits this. It is attached. Hope the mailing list allows attachments...
I'm just surprised it doesn't seem possible.
Again, thank you for your reply!
Peter
> tshark -v
TShark 1.8.2
Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.34.0, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without
Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP.
Running on Linux 3.5.0-17-generic, with locale en_US.UTF-8, with libpcap version
1.3.0, with libz 1.2.7.
Built using gcc 4.7.2.
Attachment:
linkDownFragmented.pcap
Description: Binary data