Wireshark-users: Re: [Wireshark-users] tshark: How to capture SNMP traps (UDP port 162) that migh

From: Peter Valdemar Mørch <peter@xxxxxxxxx>
Date: Fri, 14 Dec 2012 10:17:50 +0100
Thank you for your reply.

I can see that I have been a little unclear with my words. I'm fine with capturing more than SNMP. Hard disk space is cheap and even all UDP is manageable in size for us. I would just like to end up after post-processing with all SNMP traps including fragmented ones, using only TShark.

To this end, I tried your suggestion:
> tshark -2 -r unfiltered.pcap -R snmp -w snmp.pcap

To which I got:
Segmentation fault (core dumped)

I've created a tiny .pcap file containing two frames - a single two-fragment SNMP trap - that also exhibits this. It is attached. Hope the mailing list allows attachments...

I'm just surprised it doesn't seem possible.

Again, thank you for your reply!

Peter

> tshark -v
TShark 1.8.2

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.34.0, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without
Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP.

Running on Linux 3.5.0-17-generic, with locale en_US.UTF-8, with libpcap version
1.3.0, with libz 1.2.7.

Built using gcc 4.7.2.
--
Peter Valdemar Mørch
http://www.morch.com

Attachment: linkDownFragmented.pcap
Description: Binary data