In case you have only fragments with snmp traps, you might want to capture all frames to/from port 162 and all fragments that have an offset not equal to 0. The only extra packets you will have in your trace will be fragments of packets that were not snmp traps. Which might not be to much noise :-)
You can use the following BPF filter for it:
ip and udp and (port 162 or ip[6:2] & 0x1fff != 0)
Cheers, Sake
On 14 dec 2012, at 10:17, Peter Valdemar Mørch wrote: Thank you for your reply.
I can see that I have been a little unclear with my words. I'm fine with capturing more than SNMP. Hard disk space is cheap and even all UDP is manageable in size for us. I would just like to end up after post-processing with all SNMP traps including fragmented ones, using only TShark.
To this end, I tried your suggestion: > tshark -2 -r unfiltered.pcap -R snmp -w snmp.pcap
To which I got: Segmentation fault (core dumped)
I've created a tiny .pcap file containing two frames - a single two-fragment SNMP trap - that also exhibits this. It is attached. Hope the mailing list allows attachments...
I'm just surprised it doesn't seem possible.
Again, thank you for your reply!
Peter
> tshark -v TShark 1.8.2
Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.34.0, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP.
Running on Linux 3.5.0-17-generic, with locale en_US.UTF-8, with libpcap version
1.3.0, with libz 1.2.7.
Built using gcc 4.7.2.
<linkDownFragmented.pcap>___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe |