Wireshark-users: Re: [Wireshark-users] Malformed Packet - SNMP Trap

From: Rexford Park <rex.park@xxxxxx>
Date: Fri, 15 Nov 2013 21:50:05 +0000 (GMT)
Thanks for the tip, Patrick. I just finished a major rewrite of the library to support both forms of BER length encoding. Now everything is working well.

On Aug 29, 2013, at 07:47 PM, Patrick Klos <patrick@xxxxxxxx> wrote:

Rexford Park wrote:
I've been working on an SNMP v2c Agent library for the Arduino
platform and hit a bit of a roadblock. So far the library works fine
on messages that are under 172 bytes long. Once the messages hit 172
bytes they aren't picked up by SNMP Managers and Wireshark lists them
as Malformed Packets.
I'm hoping I can find someone here that is more familiar with SNMP and
can help me figure out what exactly is wrong with the packet so that I
can dig into my code and fix the issue. Is there a way to get
Wireshark to tell me where the packet has failed?
Wireshark Output of a malformed trap:
0000 a8 20 66 28 f1 69 de ad be ef fe ee 08 00 45 00
0010 00 9e 00 03 40 00 80 11 e3 8e 0a 23 01 3d 0a 23
0020 01 3b 00 a1 00 a2 00 8a 75 15

Standard UDP/IP packet so far.

0020 30 80

According to BER rules, the basic SNMP encapsulation includes a tag,
length and value. This tag is 0x30, which is a 'sequence'. The length
of the value is 128 bytes, which is indeed 0x80 hex. But encoding the
length in BER requires that values above 127 use a multi-byte form where
the first byte has the high bit set (to indicate multi-byte encoding)
and the low 7 bits indicate the length of the value. To encode the
value of 128, you would encode it in 2 bytes as this:

81 80

0020 02 01 01 04
0030 06 70 75 62 6c 69 63 a7 73 02 04 00 00 00 02 02
0040 01 00 02 01 00 30 65 30 10 06 08 2b 06 01 02 01
0050 01 03 00 43 04 00 00 09 c5 30 19 06 0a 2b 06 01
0060 06 03 01 01 04 01 00 06 0b 2b 06 01 04 01 82 99
0070 3b 01 00 01 30 10 06 0b 2b 06 01 04 01 82 99 3b
0080 01 01 01 02 01 16 30 24 06 0b 2b 06 01 04 01 82
0090 99 3b 01 01 02 04 15 31 32 33 34 35 36 37 38 39
00a0 30 31 32 33 34 35 36 37 38 39 30 31
Thanks

Other than that, the rest of the packet looks fine to me.

So, your Arduino's SNMP library needs a little work on its BER encoding
of lengths. (just change the '30 80' at the beginning of the SNMP data
to '30 81 80' and the packet would be OK)

Good luck! Let us know how you make out.

Patrick
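The BER length rule discussed in this thread, as an added example; it is not code from the thread or from the Arduino SNMP library under discussion, and only the trap bytes are taken from the hex dump above. In the short form a single byte 0x00..0x7f is the length itself; in the long form the first byte is 0x80 plus the number of length octets that follow, and the length is in those octets, so 128 is encoded as 81 80. A bare 0x80 is the indefinite-length marker, which SNMP's BER profile (RFC 3417) forbids, and that is what makes Wireshark flag the trap. The walker below reports the offset of the first element it cannot decode, which answers the question of where the packet fails, and it also decodes the OIDs, whose base-128 sub-identifiers use the same high-bit continuation idea:

```python
"""BER length encoding plus a TLV walker for the SNMP trap from the thread.
Added example, not the Arduino library's code; trap bytes copied from the thread."""

# UDP payload of the trap from the thread, after the leading '30 80'.
TRAP_BODY_HEX = (
    "02 01 01 04 "
    "06 70 75 62 6c 69 63 a7 73 02 04 00 00 00 02 02 "
    "01 00 02 01 00 30 65 30 10 06 08 2b 06 01 02 01 "
    "01 03 00 43 04 00 00 09 c5 30 19 06 0a 2b 06 01 "
    "06 03 01 01 04 01 00 06 0b 2b 06 01 04 01 82 99 "
    "3b 01 00 01 30 10 06 0b 2b 06 01 04 01 82 99 3b "
    "01 01 01 02 01 16 30 24 06 0b 2b 06 01 04 01 82 "
    "99 3b 01 01 02 04 15 31 32 33 34 35 36 37 38 39 "
    "30 31 32 33 34 35 36 37 38 39 30 31"
)
BAD_TRAP = bytes.fromhex("30 80 " + TRAP_BODY_HEX)      # as sent by the Arduino
GOOD_TRAP = bytes.fromhex("30 81 80 " + TRAP_BODY_HEX)  # with the long-form length

def encode_length(n):
    """BER definite length: one byte for 0..127, else 0x80|k then k big-endian bytes."""
    if n < 0:
        raise ValueError("length must be non-negative")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_tlv(tag, content):
    """Wrap content in a tag/length/value triple using the correct length form."""
    return bytes([tag]) + encode_length(len(content)) + content

def decode_length(buf, pos):
    """Decode the length at buf[pos]; return (length, offset of first content byte)."""
    if pos >= len(buf):
        raise ValueError(f"offset {pos}: length byte missing")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0:  # 0x80 alone is the indefinite form, which RFC 3417 forbids in SNMP
        raise ValueError(f"offset {pos}: 0x80 is the indefinite length form, not length 128")
    end = pos + 1 + nbytes
    if end > len(buf):
        raise ValueError(f"offset {pos}: long-form length needs {nbytes} more bytes")
    # Non-minimal long forms such as 82 00 80 are accepted: RFC 3417 permits them.
    return int.from_bytes(buf[pos + 1:end], "big"), end

def walk(buf, pos=0, end=None, depth=0, out=None):
    """Walk the TLV tree (single-byte tags only, which is all SNMP uses); return
    [(depth, offset, tag, length)] or raise ValueError naming the failing offset."""
    end = len(buf) if end is None else end
    out = [] if out is None else out
    while pos < end:
        tag = buf[pos]
        length, content = decode_length(buf, pos + 1)
        if content + length > end:
            raise ValueError(f"offset {pos}: tag 0x{tag:02x} claims {length} bytes, only {end - content} remain")
        out.append((depth, pos, tag, length))
        if tag & 0x20:  # constructed: SEQUENCE (0x30) and the PDU tags (0xa0..0xa7)
            walk(buf, content, content + length, depth + 1, out)
        pos = content + length
    return out

def first_error(buf):
    """Message for the first decoding failure, or None if the whole message parses."""
    try:
        walk(buf)
    except ValueError as exc:
        return str(exc)
    return None

def decode_oid(content):
    """OBJECT IDENTIFIER contents: base-128 sub-identifiers, high bit = continuation."""
    subids, value, pending = [], 0, False
    for b in content:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending or not subids:
        raise ValueError("truncated OBJECT IDENTIFIER")
    first = min(subids[0] // 40, 2)  # first octet packs the first two arcs as X*40+Y
    return ".".join(str(s) for s in [first, subids[0] - 40 * first] + subids[1:])

def oids(buf):
    """Every OBJECT IDENTIFIER in the message, in wire order."""
    found = []
    for _depth, off, tag, length in walk(buf):
        if tag == 0x06:
            _, content = decode_length(buf, off + 1)
            found.append(decode_oid(buf[content:content + length]))
    return found

if __name__ == "__main__":
    print("as sent  :", first_error(BAD_TRAP))
    print("repaired :", first_error(GOOD_TRAP))
    for depth, off, tag, length in walk(GOOD_TRAP):
        print(f"{'  ' * depth}offset {off:3d}  tag 0x{tag:02x}  length {length}")
    print(oids(GOOD_TRAP))
```

Two practical points. The repaired message is one byte longer than the original, so in the captured packet the UDP length (0x008a), the IP total length (0x009e) and both checksums would change as well; the example only looks at the SNMP payload. And the decoder deliberately accepts non-minimal long forms on input while the encoder always emits the shortest one, which matches what RFC 3417 requires of an agent.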