This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello All,

Just starting out using Wireshark and I have all kinds of SNMP traffic from an inside source going to several destination IP addresses in the private subnet range that are not IPs that I use in my network. Why would these addresses show?

Thanks in advance.

asked 08 Apr '13, 07:01 by mccullrr


You should determine the source IP to see what kind of device it is. I have seen a couple of cases where laptops had printer drivers installed where the actual printer wasn't reachable but SNMP packets are still trying to get to them. This happens e.g. when a user installs a printer at home and brings the laptop to the company network. The laptop will try to contact the home printer (to check toner status and what not), and of course it will not receive an answer, but you'll still see the queries.

Another way to find out what happens is to google for the SNMP code that is queried, e.g. "1.3.7...". Often, you can find what kind of device is supposed to be contacted.

answered 08 Apr '13, 07:06 by Jasper ♦♦

A lot of server management software (Dell Server Manager, HP, etc.) or printer management software (HP, Samsung) or any other network management tool tries to monitor components with SNMP. Sometimes those systems come with pre-configured IP addresses.

I suggest looking at the SNMP requests and then searching the OID (Wireshark will tell you) via google. That should reveal some further information. If you can't find anything (or don't understand the SNMP protocol) you can post the capture file somewhere (google docs, dropbox, cloudshark.org - BEWARE privacy issues!).

BTW: What do you know about the system that sends the SNMP requests? Is that a server (possibly with nagios or similar) or a client machine?

Regards
Kurt

answered 08 Apr '13, 07:18 by Kurt Knochner ♦

edited 08 Apr '13, 07:27

Thanks guys. This is a web / file server and the info is showing get-request 1.3.6.1.2.1.1.2.0. Ah, you know what. It is running a software package called FMAudit that looks out and pulls data from printers on the network. Maybe that is causing this?

(08 Apr '13, 08:58) mccullrr

There are a few ways to test that... if FMAudit isn't critical then try to shut it down for some time to see if the SNMP packets disappear. If it is critical or you have someone who can tell you faster than looking at a trace, analyze its configuration to see if the target IPs you noticed are configured as objects that are queried.

(08 Apr '13, 11:43) Jasper ♦♦

OID 1.3.6.1.2.1.1.2.0 is the sysObjectID. So, that piece of software is probably trying to identify the type of the devices (printer) on a pre-configured subnet.

As @Jasper said, disable the FMAudit software and see what happens.

(08 Apr '13, 14:56) Kurt Knochner ♦
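The triage the answers and comments above describe (group the SNMP get-requests by source and destination, flag destinations outside the subnets you actually use, and resolve the queried OID to a name such as sysObjectID) can be scripted once the requests are exported from a capture. The script below is an added example, not code from the thread or from Wireshark; the request lines, the 10.1.1.0/24 "my network" range and the 1.3.6.1.4.1.99999.x OID are constructed for illustration. It expects tab-separated `source destination oid` lines, the shape you would get from `tshark -r capture.pcap -Y snmp -T fields -e ip.src -e ip.dst -e snmp.name` (field names assumed to match your Wireshark version; check them against the packet details pane).

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the tab-separated form "src\tdst\toid"; not real capture data.
SAMPLE_REQUESTS = """\
10.1.1.20\t192.168.0.10\t1.3.6.1.2.1.1.2.0
10.1.1.20\t192.168.0.11\t1.3.6.1.2.1.1.2.0
10.1.1.20\t10.1.1.50\t1.3.6.1.2.1.1.2.0
10.1.1.20\t10.1.1.50\t1.3.6.1.2.1.1.5.0
10.1.1.20\t192.168.0.12\t1.3.6.1.4.1.99999.1.1.0
"""

# Subnets that are legitimately in use; assumed value for this example.
MY_SUBNETS = [ipaddress.ip_network("10.1.1.0/24")]

# A few well-known OIDs from the MIB-II "system" group (RFC 1213), instance .0 appended.
KNOWN_OIDS = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.2.0": "sysObjectID",
    "1.3.6.1.2.1.1.3.0": "sysUpTime",
    "1.3.6.1.2.1.1.5.0": "sysName",
}


def parse_requests(text):
    """Parse 'src<TAB>dst<TAB>oid' lines into (src, dst, oid) tuples, skipping blanks and malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3:
            continue
        rows.append(tuple(parts))
    return rows


def oid_name(oid):
    """Map an OID to its MIB name; anything outside the small table needs a MIB lookup."""
    return KNOWN_OIDS.get(oid, "unknown (look up in the vendor MIB)")


def is_local(address, subnets):
    """True when the address falls inside one of the subnets we actually use."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in subnets)


def triage(text, subnets):
    """Summarise who is polling whom, which OIDs are requested, and which targets are foreign."""
    by_source = defaultdict(Counter)
    oids = Counter()
    foreign = set()
    for src, dst, oid in parse_requests(text):
        by_source[src][dst] += 1
        oids[oid_name(oid)] += 1
        if not is_local(dst, subnets):
            foreign.add(dst)
    return {
        "sources": {src: dict(targets) for src, targets in by_source.items()},
        "oids": dict(oids),
        "foreign_destinations": sorted(foreign, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_REQUESTS, MY_SUBNETS)
    for src, targets in report["sources"].items():
        print(f"{src} polls {len(targets)} target(s): {targets}")
    print("OIDs requested:", report["oids"])
    print("Targets outside my subnets:", report["foreign_destinations"])
```

A single source polling many addresses you do not own, all with the same sysObjectID request, is the pattern a device-discovery tool such as the one mentioned in the thread produces; the list of foreign destinations is what you would compare against the tool's configured scan ranges.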