Hello All, Just starting out using Wireshark and I have all kinds of SNMP traffic from an inside source going to several destination IP addresses in the private subnet range that are not IPs that I use in my network. Why would these addresses show? Thanks in advance. asked 08 Apr '13, 07:01 mccullrr
2 Answers:
You should determine the source IP to see what kind of device it is. I have seen a couple of cases where laptops had printer drivers installed where the actual printer wasn't reachable but SNMP packets were still trying to get to them. This happens e.g. when a user installs a printer at home and brings the laptop to the company network. The laptop will try to contact the home printer (to check toner status and what not), and of course it will not receive an answer, but you'll still see the queries. Another way to find out what happens is to google for the SNMP code that is queried, e.g. "1.3.7...". Often, you can find what kind of device is supposed to be contacted. answered 08 Apr '13, 07:06 Jasper
A lot of server management software (Dell Server Manager, HP, etc.) or printer management software (HP, Samsung) or any other network management tool tries to monitor components with SNMP. Sometimes those systems come with pre-configured IP addresses. I suggest looking at the SNMP requests and then searching the OID (Wireshark will tell you) via google. That should reveal some further information. If you can't find anything (or don't understand the SNMP protocol) you can post the capture file somewhere (google docs, dropbox, cloudshark.org - BEWARE privacy issues!). BTW: What do you know about the system that sends the SNMP requests? Is that a server (possibly with nagios or similar) or a client machine? Regards answered 08 Apr '13, 07:18 Kurt Knochner edited 08 Apr '13, 07:27
Thanks guys. This is a web / file server and the info is showing get-request 1.3.6.1.2.1.1.2.0. Ah, you know what: it is running a software package called FMAudit that looks out and pulls data from printers on the network. Maybe that is causing this?
There are a few ways to test that... if FMAudit isn't critical then try to shut it down for some time to see if the SNMP packets disappear. If it is critical or you have someone who can tell you faster than looking at a trace, analyze its configuration to see if the target IPs you noticed are configured as objects that are queried.
OID 1.3.6.1.2.1.1.2.0 is the sysObjectID. So, that piece of software is probably trying to identify the type of the devices (printer) on a pre-configured subnet.
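As an added example (not code from the original thread, nor from FMAudit or Wireshark): the triage Kurt and Jasper describe, done in a few lines of Python. It decodes an SNMPv1/v2c GetRequest straight from the UDP payload (BER), labels the well-known OID 1.3.6.1.2.1.1.2.0 as sysObjectID.0, and tallies which destinations a source is polling and with which community strings. The sample packet, the IP addresses and the small OID table are constructed for illustration; the packet is hand-encoded to match what the thread reports. Note that in v1/v2c the community string travels in cleartext, so a host that keeps probing unreachable printers is also broadcasting that string to whoever holds those addresses.

```python
"""Decode SNMPv1/v2c GetRequest PDUs (BER) and tally which OIDs a host asks
each destination for. Added example, not from the original thread."""

from collections import defaultdict

# Small table of well-known OIDs from the MIB-2 system group (RFC 3418).
WELL_KNOWN = {
    "1.3.6.1.2.1.1.1.0": "sysDescr.0",
    "1.3.6.1.2.1.1.2.0": "sysObjectID.0",
    "1.3.6.1.2.1.1.3.0": "sysUpTime.0",
    "1.3.6.1.2.1.1.5.0": "sysName.0",
}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_int(value):
    return int.from_bytes(value, "big", signed=True)


def _decode_oid(value):
    """BER OID: first octet packs the first two arcs (x*40+y); rest are base-128."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_snmp(packet):
    """Parse an SNMPv1/v2c message (UDP payload) into its security-relevant fields."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, req_id, pos = _read_tlv(pdu, 0)
    _, _err_status, pos = _read_tlv(pdu, pos)
    _, _err_index, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, vpos = [], 0
    while vpos < len(varbinds):
        _, vb, vpos = _read_tlv(varbinds, vpos)
        _, oid, _ = _read_tlv(vb, 0)       # the value (NULL in a request) is ignored
        oids.append(_decode_oid(oid))
    return {
        "version": VERSIONS.get(_decode_int(ver), "unknown"),
        "community": community.decode("latin-1"),   # cleartext on the wire in v1/v2c
        "pdu_type": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "request_id": _decode_int(req_id),
        "oids": oids,
    }


def describe_oid(oid):
    return WELL_KNOWN.get(oid, "not in local table; search the OID or use a MIB browser")


def summarise(flows):
    """flows: iterable of (src_ip, dst_ip, udp_payload). Groups requests by (src, dst)."""
    table = defaultdict(lambda: {"requests": 0, "oids": set(), "communities": set()})
    for src, dst, payload in flows:
        msg = decode_snmp(payload)
        entry = table[(src, dst)]
        entry["requests"] += 1
        entry["oids"].update(msg["oids"])
        entry["communities"].add(msg["community"])
    return dict(table)


# Constructed sample: SNMPv2c GetRequest, community "public", request-id 1234,
# asking for sysObjectID.0 (1.3.6.1.2.1.1.2.0) as reported in the thread.
SAMPLE_GET = bytes.fromhex(
    "3027"                    # SEQUENCE, 39 bytes follow
    "020101"                  # INTEGER version = 1 (v2c)
    "04067075626c6963"        # OCTET STRING "public"
    "a01a"                    # GetRequest PDU, 26 bytes
    "020204d2"                # request-id 1234
    "020100" "020100"         # error-status 0, error-index 0
    "300e" "300c"             # VarBindList, one VarBind
    "06082b06010201010200"    # OID 1.3.6.1.2.1.1.2.0
    "0500"                    # NULL value
)

# Constructed flows (addresses invented): one source polling two private addresses.
CONSTRUCTED_FLOWS = [
    ("192.168.1.20", "10.10.10.5", SAMPLE_GET),
    ("192.168.1.20", "10.10.10.6", SAMPLE_GET),
    ("192.168.1.20", "10.10.10.5", SAMPLE_GET),
]

if __name__ == "__main__":
    for (src, dst), e in summarise(CONSTRUCTED_FLOWS).items():
        names = ", ".join(f"{o} ({describe_oid(o)})" for o in sorted(e["oids"]))
        print(f"{src} -> {dst}: {e['requests']} request(s), community {e['communities']}, {names}")
```

The same per-destination tally can be produced from a real capture with tshark (fields ip.src, ip.dst, snmp.name, snmp.community) and fed into summarise() in place of the constructed flows; if every destination turns up with the same handful of system-group OIDs and the same community string, that is the discovery sweep of a management tool rather than anything the hosts themselves asked for.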
As @Jasper said. Disable the FMAudit software and see what happens.