Just starting out using Wireshark and I have all kinds of SNMP traffic from an inside source going to several destination IP addresses in the private subnet range that are not IPs that I use in my network. Why would these addresses show?
Thanks in advance.
asked 08 Apr '13, 07:01
You should determine the source IP to see what kind of device it is. I have seen a couple of cases where laptops had printer drivers installed where the actual printer wasn't reachable but SNMP packets are still trying to get to them. This happens e.g. when a user installs a printer at home and brings the laptop to the company network. The laptop will try to contact the home printer (to check toner status and what not), and of course it will not receive an answer, but you'll still see the queries.
Another way to find out what happens is to google for the SNMP code that is queried, e.g. "1.3.7...". Often, you can find what kind of device is supposed to be contacted.
answered 08 Apr '13, 07:06
A lot of server management software (Dell Server Manager, HP, etc.) or printer management software (HP, Samsung) or any other network management tool tries to monitor components with SNMP. Sometimes those systems come with pre-configured IP addresses.
I suggest to look at the SNMP requests and then search the OID (Wireshark will tell you) via google. That should reveal some further information. If you can't find anything (or don't understand the SNMP protocol) you can post the capture file somewhere (google docs, dropbox, cloudshark.org - BEWARE privacy issues!).
BTW: What do you know about the system that sends the SNMP requests? Is that a server (possibly with nagios or similar) or a client machine?
answered 08 Apr '13, 07:18
Kurt Knochner ♦
edited 08 Apr '13, 07:27
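Both answers come down to the same triage step: take the source, the destinations and the OIDs out of the SNMP requests, then look the OIDs up. As an added example (not code from this thread or from Wireshark), here is a small BER walker that pulls the requested OIDs out of raw SNMPv1/v2c UDP payloads and groups them per source/destination pair; the three packets are hand-encoded constructed samples that mirror the laptop-polling-a-home-printer scenario, and the addresses and community string are made up.

```python
from collections import defaultdict
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest",
             0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}
def _tlv(buf, pos):  # read one BER TLV at buf[pos] -> (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits say how many length bytes follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # yield the (tag, value) pairs nested inside a constructed BER value
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def decode_oid(raw):  # BER OID bytes -> dotted form (first byte packs two arcs, rest are base-128)
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 group
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def parse_snmp(payload):  # version, community, PDU type and varbind OIDs of one SNMPv1/v2c message
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMPv1/v2c message")
    (_, ver), (_, community), (pdu_tag, pdu) = _children(msg)
    vb_list = list(_children(pdu))[3][1]  # skip request-id, error-status, error-index
    oids = [decode_oid(next(_children(vb))[1]) for _, vb in _children(vb_list)]
    return {"version": ver[0], "community": community.decode(),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def summarize(packets):  # (src, dst) -> sorted unique OIDs that source asks that destination for
    seen = defaultdict(set)
    for src, dst, payload in packets:
        seen[(src, dst)].update(parse_snmp(payload)["oids"])
    return {k: sorted(v) for k, v in seen.items()}
# Constructed samples (hand-encoded, not from a real capture): 10.0.0.15 polling two off-subnet IPs.
SAMPLE_PACKETS = [
    ("10.0.0.15", "192.168.1.50", bytes.fromhex(  # v1 GetRequest for sysDescr.0
        "30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19 02 01 01 02 01 00 02 01 00"
        "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")),
    ("10.0.0.15", "192.168.1.50", bytes.fromhex(  # v2c GetRequest for a Printer-MIB style OID
        "30 2a 02 01 01 04 06 70 75 62 6c 69 63 a0 1d 02 01 02 02 01 00 02 01 00"
        "30 12 30 10 06 0c 2b 06 01 02 01 2b 0b 01 01 09 01 01 05 00")),
    ("10.0.0.15", "172.16.5.10", bytes.fromhex(  # v2c GetNextRequest for sysUpTime.0
        "30 26 02 01 01 04 06 70 75 62 6c 69 63 a1 19 02 01 03 02 01 00 02 01 00"
        "30 0e 30 0c 06 08 2b 06 01 02 01 01 03 00 05 00")),
]
```

The dotted OIDs `summarize()` returns are the same values Wireshark shows in the varbind names of its SNMP dissector, so each one can be searched as both answers suggest; a per-destination list also makes it obvious which off-subnet addresses are being polled and for what.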