This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi

Can someone please advise how I can trace udp snmptrap/162 port on a Windows 7 PRO system using wireshark as I never see anything, using udp.port==162 filter or no filter (capturing everything).

Using Windows sysinternals process monitor I can see the following when monitoring SNMP trap snmptrap.exe service:

Date: 27/02/2014 16:28:58
Thread: 0
Class: Network
Operation: UDP Receive
Result: SUCCESS
Path: FQDN:snmptrap -> FQDN:49589
Duration: 0.000000

Length: 43
seqnum: 0
connid: 0

Any ideas please,

I can see the trap using snmputil.exe from windows resource kit:

Incoming Trap:
  generic    = 6
  specific   = 1
  enterprise = .iso.org.dod.internet.private.enterprises.2854
  agent      = 192.168.154.114
  source IP  = 192.168.154.114
  community  = public

Thank you,

Best Regards - Colin

asked 27 Feb '14, 09:00

Colin's gravatar image

Colin
11113
accept rate: 0%

edited 28 Feb '14, 07:10

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237


As you did not say where and how you captured the traffic, I'll have to assume several things, which is not good. It would have been better, if you had added that information in the first place ;-)

Case #1: You captured on the SNMP client
In this case, you're not seeing outgoing traffic (SNMP trap sender -> SNMP trap receiver). This has been reported in many other cases. Very often the problem has been some interfering software like AV, IDS, VPN client, Firewall, Endpoint Security (especially Symantec). If there is any security software running on the capturing system, try to disable or uninstall that software and then repeat your tests. If disabling/uninstalling is not an option, you need a different system (without that software) to capture traffic, like a bootable Linux CDROM or USB flash drive (see Kali Linux).

See also: http://ask.wireshark.org/tags/outgoing/

Case #2: You captured on the SNMP server, aka SNMP trap receiver
In this case, you're not seeing incoming traffic (SNMP traps coming in). Well, it could be interfering software as well, so see case #1. But more often the problem is that the traffic is simply not reaching the target system. Please double check that everything is setup correctly.

Case #3: You captured on a system where you sent SNMP traps to the same system (localhost) for testing.
In this case, you cannot see that traffic in Wireshark, as WinPcap is unable to capture localhost traffic. What you need is RawCap.

If none of the above cases apply, please add more details about your environment.

Regards
Kurt

permanent link

answered 28 Feb '14, 07:22

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Hi Kurt,

Thank you for your reply. I'm running everything locally on a Windows 7 PRO PC, trapgen.exe -d 192.168.154.114 (third party tool) to generate trap and snmputil.exe (Windows resource kit) trap to capture; Microsoft Sysinternals Windows Process explorer to doubly verify.

I've repeated my test with rawcap.exe capturing the local lan interface, not localhost as that has static IP 192.168.154.114 bound and I specify that IP in my trap test, I'm pleased to report that rawcap.exe consistently captures the snmptrap; but with wireshark and its default winpcap it does not appear to capture snmptrap; latest stable and development releases tried.

I do have Symantec Endpoint Protection (SEP) enforced by GPO, can’t disable it even though I’m a member of local administrator group, :-(.

Best Regards - Colin

(02 Mar '14, 23:22) Colin

I’m fairly sure, but need to double check, that windows netmon tool also didn't capture snmptrap, so interesting to find that rawcap.exe did.

(02 Mar '14, 23:27) Colin

WinPCap does not capture "localhost" traffic, the OS doesn't allow the traffic to get down the stack to the point where WinPCap can see it. See the Loopback capture wiki page for more info.

(03 Mar '14, 02:04) grahamb ♦

Aha I think I understand, I have confused reference to "localhost" with "loopback" 127.0.0.1; "localhost" refers to all interfaces on localhost. Thank you.

(03 Mar '14, 03:38) Colin

Actually 'localhost' refers to intra system traffic, regardless of the IP address used (127.0.0.1 or 192.168.154.114), as long as the sender and recipient is the same system.

(03 Mar '14, 10:32) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×166
×69
×4
×1

question asked: 27 Feb '14, 09:00

question was seen: 7,335 times

last updated: 03 Mar '14, 10:32

p​o​w​e​r​e​d by O​S​Q​A