This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MATE snmp session

0

I need to examine SNMP sessions that are longer than 30 seconds.

I'm using this mate.config:

Pdu snmp_pdu Proto snmp Transport udp/ip {
    Extract addr From ip.addr;
    Extract port From udp.port;
    Extract oid From snmp.name;
    Extract snmp_data From snmp.data;
};
Gop snmp_ses On snmp_pdu Match (addr, addr, port, port){
    Start();
    Stop(never);
};
Done;

So in one Gop I have all packets with the same addr and ports. But after a while (2-3 minutes) I have other SNMP packets with the same ports, so they go into the same Gop and I can't use the mate.snmp_ses.Duration>30 filter. What conditions do I need to group SNMP sessions?

asked 04 Mar '14, 06:38


Fullmetal8ender


One Answer:

0

So you're saying the first group of packets had an end and a new group started (or at least you want them in different GoPs)?

In that case you'll need some kind of Stop() condition other than "never". I don't know enough about SNMP to know what, if anything, you could use to do that.

(BTW I don't think you need to say "addr, addr" and "port, port" in the GoP match; just "addr, port" would be sufficient.)

answered 12 Mar '14, 17:45


JeffMorriss ♦
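
The following Python is an added example, not code from either poster or from Wireshark. It groups constructed packet records by the same address and port pairs as the Gop key above and shows how a group that never closes merges two polling bursts into one long "session", while closing a group after an idle gap keeps them apart. The idle-gap rule, the 60-second value and all sample packets are assumptions; the page itself names no stop condition.

```python
# Constructed sample: (timestamp_s, src_ip, src_port, dst_ip, dst_port).
# Two polling bursts reuse the same addresses and ports about 150 s apart.
PACKETS = [
    (0.0, "10.0.0.5", 40000, "10.0.0.9", 161),
    (0.2, "10.0.0.9", 161, "10.0.0.5", 40000),
    (4.0, "10.0.0.5", 40000, "10.0.0.9", 161),
    (4.1, "10.0.0.9", 161, "10.0.0.5", 40000),
    (150.0, "10.0.0.5", 40000, "10.0.0.9", 161),
    (150.3, "10.0.0.9", 161, "10.0.0.5", 40000),
    (185.0, "10.0.0.5", 40000, "10.0.0.9", 161),
    (185.2, "10.0.0.9", 161, "10.0.0.5", 40000),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key, analogous to Match (addr, addr, port, port)."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def sessions(packets, idle_gap=None):
    """Group packets per flow key. A new session starts when the gap since the
    previous packet of that key exceeds idle_gap (None means never split)."""
    open_sessions = {}   # key -> [first_ts, last_ts, packet_count]
    finished = []
    for ts, src, sport, dst, dport in sorted(packets):
        key = flow_key(src, sport, dst, dport)
        cur = open_sessions.get(key)
        if cur and idle_gap is not None and ts - cur[1] > idle_gap:
            finished.append((key, *cur))   # close the idle session
            cur = None
        if cur is None:
            open_sessions[key] = [ts, ts, 1]
        else:
            cur[1] = ts
            cur[2] += 1
    finished.extend((key, *cur) for key, cur in open_sessions.items())
    return sorted(finished, key=lambda s: s[1])

def longer_than(sess, seconds):
    """Return (start, end, packets) for sessions lasting more than `seconds`."""
    return [(first, last, n) for _, first, last, n in sess if last - first > seconds]

if __name__ == "__main__":
    print("never closed :", longer_than(sessions(PACKETS), 30))
    print("60 s idle gap:", longer_than(sessions(PACKETS, idle_gap=60), 30))
```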