This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter out duplicate SNMP Request

0

Hi, I'm using Wireshark to solve a SNMP problem. I have some large pcap-files full of SNMP traffic. Some SNMP Requests have the same SNMP Request-ID. Is it possible to filter out duplicate SNMP Request IDs with a display filter or is there a solution with tshark?

Thanks for your help!

asked 31 Mar '11, 11:54

DrJekyll's gravatar image

DrJekyll
612
accept rate: 0%

2 Answers:

1

Hey, did someone say 'tshark'? :-)

Yes, you can achieve what you want with tshark and some command line tools (I can't think of a way to do it within Wireshark):

$ tshark -r tmp.cap -R snmp -T fields -e snmp.request_id 
1614590690
1614590690
1614590690
1614590690
$

As you can see, my tmp.cap file does indeed have a duplicate request-id. You can now get a list of all duplicate request-id's by piping the output through 'sort' and 'uniq -d':

$ tshark -r tmp.cap -R snmp -T fields -e snmp.request_id | sort | uniq -d
1614590690
$

(uniq -d just lists duplicate entries, see 'man uniq')

If you are running tshark on Windows, you can install Cygwin to get a (bash) shell and command line tools.

answered 31 Mar '11, 13:03

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks SYNbit. This looks great. I will try it out! Why couldn't I remember these helpful, little unix tools... :-)

(31 Mar '11, 13:10) DrJekyll

0

Maybe you captured duplicate frames by mirroring more than one switch port or spanning a VLAN. You can try to remove duplicates by running your trace through editcap (installed together with Wireshark) using the -d parameter:

editcap -d <infile> <outfile>

The outfile should contain no more duplicates. You may have to adjust editcap's performance using -D or -w, check editcap -hfor a list of parameters.

answered 31 Mar '11, 12:42

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Hi Jasper, thanks for your quick response. I don't have duplicate frames. The SNMP Server repeats his requests with the same request id when he didn't get a reply to a request. I just need the request id which are duplicate.

(31 Mar '11, 12:51) DrJekyll

In that case it may be possible to find those by using the export menu to save the packet list to a CSV file and import that into an excel file or a database. I'd make sure to add a custom column containing the ID (if there is a display filter that reports those, I have no SNMP trace atm) so that it gets exported with the rest. Then you can use makros or database statements to find your duplicate IDs, but don't ask me how to program excel, it's not in my current skillset - maybe just sorting by ID column can help :-)

(31 Mar '11, 12:54) Jasper ♦♦

Probably I will have to do something like this. Can't find a wireshark solution.

(31 Mar '11, 13:00) DrJekyll

I added a column for snmp.request_id field. But the field is always empty. Perhaps there is a bug in wireshark :-(

(31 Mar '11, 13:04) DrJekyll

Which version are you running, it works fine on 1.5.0 SVN 36017 (development version)

(31 Mar '11, 13:09) SYN-bit ♦♦

I'm still using 1.4.0. I will update...

(31 Mar '11, 13:11) DrJekyll
showing 5 of 6 show 1 more comments