This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Form Snmptrap command from Wireshark capture

0

Hey guys, I was hunting forum posts to see if something similar was ever asked and did not find it already...

I am working to reproduce an issue in my monitoring system and to do so, it would greatly help if I could use snmptrap to send an identical trap as the device I'm troubleshooting.

I wanted to ask and see if there was already an easy to follow guide that explains how to read the capture from wireshark and formulate a snmptrap command to mimic the trap.

I am rather green with Wireshark and snmptrap, so any advice is appreciated.

asked 10 Jun '14, 14:39


BenB
accept rate: 0%


One Answer:

1

It would work for SNMP v1 and v2 traps, but not for v3 traps (due to the authentication). So, here is how I would do it. I can't write the whole script for you, as that's quite some work...

First, 'print' the content of the SNMP trap frames with tshark and pipe the output into your script (you'll have to write that!).

tshark -nr input-snmpv1-trap.pcap -Y "snmp.trap" -V | yourscript.pl

Result of tshark:

User Datagram Protocol, Src Port: 1040 (1040), Dst Port: 162 (162)
    Source port: 1040 (1040)
    Destination port: 162 (162)
    Length: 66
    Checksum: 0x823c [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Simple Network Management Protocol
    version: version-1 (0)
    community: public
    data: trap (4)
        trap
            enterprise: 1.3.6.1.4.1.4.1.2.21 (iso.3.6.1.4.1.4.1.2.21)
            agent-addr: 127.0.0.1 (127.0.0.1)
            generic-trap: coldStart (0)
            specific-trap: 0
            time-stamp: 0
            variable-bindings: 1 item
                1.3.6.1.2.1.2.1.0: 
                    Object Name: 1.3.6.1.2.1.2.1.0 (iso.3.6.1.2.1.2.1.0)
                    Value (Integer32): 33

Second: within your script, look for the SNMP 'parameters' needed to form the snmptrap command, which are (just some examples):

version: version-1 (0)
community: public
Object Name: 1.3.6.1.2.1.2.1.0 (iso.3.6.1.2.1.2.1.0) Value (Integer32): 33

Unfortunately, SNMPv1 traps look different from SNMPv2 traps, and the same holds true for the snmptrap commands (see the man page). Furthermore, there are several value types (int32, etc.) which you'll have to translate to snmptrap parameters.

Result: Yes, it's possible to create a snmptrap command based on the capture file, but the script that parses the tshark output has to do 'some work' to make it happen.

Regards
Kurt

answered 12 Jun '14, 06:44


Kurt Knochner ♦
accept rate: 15%

Thanks Kurt! This was extremely helpful, I'll get to writing the script, and then post my results.

(19 Jun '14, 14:21) BenB
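As an added example (not from the original post and not Kurt's or BenB's script), here is a Python version of the parser Kurt describes: it reads `tshark -V` output, collects the version, community, v1 trap header fields and the variable bindings, translates tshark's value types to snmptrap's one-letter TYPE codes, and prints the matching `snmptrap` invocation for both the v1 and the v2c layout. Assumptions: the field labels match the tshark output shown in the answer (the v2c trap in the sample is constructed in the same layout, not captured from a device); the destination host is a parameter, because the IP layer is not part of the excerpt; and the OctetString handling is a guess at how different Wireshark releases render strings.

```python
import re
import shlex

# tshark "Value (<type>)" label -> one-letter TYPE accepted by snmptrap(1): i INTEGER,
# u UNSIGNED, c COUNTER32, t TIMETICKS, a IPADDRESS, o OBJID, n NULL. OctetString is
# mapped to s STRING / x HEX STRING by octet_string_code; any other type is refused, not guessed.
TYPE_CODES = {"Integer32": "i", "Unsigned32": "u", "Gauge32": "u", "Counter32": "c",
              "TimeTicks": "t", "IpAddress": "a", "OID": "o", "Null": "n"}
VERSION_FLAGS = {0: "1", 1: "2c"}   # Wireshark version number -> snmptrap -v; v3 left out on purpose
SYS_UPTIME_0, SNMP_TRAP_OID_0 = "1.3.6.1.2.1.1.3.0", "1.3.6.1.6.3.1.1.4.1.0"

def octet_string_code(raw):
    # Wireshark prints OctetString as quoted text or as hex depending on release (assumption)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "s", raw[1:-1]
    return ("x", raw.replace(":", "")) if re.fullmatch(r"(?:[0-9a-fA-F]{2}:?)+", raw) else ("s", raw)

def parse_tshark_traps(text):
    """One dict per SNMP PDU in `tshark -V` output; varbinds are [oid, type, value]."""
    traps, trap = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Simple Network Management Protocol":
            trap = {"varbinds": []}
            traps.append(trap)
        elif trap is None:
            continue                                    # still in the Ethernet/IP/UDP layers
        elif m := re.fullmatch(r"version: \S+ \((\d+)\)", line):
            trap["version"] = int(m.group(1))
        elif m := re.fullmatch(r"community: (.*)", line):
            trap["community"] = m.group(1)
        elif m := re.fullmatch(r"(enterprise|agent-addr): (\S+).*", line):
            trap[m.group(1)] = m.group(2)
        # "generic-trap: coldStart (0)", "specific-trap: 0", "time-stamp: 0" -> keep the number
        elif m := re.fullmatch(r"(generic-trap|specific-trap|time-stamp): (?:\S+ \()?(\d+)\)?", line):
            trap[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"Object Name: (\S+).*", line):
            trap["varbinds"].append([m.group(1), None, None])
        elif (m := re.fullmatch(r"Value \((\w+)\):? ?(.*)", line)) and trap["varbinds"]:
            vtype, val = m.group(1), m.group(2).strip()
            if vtype == "OctetString":
                code, val = octet_string_code(val)
            elif vtype in TYPE_CODES:
                code, val = TYPE_CODES[vtype], val.split(" ")[0]   # drop the "(iso...)" suffix
            else:
                raise ValueError(f"no snmptrap type mapping for {vtype}")
            trap["varbinds"][-1][1:] = [code, val]
    return traps

def build_snmptrap_command(trap, target="localhost:162"):
    """snmptrap(1) line for one parsed PDU; the IP layer is not in the excerpt, so target is a parameter."""
    flag = VERSION_FLAGS.get(trap.get("version"))
    if flag is None:
        raise ValueError("only SNMPv1/v2c traps replay with -c; v3 needs the sender's USM credentials")
    argv = ["snmptrap", "-v", flag, "-c", trap["community"], target]
    varbinds = trap["varbinds"]
    if flag == "1":   # v1 positionals: enterprise agent-addr generic-trap specific-trap uptime
        argv += [trap[k] for k in ("enterprise", "agent-addr", "generic-trap", "specific-trap", "time-stamp")]
    else:             # v2c positionals: uptime trapoid; snmptrap adds sysUpTime.0/snmpTrapOID.0 itself
        named = {oid: val for oid, _, val in varbinds}
        if SNMP_TRAP_OID_0 not in named:
            raise ValueError("v2c trap without an snmpTrapOID.0 varbind")
        argv += [named.get(SYS_UPTIME_0, ""), named[SNMP_TRAP_OID_0]]
        varbinds = [v for v in varbinds if v[0] not in (SYS_UPTIME_0, SNMP_TRAP_OID_0)]
    for oid, code, val in varbinds:
        argv += [oid, code, val]
    return shlex.join(argv)

# Constructed sample: the v1 trap from the answer above, plus a v2c linkDown trap laid out
# the same way (not captured from a real device).
SAMPLE = """\
Simple Network Management Protocol
    version: version-1 (0)
    community: public
            enterprise: 1.3.6.1.4.1.4.1.2.21 (iso.3.6.1.4.1.4.1.2.21)
            agent-addr: 127.0.0.1 (127.0.0.1)
            generic-trap: coldStart (0)
            specific-trap: 0
            time-stamp: 0
                    Object Name: 1.3.6.1.2.1.2.1.0 (iso.3.6.1.2.1.2.1.0)
                    Value (Integer32): 33
Simple Network Management Protocol
    version: v2c (1)
    community: public
                    Object Name: 1.3.6.1.2.1.1.3.0 (iso.3.6.1.2.1.1.3.0)
                    Value (TimeTicks): 12345
                    Object Name: 1.3.6.1.6.3.1.1.4.1.0 (iso.3.6.1.6.3.1.1.4.1.0)
                    Value (OID): 1.3.6.1.6.3.1.1.5.3 (iso.3.6.1.6.3.1.1.5.3)
                    Object Name: 1.3.6.1.2.1.2.2.1.1.2 (iso.3.6.1.2.1.2.2.1.1.2)
                    Value (Integer32): 2
"""

if __name__ == "__main__":
    for trap in parse_tshark_traps(SAMPLE):
        print(build_snmptrap_command(trap))
```

To run it against a real capture, replace `SAMPLE` with `sys.stdin.read()` and pipe `tshark -nr trap.pcap -Y snmp.trap -V` into it, as in Kurt's command. Two things to keep in mind when the replay still does not reproduce the issue: for v2c the sysUpTime.0 and snmpTrapOID.0 bindings are handed to snmptrap as its uptime and trapoid arguments rather than repeated as varbinds (otherwise the trap would carry them twice), and `snmptrap` sends from the IP address of the machine you run it on, so a monitoring system that keys on the source address (rather than on the v1 agent-addr field, which is copied from the capture) will see a different sender than it did for the original device.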