This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to match oid-value pairs in tshark with variable-bindings

0

Let's say I have a set-request with 3 variable-bindings. The first OID is set to an int, the second OID is set to an octet string, and the third OID is set to an int. When I use tshark to write the pcap to a CSV file, I use the following command:

tshark -r C:\mypcap.pcapng -Y "frame.number==24 and !snmp.value.null" -T fields -e snmp.value.int -e snmp.value.octets -E header=y -E separator=,

This prints out all the data I need; however, it is impossible to see what OIDs match up with what values, since the values are printed in order based on type and not OID. So the result of the above query would show int, int, octet string when the actual order in the packet is int, octet string, int. Is there a different display filter combination for variable-bindings that will show me what each OID was set to?

asked 11 Jan '15, 17:56

lp4968


One Answer:

0

I have prepared a short Groovy script to cover this issue. In my case I convert pcap files to snmpset scripts. I am extracting OID, int, g32 and octet values. Then I check the OID type with the snmptranslate command. Finally, when I know the type, I take the first value from the concrete type.

I can share my script if you are interested.

The prerequisite is that you have the snmp tools package installed on your system and have all the MIBs you are interested in.

answered 12 Jan '16, 04:52

Bartosz Mich...
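
The pairing approach described in the answer above, as an added Python example (not the answerer's Groovy script): each OID takes the next unused value from the column of its type. It assumes tshark output with the columns `snmp.name`, `snmp.value.int` and `snmp.value.octets`, a tab between columns and commas between repeated occurrences; the OIDs, the sample row and the `OID_FIELD` type map (standing in for the snmptranslate lookup) are constructed.

```python
from collections import deque

# Constructed stand-in for the snmptranslate/MIB lookup the answer describes:
# maps each OID to the tshark field that carries its value type.
OID_FIELD = {
    "1.3.6.1.4.1.99999.1.1.0": "snmp.value.int",
    "1.3.6.1.4.1.99999.1.2.0": "snmp.value.octets",
    "1.3.6.1.4.1.99999.1.3.0": "snmp.value.int",
}

# Assumed column order of the tshark field output (one -e per column).
COLUMNS = ["snmp.name", "snmp.value.int", "snmp.value.octets"]

# Constructed row: tab between columns, comma between repeated occurrences.
SAMPLE_ROW = (
    "1.3.6.1.4.1.99999.1.1.0,1.3.6.1.4.1.99999.1.2.0,1.3.6.1.4.1.99999.1.3.0"
    "\t5,7\t65:74:68:30"
)


def pair_varbinds(row, columns=COLUMNS, oid_field=OID_FIELD, sep="\t", agg=","):
    """Return (oid, field, value) triples in the packet's varbind order."""
    cells = row.rstrip("\r\n").split(sep)
    if len(cells) != len(columns):
        raise ValueError(f"expected {len(columns)} columns, got {len(cells)}")
    per_col = {c: [v for v in cell.split(agg) if v] for c, cell in zip(columns, cells)}
    oids = per_col.pop("snmp.name")
    # One FIFO queue per value type; each type column is in packet order.
    queues = {c: deque(vals) for c, vals in per_col.items()}
    pairs = []
    for oid in oids:
        field = oid_field.get(oid)
        if field is None:
            raise KeyError(f"no type known for OID {oid}")
        if not queues.get(field):
            # Null value, or the type map disagrees with what was on the wire.
            raise ValueError(f"no {field} value left for OID {oid}")
        pairs.append((oid, field, queues[field].popleft()))
    leftover = {c: list(q) for c, q in queues.items() if q}
    if leftover:
        raise ValueError(f"unmatched values: {leftover}")
    return pairs


if __name__ == "__main__":
    for oid, field, value in pair_varbinds(SAMPLE_ROW):
        print(oid, field, value)
```

A type map that does not match the capture raises an error instead of silently shifting values onto the wrong OID.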