This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

~/.wireshark/snmp_users Example

0

Hi, can somebody provide me with an example of the ~/.wireshark/snmp_users file for decrypting SNMPv3? I'm running tshark version 1.10.14. I tried the example for 1.0.3 but it is not working any more and I'm getting the following error:

tshark: Error loading table 'SNMP Users': snmp_users:28: unexpected char ' ' while looking for field engine_id

Thanks in advance.

asked 02 Mar '16, 01:33


omadon
accept rate: 0%


2 Answers:

1

It's not so much a question of OS but of the Wireshark/dissector version... 1.0 is too old and 2.0.2 may be too new as compared to your 1.10.14.

Here you go for 2.0.2:

# This file is automatically generated, DO NOT MODIFY.
e3e3e3e3,"username","MD5","auth_password","DES","privacy_passwd"

The corresponding column headers are

Engine ID (hex string required), username, authentication model (MD5 or SHA1), password (position of the column implies that it is used for authentication), privacy protocol (DES, AES, AES192, AES256), and "privacy password".

answered 02 Mar '16, 04:15


sindy
accept rate: 24%

Many thanks. It is working perfectly.

(02 Mar '16, 04:22) omadon

I've made it an Answer so that you could accept it (using the checkmark icon, not the thumbs up one, please).

(02 Mar '16, 04:25) sindy

@sindy,

Since you appear to have the magic info could you update the Wiki page?

(02 Mar '16, 05:29) grahamb ♦

@grahamb, I wouldn't mind doing so if I wasn't lacking the info about the purpose of the Engine ID column. If you take a closer look at the current state of the Wiki, you'll notice that the current example is basically correct - it does contain that column, and the description below also mentions it. The issue is that in the example, the column is empty (so the line starts with a comma). That would suggest that the value used to be optional in the past but isn't any more. To describe something on Wiki, I'd much prefer to know what I am talking about - what is the real role of the column (I suppose it is the key to select the proper row but I am not sure about it) and why the value has become mandatory somewhere between 1.0 and 1.10.14.

If you think all the above is not necessary, then the only modification required is to add a bogus hex string to the first column of the example.

(02 Mar '16, 06:04) sindy

More than that, the GUI Wireshark in 2.0.2 does permit the column to be empty, and saves the snmp_users file exactly the same way in such case (i.e. the line begins with a comma, no white space character in front of it). And on the next start, it doesn't complain and loads the row.

So after all it may even be that the configuration parser of 1.10.14 was too strict and the example is still valid, which would mean that the part of information on the Wiki which needs update would be exactly the explanation of the EngineID role.

(02 Mar '16, 06:14) sindy

As far as I can make out, this field is the engine ID in hex digits as specified in RFC3411.

(02 Mar '16, 06:58) grahamb ♦

That's not my point :-) My point is how the dissector uses the column in the decryption process and eventual consequences of its absence. I don't want to publish speculations on Wiki, and I am not fluent in C enough to read the SNMP dissector source and be sure I've understood it properly.

As said (less exactly), I suppose that, like in case of some other decryptions, Wireshark attempts decryption using, one by one until it succeeds, all rows in the table whose Engine ID is empty as well as all rows whose Engine ID matches the one of the captured packet, but it may not be the case if the success of the decryption cannot be unambiguously recognized. Whoever can reliably find the real behaviour in the dissector source is better qualified than me to edit this part of the Wiki.

(02 Mar '16, 07:13) sindy

Using the sample SNMPv3 capture, I've found that the Engine ID field can be left blank, in which case the username and credentials will be attempted on all encrypted messages with that username, regardless of the Engine ID, or it can be set to the hex string corresponding to a particular Engine ID, as per the snmp.msgAuthoritativeEngineID field (displayed as msgAuthoritativeEngineID) in an SNMP PDU, to restrict the decryption using that particular set of credentials to PDUs containing that field value.

(02 Mar '16, 07:43) grahamb ♦

I've updated the Wiki page with the info I've found.

(02 Mar '16, 07:56) grahamb ♦

0

Does the Wiki page for SNMP offer any help? It does note that the users file there is outdated though.

Can't you edit the snmp preferences in the GUI and then see what users file that produces?

answered 02 Mar '16, 03:01


grahamb ♦
accept rate: 22%

edited 02 Mar '16, 04:09

Unfortunately I don't have the GUI, I have only the CLI version of Wireshark.

I used examples from your link but they are not working.

(02 Mar '16, 03:34) omadon

Don't you have another machine you can run the GUI on, and then copy the users file over?

(02 Mar '16, 03:51) grahamb ♦

Nope, I was hoping that somebody with the Linux version of Wireshark and the GUI would do me a favor :-)

(02 Mar '16, 03:55) omadon