Hi All, How do I get Wireshark to decode the octet strings circled red as ASCII? Many thanks in advance! asked 14 Mar '17, 05:00 Dmitriy edited 14 Mar '17, 08:41
One Answer:
You'll need to supply the MIB for the relevant OIDs. See the Wireshark Wiki page on SNMP for more info. answered 14 Mar '17, 05:40 grahamb ♦
Many thanks: just realised they're custom, so no surprise )
Just tried linking all 3 MIBs (BROADHOP-MIB, BROADHOP-NOTIFICATION-MIB, BROADHOP-QNS-MIB) as explained w/o any luck:
"in the "Preferences" dialog opened by the "Edit ==> Preferences" menu item, under the topic "Name resolution", you will find a button "SMI (MIB and PIB) Modules" which opens an editing window where you can add/remove modules. The name of the file you add to the "mibs" directory mentioned above must be the same as the module name itself (found in the MIB itself at the start, just before "DEFINITIONS ::=BEGIN")."
I cannot see my OIDs in any of the MIBs though. Should they show up there exactly as they are, e.g. 1.3.6.1.4.1.26878.100.1.1.7?
MIBs are usually part of a hierarchy, so at the top of the MIB there will be an IMPORTS section that imports definitions from other MIBs, then there will be definitions that add on to those imports. So the OID 1.3.6.1.4.1 is enterprises from RFC1155-SMI, which also defines iso, org, dod, internet, private, which is the 1.3.6.1.4 part; 26878 is the organisation (BROADHOP), probably in the BROADHOP-MIB; and then the 100.1.1.7 will be defined in parts in the series of BROADHOP MIBs.
There are various MIB explorer tools that will show the OIDs in a GUI, or you can parse the MIB files by hand. Wireshark will require all MIB files in the chain to resolve a specific OID.
Thank you - I think I can decode them manually now:
BROADHOP-MIB file starts with this, referring to SNMPv2-SMI as you mentioned:
BROADHOP-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, enterprises, Integer32
        FROM SNMPv2-SMI
    DisplayString
        FROM SNMPv2-TC;
Further down I can see 26878 defined:
broadhop MODULE-IDENTITY
...<removed>...
and then the next 3 positions:
broadhopCommon OBJECT IDENTIFIER ::= { broadhop 100 }
broadhopCommonNotificationsGroup OBJECT IDENTIFIER ::= { broadhopCommon 1 }
broadhopNotificationParameters OBJECT IDENTIFIER ::= { broadhopCommonNotificationsGroup 1 }
and finally individual parameters, e.g. 7 is broadhopComponentName, 8 is broadhopComponentTime and so on.
Now wondering why Wireshark cannot do the same automatically...
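To make the manual walk above repeatable, here is an added Python example (it is not from the thread, from Wireshark or from libsmi): it pulls the "::= { parent n }" assignments out of a MIB module, seeds the tree with the RFC1155-SMI prefix the module imports rather than defines, resolves the numeric OID to a name, and renders an OCTET STRING value as text only when the resolved object's SYNTAX is DisplayString, which is the rule Wireshark applies once the MIB is loaded. The MIB text is constructed: the OBJECT IDENTIFIER assignments are the ones quoted in the thread, while the "::= { enterprises 26878 }" clause and the OBJECT-TYPE bodies for positions 7 and 8 (including their DisplayString syntax) are assumptions, since the poster elided them. The regex parser is deliberately minimal and is not a conforming SMI parser.

```python
import re

# Constructed MIB excerpt. The OBJECT IDENTIFIER lines are as quoted in the thread;
# the MODULE-IDENTITY value clause and the two OBJECT-TYPE bodies are ASSUMED,
# because the poster removed them from the quote.
BROADHOP_MIB = """
BROADHOP-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, enterprises, Integer32
        FROM SNMPv2-SMI
    DisplayString
        FROM SNMPv2-TC;

broadhop MODULE-IDENTITY
    LAST-UPDATED "201703140000Z"
    ORGANIZATION "constructed for the example"
    CONTACT-INFO "constructed for the example"
    DESCRIPTION  "constructed for the example"
    ::= { enterprises 26878 }

broadhopCommon OBJECT IDENTIFIER ::= { broadhop 100 }
broadhopCommonNotificationsGroup OBJECT IDENTIFIER ::= { broadhopCommon 1 }
broadhopNotificationParameters OBJECT IDENTIFIER ::= { broadhopCommonNotificationsGroup 1 }

broadhopComponentName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "assumed: name of the reporting component"
    ::= { broadhopNotificationParameters 7 }

broadhopComponentTime OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "assumed: time reported by the component"
    ::= { broadhopNotificationParameters 8 }
END
"""

# Prefix from RFC1155-SMI / SNMPv2-SMI; the module imports these, it does not define them.
ROOT = {
    "iso": "1", "org": "1.3", "dod": "1.3.6", "internet": "1.3.6.1",
    "private": "1.3.6.1.4", "enterprises": "1.3.6.1.4.1",
}

# name KIND ... ::= { parent arc }, with KIND limited to the forms that assign an OID.
ASSIGNMENT = re.compile(
    r"^(\w+)\s+(OBJECT IDENTIFIER|OBJECT-TYPE|MODULE-IDENTITY|NOTIFICATION-TYPE)\b"
    r"(.*?)::=\s*\{\s*(\w+)\s+(\d+)\s*\}",
    re.MULTILINE | re.DOTALL,
)
SYNTAX = re.compile(r"\bSYNTAX\s+([\w-]+)")


def parse_mib(text):
    """Return ({name: dotted OID}, {name: SYNTAX}) for every assignment in one module."""
    # Drop the IMPORTS list so its keywords are not mistaken for definitions.
    body = re.sub(r"IMPORTS.*?;", "", text, count=1, flags=re.DOTALL)
    names = dict(ROOT)
    syntaxes = {}
    for name, kind, middle, parent, arc in ASSIGNMENT.findall(body):
        if parent not in names:
            # This is the "all MIB files in the chain" requirement: an unknown parent
            # means a MIB earlier in the chain has not been loaded.
            raise KeyError(f"{name}: parent {parent} is neither defined nor imported")
        names[name] = f"{names[parent]}.{arc}"
        m = SYNTAX.search(middle)
        if kind == "OBJECT-TYPE" and m:
            syntaxes[name] = m.group(1)
    return names, syntaxes


def resolve(oid, names):
    """Map a dotted OID to the longest known name, keeping any unresolved trailing arcs."""
    by_oid = {v: k for k, v in names.items()}
    arcs = oid.split(".")
    for cut in range(len(arcs), 0, -1):
        prefix = ".".join(arcs[:cut])
        if prefix in by_oid:
            rest = arcs[cut:]
            return by_oid[prefix] + ("." + ".".join(rest) if rest else "")
    return oid


def render_value(oid, raw, names, syntaxes):
    """Show an OCTET STRING as text only when the MIB says DisplayString, else as hex."""
    name = resolve(oid, names)
    if syntaxes.get(name) == "DisplayString":
        return f"{name}: {raw.decode('ascii', errors='replace')}"
    return f"{name}: {raw.hex()}"


if __name__ == "__main__":
    names, syntaxes = parse_mib(BROADHOP_MIB)
    print(resolve("1.3.6.1.4.1.26878.100.1.1.7", names))
    # Constructed varbind values, not captured traffic.
    print(render_value("1.3.6.1.4.1.26878.100.1.1.7", b"qns01", names, syntaxes))
    print(render_value("1.3.6.1.4.1.26878.100.1.1.99", b"\x01\x02", names, syntaxes))
```

The hex fallback is the behaviour the question describes: without a loaded MIB (or for an OID the loaded MIBs do not reach) there is no SYNTAX to consult, so the bytes stay hex. The KeyError on an unknown parent is the same failure Wireshark hits when a MIB in the chain is missing.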
The library used to resolve the OID to name is very strict about MIB conformance to the standard. I've seen many MIBs that violate one or another rule, thereby rejected by libsmi. Wireshark can be tuned to suppress these errors, so may have this problem too. Using smilint (or visiting simpleweb) allows you to test the MIBs' conformance. Oh, one more thing, have you ticked 'enable OID resolution', and restarted Wireshark?
Jaap:
Surely I didn't: that worked a treat - many thanks!
grahamb:
It'd be great to add this "tick Enable OID resolution" step into the howto if possible.
Anyone can request editing privileges for the wiki. From the front page of the Wiki:
grahamb:
Done.