This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decoding SNMP trap OIDs and values


Hi All,

How do I get Wireshark to decode the octet strings circled red as ASCII?

Many thanks in advance!

asked 14 Mar '17, 05:00


Dmitriy

edited 14 Mar '17, 08:41


One Answer:


You'll need to supply the MIB for the relevant OIDs. See the Wireshark Wiki page on SNMP for more info.

answered 14 Mar '17, 05:40


grahamb ♦

Many thanks: just realised they're custom, so no surprise )

(14 Mar '17, 05:43) Dmitriy

Just tried linking all 3 MIBs (BROADHOP-MIB, BROADHOP-NOTIFICATION-MIB, BROADHOP-QNS-MIB) as explained w/o any luck:

"in the "Preferences" dialog opened by the "Edit ==> Preferences" menu item, under the topic "Name resolution", you will find a button "SMI (MIB and PIB) Modules" which opens an editing window where you can add/remove modules. The name of the file you add to the "mibs" directory mentioned above must be the same as the module name itself (found in the MIB itself at the start, just before "DEFINITIONS ::=BEGIN")."

I cannot see my OIDs in any of the MIBs though. Should they show up there exactly as they are, e.g. 1.3.6.1.4.1.26878.100.1.1.7?

(14 Mar '17, 08:06) Dmitriy

MIBs are usually part of a hierarchy, so at the top of the MIB there will be an IMPORTS section that imports definitions from other MIBs, then there will be definitions that add on to those imports.

So the OID 1.3.6.1.4.1 is enterprises from RFC1155-SMI, which also defines iso, org, dod, internet, private which is the 1.3.6.1.4 part, 26878 is the organisation (BROADHOP), probably in the BROADHOP-MIB, and then the 100.1.1.7 will be defined in parts in the series of BROADHOP MIBs.

There are various MIB explorer tools that will show the OIDs in a GUI or you can parse the MIB files by hand. Wireshark will require all MIB files in the chain to resolve a specific OID.

(14 Mar '17, 08:39) grahamb ♦

Thank you - I think I can decode them manually now:

BROADHOP-MIB file starts with this, referring to SNMPv2-SMI as you mentioned:

BROADHOP-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, enterprises, Integer32
        FROM SNMPv2-SMI
    DisplayString
        FROM SNMPv2-TC;

Further down I can see 26878 defined:

broadhop MODULE-IDENTITY

...<removed>...

::= { enterprises 26878 }

and then the next 3 positions:

broadhopCommon OBJECT IDENTIFIER ::= { broadhop 100 }

broadhopCommonNotificationsGroup OBJECT IDENTIFIER ::= { broadhopCommon 1 }

broadhopNotificationParameters OBJECT IDENTIFIER ::= { broadhopCommonNotificationsGroup 1 }

and finally individual parameters, e.g. 7 is broadhopComponentName, 8 is broadhopComponentTime and so on.

Now wondering why Wireshark cannot do the same automatically...

(14 Mar '17, 08:56) Dmitriy
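As an added example (not Wireshark's, libsmi's or the vendor's code) that automates the manual decode walked through above: it collects the `::= { parent arc }` assignments from MIB text, seeds the tree with the standard prefix down to enterprises, and walks a numeric trap OID to its symbolic path. The MIB text is constructed from the fragments quoted in this thread, not the real BROADHOP-MIB file.

```python
"""Resolve a numeric SNMP OID to its symbolic name path from SMIv2 MIB text.
Added example (not Wireshark's or libsmi's code): it automates the manual walk in the
thread by following each `::= { parent arc }` assignment down from `enterprises`."""
import re
# Prefix defined in SNMPv2-SMI: iso(1).org(3).dod(6).internet(1).private(4).enterprises(1)
ROOT_NODES = {"iso": (None, 1), "org": ("iso", 3), "dod": ("org", 6),
              "internet": ("dod", 1), "private": ("internet", 4), "enterprises": ("private", 1)}
# `<name> <macro> ... ::= { <parent> <arc> }`. The macro must sit on the name's own line so
# that an IMPORTS clause merely listing the macro names is not taken for an assignment.
ASSIGN_RE = re.compile(
    r"^([A-Za-z][\w-]*)[ \t]+(?:OBJECT IDENTIFIER|OBJECT-TYPE|MODULE-IDENTITY|NOTIFICATION-TYPE)\b"
    r".*?::=\s*\{\s*([A-Za-z][\w-]*)\s+(\d+)\s*\}", re.S | re.M)

def parse_mibs(*mib_texts):
    """Collect {name: (parent, arc)} from every module given; a chain may span several files."""
    nodes = dict(ROOT_NODES)
    for text in mib_texts:
        for name, parent, arc in ASSIGN_RE.findall(text):
            nodes[name] = (parent, int(arc))
    return nodes

def resolve(oid, nodes):
    """Dotted numeric OID -> dotted symbolic path; arcs with no definition stay numeric."""
    children = {}                      # parent name -> {arc: child name}, walked top-down
    for name, (parent, arc) in nodes.items():
        children.setdefault(parent, {})[arc] = name
    node, path = None, []
    for arc in map(int, oid.split(".")):
        child = children.get(node, {}).get(arc)
        path.append(child or str(arc))
        node = child or ""             # "" has no children, so everything after stays numeric
    return ".".join(path)

# Constructed MIB text, rebuilt from the fragments quoted in the thread (not the vendor's file).
BROADHOP_MIB = """\
BROADHOP-MIB DEFINITIONS ::= BEGIN
IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, enterprises, Integer32 FROM SNMPv2-SMI
    DisplayString FROM SNMPv2-TC;
broadhop MODULE-IDENTITY
    LAST-UPDATED "201703140000Z"  ORGANIZATION "sample"  CONTACT-INFO "n/a"  DESCRIPTION "sample"
    ::= { enterprises 26878 }
broadhopCommon                   OBJECT IDENTIFIER ::= { broadhop 100 }
broadhopCommonNotificationsGroup OBJECT IDENTIFIER ::= { broadhopCommon 1 }
broadhopNotificationParameters   OBJECT IDENTIFIER ::= { broadhopCommonNotificationsGroup 1 }
broadhopComponentName OBJECT-TYPE
    SYNTAX DisplayString  MAX-ACCESS accessible-for-notify  STATUS current
    DESCRIPTION "Name of the component that raised the trap."
    ::= { broadhopNotificationParameters 7 }
END
"""
```

Calling `resolve("1.3.6.1.4.1.26878.100.1.1.7", parse_mibs(BROADHOP_MIB))` yields the full path ending in broadhopComponentName; an arc that no loaded MIB defines (as happens when one module of the chain is missing) is left numeric, which is the same symptom Wireshark shows when a MIB in the chain is absent.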

The library used to resolve the OID to name is very strict about MIB conformance to the standard. I've seen many MIBs that violate one or another rule and are thereby rejected by libsmi. Wireshark can be tuned to suppress these errors, so you may have this problem too. Using smilint (or visiting simpleweb) allows you to test the MIBs' conformance. Oh, one more thing, have you ticked 'enable OID resolution', and restarted Wireshark?

(14 Mar '17, 09:57) Jaap ♦

Jaap:

Surely I didn't: that worked a treat - many thanks!

grahamb:

It'd be great to add this "tick Enable OID resolution" step into the howto if possible.

(14 Mar '17, 10:11) Dmitriy

Anyone can request editing privileges for the wiki. From the front page of the Wiki:

If you are a member of the EditorGroup you can edit this wiki. To become an editor, create an account and send a request to [email protected] which includes your wiki username.

(14 Mar '17, 10:42) grahamb ♦

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(14 Mar '17, 10:43) grahamb ♦

grahamb:

Done.

(14 Mar '17, 10:56) Dmitriy