This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SNMP Capture issues.


Greetings and happy Monday! I am having a problem capturing SNMP packets from a MFP. Long story short, a customer of ours has a few MFPs and their IT company uses a program to monitor the meter readings, and 1 of the 4 machines is not sending said readings. The parent company that needs the readings wanted me to go out and get a capture to make an attempt to capture what is wrong. The rep from the company sent me a bulletin showing the process of setting up Wireshark to filter the MAC address of the MFP (ether host XX:XX:XX:XX:XX:XX or multicast or broadcast), and one of the pieces of equipment required is a "dumb hub" (the one my company purchased is a Dualcomm DCSW-1005). After a 3 hour packet capture I sent the file to all of the parties and within roughly 30 mins I got a reply from the rep saying there was no SNMP information captured. I've gone back twice, and even on the second attempt with a machine that is reporting hooked up alongside the other MFP, it still didn't capture the proper information. So my question is this: is there a certain way to set up Wireshark to scan for that information? Any suggestions will be greatly appreciated. I also want to throw out there that I am not an expert when it comes to using this program and that this is the first time that I have had to use it.

Thanks!! Chris, your neighborhood friendly copier technician :D

asked 05 Jun '17, 08:43


tul

Basics first:

  1. Did it capture anything?
  2. Did it capture anything from this MFP?
  3. Is there any UDP traffic to be seen from the MFP?
  4. Is there any UDP traffic to destination port 161 or 162 from this MFP?

Without much more detailed information it's going to be hard to find out what's going on.

(05 Jun '17, 11:29) Jaap ♦

Answer:

1. Yes it does.
2/3. Yes, it did filter out the MFP's and captured UDP traffic.
4. Not from ports 161 or 162 but from ports 4680 and 21328.

Sorry for the information or lack of it.

(05 Jun '17, 11:37) tul

To add an update I talked to the rep and he wants me to do a capture with no filter. I guess to clarify my question is there a way to filter just SNMP traffic.

(05 Jun '17, 11:38) tul

You didn't answer 4. Is there any UDP traffic to destination port 161 or 162 from this MFP?

(05 Jun '17, 13:25) Jaap ♦
Not from ports 161 or 162 but from UDP ports 4680 and 21328.

(05 Jun '17, 13:26) tul

Okay, clearly a misunderstanding here. UDP packets have 2 ports, a source port and a destination port. The source port is used by the client process to send out packets to a destination port of a receiving server process. The server process often uses 'well known' ports for the service it provides, and UDP ports 161 and 162 are well known to be related to SNMP. So 'from port so and so' is describing the client process, which is not what we're looking at. We're looking at the server process being addressed, using port 161 or 162, which are the destination port numbers for UDP packets from the MFP.

(05 Jun '17, 22:25) Jaap ♦
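The source-port versus destination-port distinction above is exactly what a capture filter such as `ether host XX:XX:XX:XX:XX:XX and (udp port 161 or udp port 162)` (or the `snmp` display filter once the capture is loaded) encodes. The following Python is an added example, not code from the thread or from Wireshark: it builds a few constructed Ethernet/IPv4/UDP frames with placeholder MAC and IP addresses, applies that same filter logic, and labels each matching packet as a poll to the agent (destination port 161), a response from the agent (source port 161) or a trap (destination port 162). A packet that merely has 4680 or 21328 as its source port, with neither 161 nor 162 at either end, does not count as SNMP.

```python
import struct
from collections import Counter

# Placeholder addresses for the constructed frames; not the thread's real MFP or server.
MFP_MAC = "02:00:00:00:00:01"
SERVER_MAC = "02:00:00:00:00:02"
OTHER_MAC = "02:00:00:00:00:03"
SNMP_PORTS = {161, 162}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"\x30\x00"):
    """Build a minimal Ethernet II / IPv4 / UDP frame (checksums left at zero; test data only)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + udp


def parse_frame(frame: bytes):
    """Return (src_mac, dst_mac, sport, dport) for an IPv4/UDP frame, else None."""
    if len(frame) < 14 + 20 + 8:
        return None
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                                   # IP protocol 17 = UDP
        return None
    udp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    return src_mac, dst_mac, sport, dport


def matches_filter(frame: bytes, host_mac: str) -> bool:
    """Software equivalent of 'ether host <mac> and (udp port 161 or udp port 162)'."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    src_mac, dst_mac, sport, dport = parsed
    return host_mac.lower() in (src_mac, dst_mac) and bool({sport, dport} & SNMP_PORTS)


def classify(frame: bytes) -> str:
    """Label the SNMP role of a UDP packet by which end carries the well-known port."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "not-udp"
    _, _, sport, dport = parsed
    if dport == 161:
        return "snmp-request"      # manager polling the agent
    if sport == 161:
        return "snmp-response"     # agent answering the poll
    if dport == 162:
        return "snmp-trap"         # agent notifying the manager
    return "other-udp"             # e.g. 4680 -> 21328: not SNMP at all


def summarize(frames, host_mac: str) -> dict:
    """Count SNMP roles among frames that pass the host+port filter."""
    return dict(Counter(classify(f) for f in frames if matches_filter(f, host_mac)))


# Constructed sample traffic: a poll, its answer, a trap, an unrelated UDP flow and
# an SNMP poll to some other host that the ether-host clause must exclude.
SAMPLE_FRAMES = [
    build_udp_frame(SERVER_MAC, MFP_MAC, "10.0.0.2", "10.0.0.1", 4680, 161),
    build_udp_frame(MFP_MAC, SERVER_MAC, "10.0.0.1", "10.0.0.2", 161, 4680),
    build_udp_frame(MFP_MAC, SERVER_MAC, "10.0.0.1", "10.0.0.2", 21328, 162),
    build_udp_frame(MFP_MAC, SERVER_MAC, "10.0.0.1", "10.0.0.2", 4680, 21328),
    build_udp_frame(SERVER_MAC, OTHER_MAC, "10.0.0.2", "10.0.0.3", 4680, 161),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame(f), matches_filter(f, MFP_MAC), classify(f))
    print(summarize(SAMPLE_FRAMES, MFP_MAC))
```

In a real capture the fourth sample frame is the kind of packet that produces the "from ports 4680 and 21328" observation: it comes from the MFP, but nothing about it is SNMP. If `summarize` over the MFP's traffic shows no `snmp-request` entries at all, the monitoring server's polls are not reaching the mirrored port, which points at the capture setup rather than at the MFP.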

When capturing with the Dualcomm DCSW-1005, you must connect your PC to port 5. You can then connect the MFP to port 1, and then connect the network to port 2-4. Whatever is Tx/Rx on port 1 is mirrored to port 5 where you are capturing with your PC.

It is quite possible you didn't connect correctly and is the reason you are not seeing the traffic you are looking for.

Additionally, the Dualcomm device is not a "dumb hub"; it's a switch that statically mirrors port 1 to 5. Dumb hubs are basically multi-port repeaters which support half-duplex only.

(06 Jun '17, 19:30) Rooster_50

@Jaap I see what you are saying. After the company's QA guy looked at the packet I had sent him yesterday, it was determined that their server was doing some sort of SNMP request to my laptop and it was using ports 161 and 162. But it was not showing any SNMP traffic from anything else, which leads to @rooster_50. Thank you for that information. A comment the guy made yesterday honestly leads to what you are saying about the hub. He noticed that there was little to no traffic in association with the copier, so what you stated in your comment I think verifies what he was stating. Thank you for the help. I will not be going back to that place until 6/20 with the rep from the company and we will both be going over it and doing a packet capture, so I will keep this in mind and will give an update around that time.

Thanks again!!!!!

(07 Jun '17, 11:42) tul