This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to add MIB files into Wireshark

0

Hi All,

I understood that it's possible to add SNMP MIB files into Wireshark. The question is:

  • How could I add the MIB file there?

  • Eventually, when it's added, should I expect to read / write values from the device, like other SNMP applications such as MG-SOFT? Or is it merely there to help read the captured traffic, so that instead of seeing OIDs in the capture file I would see object names?

Kind regards, Nima

asked 02 Aug '17, 01:19

Nima

edited 02 Aug '17, 01:25

sindy

Not a complete answer but may make the answer for the first part not important for you. Wireshark is a read-only tool, i.e. it doesn't generate any traffic at all. So you'll only see SNMP messages which were sent by other sources (other machines and other applications running on the same machine where the capture was taken), and having the right MIB loaded only allows Wireshark to translate OIDs into human-readable form as you expect.

(02 Aug '17, 01:37) sindy

One Answer:

1

SNMP MIB configuration can be found in the Preferences, under Name Resolution.

First, use SMI Paths to set up the list of paths where to look for the MIB files.

Second, use SMI Modules to define the MIB modules (that is, the module names found in the MIB files) to be loaded.

Once that is done, mark the checkbox Enable OID resolution.

You will be asked to restart Wireshark, which is needed to actually load the modules from the MIB files.

The library used to resolve OIDs to names from the modules is rather picky on MIB module correctness. If there are bugs in the MIB modules it will complain loudly. You may mark the checkbox Suppress SMI errors, but it still may not work. Also make sure the MIB modules from which objects and syntaxes are imported can be loaded.

answered 02 Aug '17, 04:41

Jaap ♦

edited 02 Aug '17, 04:42

Thanks for the answer. I also found out that apparently, it's very important for Wireshark that the MIB file name must be the same as the module name which is described inside that MIB file. It directly means that you cannot use a shared MIB file for several devices.

(02 Aug '17, 06:34) Nima

Ah yes, another peculiarity of libsmi, the library doing the real work for Wireshark. I don't understand your next comment though: '...it directly means that you cannot use a shared mib file for several devices.' If you want to have a MIB module specific per device type and the various device types have common objects, then collect these in a separate MIB and import them in your device type specific MIBs.

(02 Aug '17, 07:05) Jaap ♦
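
A pre-flight check for the two libsmi requirements raised in this thread (file name equal to the module name, and every module named in IMPORTS being loadable), added here as an example and not code from Wireshark, libsmi or the posters. It assumes the file extension is ignored when names are compared and that the directories passed in are all the ones Wireshark searches; the ACME modules are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

MODULE_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s+DEFINITIONS\s*::=\s*BEGIN", re.M)
IMPORTS_RE = re.compile(r"\bIMPORTS\b(.*?);", re.S)   # section ends at first ';'
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z][\w-]*)")    # source module of an import
COMMENT_RE = re.compile(r"--.*?(?:--|$)", re.M)       # ASN.1 comment

def check_mib_dirs(dirs):
    """Return (name_mismatches, missing_imports) for MIB files found in dirs."""
    files = [p for d in dirs for p in sorted(Path(d).iterdir()) if p.is_file()]
    available = {p.stem for p in files}   # assumption: extension is ignored
    mismatches, missing = [], set()
    for path in files:
        text = COMMENT_RE.sub("", path.read_text(errors="replace"))
        header = MODULE_RE.search(text)
        if header is None:
            continue                      # not a MIB module
        module = header.group(1)
        if module != path.stem:
            mismatches.append((path.name, module))
        imports = IMPORTS_RE.search(text, header.end())
        for dep in FROM_RE.findall(imports.group(1)) if imports else []:
            if dep not in available:
                missing.add((module, dep))
    return mismatches, sorted(missing)

SAMPLE = {  # constructed sample modules (hypothetical ACME names)
    "SNMPv2-SMI": "SNMPv2-SMI DEFINITIONS ::= BEGIN\nEND\n",
    "ACME-COMMON-MIB.mib": (
        "ACME-COMMON-MIB DEFINITIONS ::= BEGIN\n"
        "IMPORTS enterprises FROM SNMPv2-SMI; -- shared objects\nEND\n"),
    "acme-switch.mib": (
        "ACME-SWITCH-MIB DEFINITIONS ::= BEGIN\n"
        "IMPORTS acmeCommon FROM ACME-COMMON-MIB\n"
        "        AcmePortState FROM ACME-TC-MIB;\nEND\n"),
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            Path(tmp, name).write_text(body)
        return check_mib_dirs([tmp])

if __name__ == "__main__":
    bad_names, missing = demo()
    print("file name != module name:", bad_names)
    print("imports not found in paths:", missing)
```

In the sample, the shared objects live in their own module that the device-specific module imports, which is the layout suggested in the last comment.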