Simple Network Management Protocol (SNMP)

SNMP is used to monitor and manage devices on networks.

History

For an overview on SNMP, read this http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

Protocol dependencies

Typically, SNMP uses UDP as its transport protocol. The well known UDP ports for SNMP traffic are 161 (SNMP) and 162 (SNMPTRAP). It can also run over TCP, Ethernet, IPX, and other protocols. ATM uses SNMP as its ILMI (Integrated Local Management Interface) protocol.

Wireshark

The SNMP dissector is fully functional. If properly configured allows to decrypt encrypted SNMPv3 packets.

MIB files

If built with the libsmi libraries, Wireshark uses those libraries to resolve numeric OIDs (e.g. 1.3.6.1.2.1.2.2.1.6.1) into human readable format (e.g. IF-MIB::ifPhysAddress.1). The default installation only contains some common MIB files so Wireshark won't be able to resolve all possible OIDs.

You can configure which MIB files are loaded by using the preference setting mentioned below. You can also specify "ALL" in the preferences, resulting in all MIBs being loaded.

When specifying the MIB modules to load, use a colon separator. Note that the MIB module name is not necessarily the name of the file itself. The MIB name to use may be discovered by looking for the DEFINITIONS keyword in the MIB file.

For Unix systems, whether your version of Wireshark is built with the libsmi libraries can be determined by opening the "About Wireshark" window with the "Help ==> About Wireshark" menu item. The third paragraph in the "Wireshark" tab of that window (which is the tab that is opened by default) will include the phrase "with SMI", followed by the version number of the libsmi libraries, if Wireshark is built with libsmi, and will include the phrase "without SMI" if Wireshark is built without libsmi. The OS X binaries available from the Wireshark Web site are built with the libsmi libraries. If Wireshark is built with libsmi, it assumes the MIB files are stored in directories under /usr/local/share/mibs.

For Windows, the binaries available from the Wireshark Web site are built with the libsmi libraries. The MIB files are stored e.g. in C:\Program Files\Wireshark\snmp\mibs.

In versions of Wireshark built with libsmi, in the the "Preferences" dialog opened by the "Edit ==> Preferences" menu item, under the topic "Name resolution", you will find a button "SMI (MIB amd PIB) Modules" which opens an editing window where you can add/remove modules. The name of the file you add to the "mibs" directory mentioned above must be the same as the module name itself (found in the MIB itself at the start, just before "DEFINITIONS ::=BEGIN").

XXX - are all MIB files in these dirs are inspected and only the "right" files loaded?

Many network-related MIBs definitions can be downloaded from http://bytesphere.com/mibs/detail.html or http://www.mibdepot.com.

Which MIB's do I need?

If you see any unresolved OID's you may need to add a MIB file to the Net-SNMP libs.

The following will give an example to add the missing information to display SampleCaptures/b6300a.cap correctly.

In packet 7 you see: SNMPv2-SMI::enterprise.253.8.64.4.2.1.5.10.14150900 resp. 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14150900.

What's missing now is the enterprise with the id 253. The IANA Private Enterprise Numbers list tells us that this is Xerox.

Get hold of the Xerox MIBs from one of the links above and place them in the mibs directory (you need the printer-MIB as well) and change the file ending from .mib to .txt.

When loading a specified MIB module failed a warning message like: Cannot find module (IP-MIB): At line 0 in (none) will be shown on the console at Wireshark startup. WIN32: To have a console window already open at that time, set the preference setting "Open a console window" to "Always", Save the Preferences and restart Wireshark. Otherwise the console will be open too late and you'll see nothing.

Preference Settings

Wireshark's SNMP protocol preferences let you control the display of the OID in the info column, desegmentation of SNMP over TCP, and which MIB modules to load (see above).

The USMuserTable file preference allows the user to choose a file with the engine-ids, usernames and passwords in order to allow decryption of encrypted packets. The file is formated as follows:

Please note: the order of the parameters in the file will vary, depending on your version of wireshark! If the sample below doesn't work for you, go into WireShark -> Edit -> Preferences -> Protocols -> SNMP, and add the settings through the GUI; afterwards, look at the created snmp_users file to determine the order of the columns.

Recent versions of Wireshark seem to use the following format for snmp decryption (~/.wireshark/snmp_users)

# This file is automatically generated, DO NOT MODIFY.
,"admin","MD5","myauth","DES","mysecretkey"

The following example seems to be outdated (fix me, I don't want to delete it in case it offers value to someone).

# this is an example snmp_users_file (e.g. ~/.wireshark/snmp_users)

# comments start with a # and finish at the end of line
# empty lines are ignored

# each record has the following fileds
# engine-id username auth_pass priv_pass auth_proto priv_proto
# fileds are separated by whitespace
# engine-id, username and passwds can be either "double quoted" or hex
# double quoted strings are c-style strings and take escape chars
# a '*' as engine-id matches any any given engine-id
# auth_proto can be either MD5 or SHA1 (or just SHA). Defaults to MD5 if not given.
# priv_proto can be either DES or AES. Defaults to DES if not given.
# protocols are case-insensitive (md5 == MD5)
# first match wins (place localized entries before those for any engine)

80001F888059DC486145A26322 "pippo" "plutoxxx" "PLUTOxxx" MD5 DES

# pippo for any engine will use DES and MD5
* "pippo" "plutoxxx" "PLUTOxxx"


# SHA + DES
80001F888059DC486145A26322 "pippo2" "plutoxxx" "PLUTOxxx" SHA

# SHA + AES
80001F888059DC486145A26322 "pippo3" "plutoxxx" "PLUTOxxx" SHA AES

# MD5 + AES
80001F888059DC486145A26322 "pippo4" "plutoxxx" "PLUTOxxx" AES

Example traffic

SampleCaptures/b6300a.cap A bunch of GETs and RESPONSEs

Display Filter

A complete list of SNMP display filter fields can be found in the display filter reference

Capture Filter

You cannot directly filter SNMP protocols while capturing. However, if you know the UDP ports used (see above), you can filter on that ones.

SGMP (an ancestor of SNMP):

SNMPv1

SNMPv2

SNMPv2 (Community based)

SNMPv3

RMON

SMI

Discussion

Is there an easy way to find out, which MIB is really needed? From the example above: do I need all Xerox MIBs? Is there an online resource to find a map between the OID and the MIB? http://www.mibdepot.com can help on this

:-) After years thinking and reading RFCs and various other documents, today, I finally understood. "Simple" refers to "Network" not to "Management Protocol"! So it is a Management Protocol for Simple Networks not a Simple Protocol for Management of Networks... That explains why it's called "Simple". It was that Simple but it took me years to understand it! -- LuisOntanon

SNMP (last edited 2013-04-23 18:24:11 by GuyHarris)