This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 21 and 22
Revision 21 as of 2006-12-21 18:40:28
Size: 10236
Editor: GuyHarris
Comment: SNMP runs over protocols other than TCP and UDP (as the article itself says).
Revision 22 as of 2006-12-22 07:26:21
Size: 9994
Editor: JaapKeuter
Comment: Dropped UCD-SNMP reference
Deletions are marked like this. Additions are marked like this.
Line 14: Line 14:
== Example traffic ==

attachment:SampleCaptures/b6300a.cap A bunch of GETs and RESPONSEs
Line 24: Line 20:
Wireshark uses the [http://www.net-snmp.org/ Net-SNMP] or UCD SNMP libraries to resolve numeric OIDs (e.g. 1.3.6.1.2.1.2.2.1.6.1) into human readable format (e.g. IF-MIB::ifPhysAddress.1). The default installation only contains some common MIB files so Wireshark won't be able to resolve all possible OIDs. Wireshark uses the [http://www.net-snmp.org/ Net-SNMP] libraries to resolve numeric OIDs (e.g. 1.3.6.1.2.1.2.2.1.6.1) into human readable format (e.g. IF-MIB::ifPhysAddress.1). The default installation only contains some common MIB files so Wireshark won't be able to resolve all possible OIDs.
Line 27: Line 23:
At least on Windows you can also specify "ALL" in the preferences. You can also specify "ALL" in the preferences, resulting in all MIBs being loaded.
Line 49: Line 45:
Get hold of the Xerox MIB:s from one of the links above and place them in the mibs directory ( you need the printer-MIB as well) and change the file ending from .mib to .txt. Get hold of the Xerox MIBs from one of the links above and place them in the mibs directory (you need the printer-MIB as well) and change the file ending from .mib to .txt.
Line 57: Line 53:
== Example capture file == == Example traffic ==
Line 59: Line 55:
XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically. attachment:SampleCaptures/b6300a.cap A bunch of GETs and RESPONSEs

Simple Network Management Protocol (SNMP)

SNMP is used to monitor and manage devices on networks.

History

XXX - add a brief description of SNMP history

Protocol dependencies

Typically, SNMP uses ["UDP"] as its transport protocol. The well known UDP ports for SNMP traffic are 161 (SNMP) and 162 (SNMPTRAP). It can also run over ["TCP"], ["Ethernet"], ["IPX"], and other protocols. ["ATM"] uses SNMP as its ["ILMI"] (Integrated Local Management Interface) protocol.

Wireshark

The SNMP dissector is fully functional.

MIB files

Wireshark uses the [http://www.net-snmp.org/ Net-SNMP] libraries to resolve numeric OIDs (e.g. 1.3.6.1.2.1.2.2.1.6.1) into human readable format (e.g. IF-MIB::ifPhysAddress.1). The default installation only contains some common MIB files so Wireshark won't be able to resolve all possible OIDs.

You can configure which MIB files are loaded by using the preference setting mentioned below, the MIBS environment variable or by editing snmp.conf as described in the [http://www.net-snmp.org/tutorial/tutorial-5/commands/mib-options.html Net-SNMP Tutorial] (XXX - is this true for Win32?) (XXX - which setting takes precedence?). You can also specify "ALL" in the preferences, resulting in all MIBs being loaded.

When specifying the MIB modules to load, use a colon separator. Note that the MIB module name is not necessarily the name of the file itself. The MIB name to use may be discovered by looking for the DEFINITIONS keyword in the MIB file.

For Unix systems, the MIB files are stored in /usr/local/share/snmp/mibs. Also make sure you have installed the Net-SNMP libs, the package is usually named something like libsnmp (XXX - which version is needed?).

For Windows, the MIB files are stored e.g. in C:\Program Files\Wireshark\snmp\mibs. The Net-SNMP libs are installed by the Wireshark setup.

XXX - are all MIB files in these dirs are inspected and only the "right" files loaded?

Many network-related MIBs definitions can be downloaded from http://bytesphere.com/mibs/detail.html or http://www.mibdepot.com.

Which MIB's do I need?

If you see any unresolved OID's you may need to add a MIB file to the Net-SNMP libs.

The following will give an example to add the missing information to display attachment:SampleCaptures/b6300a.cap correctly.

In packet 7 you see: SNMPv2-SMI::enterprise.253.8.64.4.2.1.5.10.14150900 resp. 1.3.6.1.4.1.253.8.64.4.2.1.5.10.14150900.

What's missing now is the enterprise with the id 253. [http://www.iana.org/assignments/enterprise-numbers The IANA Private Enterprise Numbers list] tells us that this is Xerox.

Get hold of the Xerox MIBs from one of the links above and place them in the mibs directory (you need the printer-MIB as well) and change the file ending from .mib to .txt.

When loading a specified MIB module failed a warning message like: Cannot find module (IP-MIB): At line 0 in (none) will be shown on the console at Wireshark startup. WIN32: To have a console window already open at that time, set the preference setting "Open a console window" to "Always", Save the Preferences and restart Wireshark. Otherwise the console will be open too late and you'll see nothing.

Preference Settings

Wireshark's SNMP protocol preferences let you control the display of the OID in the info column, desegmentation of SNMP over TCP, and which MIB modules to load (see above).

Example traffic

attachment:SampleCaptures/b6300a.cap A bunch of GETs and RESPONSEs

Display Filter

A complete list of SNMP display filter fields can be found in the [http://www.wireshark.org/docs/dfref/s/snmp.html display filter reference]

  • Show only the SNMP based traffic:

     snmp 

Capture Filter

You cannot directly filter SNMP protocols while capturing. However, if you know the ["UDP"] ports used (see above), you can filter on that ones.

  • Capture SNMP traffic over the default ports (161 and 162):

     udp port 161 or udp port 162 

SGMP (an ancestor of SNMP):

SNMPv1

SNMPv2

SNMPv2 (Community based)

SNMPv3

RMON

Discussion

Is there an easy way to find out, which MIB is really needed? From the example above: do I need all Xerox MIBs? Is there an online resource to find a map between the OID and the MIB?

SNMP (last edited 2019-11-01 21:48:45 by GuyHarris)