
Ethereal-users: [Ethereal-users] Re: SNMP Capture Data inquiry

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Wed, 20 Jul 2005 06:57:28 -0400
SNMP is BER encoded.
That means it is Tag, Length, Value encoded.

The first byte, 0x30, is the TAG. It is encoded as follows:
The first two bits specify the tag class: 0 == universal.
The next bit specifies whether the type is constructed or a primitive type;
you can probably ignore this field.
The last 5 bits are the tag type == 16.

So 0x30 means Universal tag #16, which is a SEQUENCE, or in C-speak a struct.
Then follows the length of this field, 0x43 bytes of data,
followed by the value of the data.

For other ASN.1/BER protocols (SNMP has not been converted yet) you
can go to Menu:Edit/Preferences/Protocols/BER and enable the
dissectors to show you the decode of the TAG and LENGTH bytes as well
as the data.

Google for a BER tutorial; it is pretty simple for most non-telco-based
protocols, which don't use the more advanced types of ASN.1
constructs.

Apart from BER, there are two other encodings, DER and CER, that are
very similar. In fact, if you only look at packets and do not
plan to create packets yourself, you can ignore DER and CER
completely, since they only apply to the encoding phase.

The fourth ASN.1 encoding, PER, which is used for things like VoIP, is
completely different and has a completely different structure and
method of encoding.

You don't want to decode PER by hand or even look at the hex data for PER.




On 7/19/05, Jose Vicente Quinto <joe.v.r.quinto@xxxxxxxxxxxxxxxxx> wrote:
> Hello everyone,
> 
> Good day.
> 
> I have an SNMP GET-Request PDU here with two Object IDs, the start of 
> the SNMP packet is at row '0020' from the sequence '30 43 02 ...' up to
> the end ('... 08 01 05 00'). 
> 
> 0000   00 50 81 20 00 00 00 0b db 80 e0 56 08 00 45 00  .P. .......V..E.
> 0010   00 61 88 7c 00 00 80 11 00 00 c8 01 1f 8c c8 01  .a.|............
> 0020   1f 23 0a 86 00 a1 00 4d 19 f7 30 43 02 01 00 04  .#.....M..0C....
> 0030   06 70 75 62 6c 69 63 a0 36 02 02 60 5d 02 01 00  .public.6..`]...
> 0040   02 01 00 30 2a 30 13 06 0f 2b 06 01 04 01 0b 02  ...0*0...+......
> 0050   0e 0b 01 03 01 01 09 01 05 00 30 13 06 0f 2b 06  ..........0...+.
> 0060   01 04 01 0b 02 0e 0b 01 03 01 01 08 01 05 00     ...............
> 
> Can anyone explain to me what is the purpose of the initial values before
> the actual ObjectID (before '2b 06 01 ... 01 05 00')?
> 
> Is it correct that the "43" in the first 2 bytes -- '30 43' -- the '43'
> (decimal 67), is the length of the whole SNMP data received that must be
> decoded, parsed, then encoded again for the sending of the RESPONSE PDU?
> After '30 43', I counted that there are 67 bytes total up to the end of
> the SNMP packet.
> 
> Hoping for your reply as soon as you can.
> 
> Thanks in advance.
> 
> Regards,
> Jovic
> 
> 
> -- 
> Jose Vicente Quinto <joe.v.r.quinto@xxxxxxxxxxxxxxxxx>
> ADTX Systems, Inc.
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>
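A worked decode of the Tag, Length, Value structure described in the reply, run over the SNMP GET-Request bytes from the question. This is an added example, not code from either mail or from Ethereal/Wireshark. The BER rules (tag class in the top two bits, constructed bit, tag number, short and long length forms, base-128 OID subidentifiers) and the SNMPv1 message layout (version, community, PDU with request-id, error-status, error-index and VarBindList) follow X.690 and RFC 1157; the names `BERError`, `parse_all`, `snmp_v1_summary` and the PDU-type table are choices made here. It also adds the check a real decoder needs that the thread does not spell out: every length is bounded by the enclosing buffer, so a frame whose length byte lies is rejected instead of being read past its end.

```python
from collections import namedtuple
from typing import Any, Dict, List, Optional, Tuple
# SNMP message copied from the hex dump in the question: the UDP payload from
# the '30 43' at frame offset 0x2a through the final '05 00' (69 bytes).
SNMP_GET_REQUEST = bytes.fromhex(
    "30 43 02 01 00 04 06 70 75 62 6c 69 63 a0 36 02 02 60 5d 02 01 00 "
    "02 01 00 30 2a 30 13 06 0f 2b 06 01 04 01 0b 02 0e 0b 01 03 01 01 09 01 "
    "05 00 30 13 06 0f 2b 06 01 04 01 0b 02 0e 0b 01 03 01 01 08 01 05 00"
)
TAG_CLASSES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")  # top two bits of the tag byte
PDU_TYPES = {0: "GetRequest", 1: "GetNextRequest", 2: "GetResponse", 3: "SetRequest", 4: "Trap"}  # RFC 1157
TLV = namedtuple("TLV", "offset tag length value")  # value: int, bytes, OID str, None or List[TLV]

class BERError(ValueError):
    """Malformed encoding: stop instead of reading outside the buffer."""

def describe_tag(tag: int) -> Tuple[str, bool, int]:
    """Split one tag byte into (class, constructed?, tag number), as the mail describes."""
    return TAG_CLASSES[tag >> 6], bool(tag & 0x20), tag & 0x1F

def read_length(buf: bytes, pos: int, end: int) -> Tuple[int, int]:
    """Decode a BER length at pos; return (length, index of the first value byte). The
    indefinite form and any length running past `end` are rejected, so a lying length
    byte in a capture can never make the caller read beyond the data it has."""
    if pos >= end:
        raise BERError("truncated length at offset %d" % pos)
    first, pos = buf[pos], pos + 1
    if first < 0x80:                        # short form
        length = first
    elif first == 0x80:                     # indefinite form, not allowed in SNMP
        raise BERError("indefinite length at offset %d" % (pos - 1))
    else:                                   # long form: 0x8n then n big-endian bytes
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > end:
            raise BERError("bad long-form length at offset %d" % (pos - 1))
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > end:
        raise BERError("length %d at offset %d overruns the buffer" % (length, pos))
    return length, pos

def decode_oid(body: bytes) -> str:
    """OID contents -> dotted string: base-128 subids, the first two packed as 40*x+y."""
    if not body or body[-1] & 0x80:
        raise BERError("empty or truncated OID")
    subids, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    x, y = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(n) for n in [x, y] + subids[1:])

def parse_tlv(buf: bytes, pos: int, end: int) -> Tuple[TLV, int]:
    """Parse one Tag-Length-Value at pos; constructed values are parsed recursively."""
    start, tag = pos, buf[pos]
    if tag & 0x1F == 0x1F:
        raise BERError("multi-byte tag number at offset %d (not used by SNMP)" % pos)
    length, pos = read_length(buf, pos + 1, end)
    cls, constructed, number = describe_tag(tag)
    body = buf[pos:pos + length]
    if constructed:                                   # SEQUENCE, PDU: walk the children
        value: Any = parse_all(buf, pos, pos + length)
    elif (cls, number) == ("UNIVERSAL", 2):           # INTEGER, two's complement
        value = int.from_bytes(body, "big", signed=True)
    elif (cls, number) == ("UNIVERSAL", 5):           # NULL must carry no bytes
        if length:
            raise BERError("NULL with non-zero length at offset %d" % start)
        value = None
    elif (cls, number) == ("UNIVERSAL", 6):           # OBJECT IDENTIFIER
        value = decode_oid(body)
    else:                                             # OCTET STRING and anything else: raw bytes
        value = body
    return TLV(start, tag, length, value), pos + length

def parse_all(buf: bytes, pos: int = 0, end: Optional[int] = None) -> List[TLV]:
    """Parse back-to-back TLVs that exactly fill buf[pos:end]."""
    end = len(buf) if end is None else end
    items: List[TLV] = []
    while pos < end:
        tlv, pos = parse_tlv(buf, pos, end)
        items.append(tlv)
    return items

def snmp_v1_summary(buf: bytes) -> Dict[str, Any]:
    """Name the fields of an SNMPv1 message (RFC 1157 layout) parsed by parse_all."""
    (msg,) = parse_all(buf)                           # exactly one outer SEQUENCE
    version, community, pdu = msg.value
    if describe_tag(pdu.tag)[:2] != ("CONTEXT", True):
        raise BERError("expected a PDU tag, got 0x%02x" % pdu.tag)
    req_id, err_status, err_index, varbinds = pdu.value
    return {"version": version.value, "community": community.value.decode("ascii"),
            "pdu_type": PDU_TYPES.get(pdu.tag & 0x1F, "[%d]" % (pdu.tag & 0x1F)),
            "request_id": req_id.value, "error_status": err_status.value,
            "error_index": err_index.value,
            "varbinds": [(vb.value[0].value, vb.value[1].value) for vb in varbinds.value]}

if __name__ == "__main__":
    print(describe_tag(0x30), snmp_v1_summary(SNMP_GET_REQUEST))
```

Running it shows the outer 0x30 as (UNIVERSAL, constructed, 16) with length 67, then version 0 (SNMPv1), community "public", a GetRequest (context tag 0, the 0xa0 byte) with request-id 0x605d, and the two OIDs 1.3.6.1.4.1.11.2.14.11.1.3.1.1.9.1 and ...8.1, each bound to NULL. The bytes before each OID that the question asks about are therefore the SEQUENCE wrappers of the VarBindList and of each VarBind, plus the OID's own tag 0x06 and length 0x0f. Truncate the buffer or set a length byte too large and `parse_all` raises `BERError` instead of returning partial, misaligned fields.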