ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-users: Re: [Wireshark-users] filter SNMP traps on enterprise

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Tony Barratt <tbarratt@xxxxxxxxxxx>
Date: Thu, 23 Jul 2009 11:24:54 +0100
Bedankt!
Tried that.
If use filter ="snmp.name contains 1.3.6.1.4.1.9.9.26" I get a subset of trapd (still 10 000s) of traps roughly in line with what I am expecting.

For example:
..
SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.4.1.9.9.26.2.0.2 (SNMPv2SMI::enterprises.9.9.26.2.0.2)
..
Actually I am looking for 1.3.6.1.4.1.9.9.26.2.0.1 to 1.3.6.1.4.1.9.9.26.2.0.4 traps.

But if I use filter =="snmp.name contains 1.3.6.1.4.1.9.9.26.2"
I get no matches.
Which is mysterious cos I was expecting for sure to match this line -> SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.4.1.9.9.26.2.0.2 
Any suggestions?

TIA

Tony
Date: Wed, 22 Jul 2009 23:25:51 +0200
From: "Sake Blok" <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] e:  filter SNMP  traps on enterprise
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <8239C94436C44C3EB21EF85335434535@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"
yes, you can use "snmp.name contains 1.3.6.1.4.1" as a display filter within Wireshark too :-) 
Cheers,


Sake
----- Original Message ----- From: Tony Barratt To: wireshark-users@xxxxxxxxxxxxx Sent: Wednesday, July 22, 2009 11:10 PM 
 Subject: [Wireshark-users] e: filter SNMP traps on enterprise


 Hi,

 Thanks for that!
 I am stuck with tshark.exe (did not know that was available till i read your post!) as only have access to windows version.
 I will try this in a vista command window tomorrow.
 Can I also do something equivalent inside wireshark GUI I wonder?

 BR

 Tony

Date: Wed, 22 Jul 2009 19:55:57 +0200
From: j.snelders@xxxxxxxxxx
Subject: Re: [Wireshark-users] filter SNMP  traps on enterprise
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4A542FF20000B5DD@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="US-ASCII"

Hi Tony,

Please see my previous post:
http://www.wireshark.org/lists/wireshark-users/200907/msg00175.html

You can also use:
$ tshark -r 20080512161200.pcap  -R "snmp.name contains 1.3.6.1.4.1" -T fields
-e snmp.name | sort | uniq
1.3.6.1.4.1.6247.4.8.5.13.0
1.3.6.1.4.1.6247.4.9.2.1.16.2
1.3.6.1.4.1.6247.4.9.2.1.16.3

$ tshark -r 20080512161200.pcap -R "snmp.name contains 1.3.6.1.4.1.6247.4.9.2.1.7.2"
-T fields -e snmp.name | sort | uniq
1.3.6.1.4.1.6247.4.9.2.1.16.2

HTH
Joan

On Wed, 22 Jul 2009 16:13:17 +0100 Tony Barratt wrote:
 Hello List,

I have just installed wireshark 1.2.1 on Windows and I want to use it to

analyze some SNMP traps collect on a linux box with tcpdump,
using tcpdump -nnvvXSs 1514 -i eth0 -C 15 udp and port 162 -w bert.cap.
If I understand correctly from using google this will allow for trap analysis. 

Have now loaded a 10 min capture file into wireshark, There are over 100

000 packets within.
I need to filter stuff out but the source is always the same because the

traps arrive via a trap forwarder.
One trap I am very interested in is demandNbrCallDetails or because I dont have the mibs loaded 1.3.6.1.4.1.9.9.26.2.0.4. 

Can someone please tell me if I can look inside the trap and  filter on
say the enterprise ( 1.3.6.1.3.1.1.5 for example) 
or the agent-addr (196.168.12.12 for example) ?

Thanks v much in advance

Tony
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube