Wireshark-users: Re: [Wireshark-users] Malformed Packet - SNMP Trap
From: Rexford Park <rex.park@xxxxxx>
Date: Fri, 15 Nov 2013 21:50:05 +0000 (GMT)
Thanks for the tip Patrick. I just finished a major rewrite of the library to support both forms of BER length encoding. Now everything is working well.
On Aug 29, 2013, at 07:47 PM, Patrick Klos <patrick@xxxxxxxx> wrote:
Rexford Park wrote:
I've been working on an SNMP v2c Agent library for the Arduino platform and hit a bit of a roadblock. So far the library works fine on messages that are under 172 bytes long. Once the messages hit 172 bytes they aren't picked up by SNMP Managers and Wireshark lists them as Malformed Packets.
I'm hoping I can find someone here that is more familiar with SNMP and can help me figure out what exactly is wrong with the packet so that I can dig into my code and fix the issue. Is there a way to get Wireshark to tell me where the packet has failed?
Wireshark Output of a malformed trap:
0000 a8 20 66 28 f1 69 de ad be ef fe ee 08 00 45 00
0010 00 9e 00 03 40 00 80 11 e3 8e 0a 23 01 3d 0a 23
0020 01 3b 00 a1 00 a2 00 8a 75 15
Standard UDP/IP packet so far.
0020 30 80
According to BER rules, the basic SNMP encapsulation includes a tag,
length and value. This tag is 0x30, which is a 'sequence'. The length
of the value is 128 bytes, which is indeed 0x80 hex. But encoding the
length in BER requires that values above 127 use a multi-byte form where
the first byte has the high bit set (to indicate multi-byte encoding)
and the low 7 bits indicate the length of the value. To encode the
value of 128, you would encode it in 2 bytes as this:
81 80
0020 02 01 01 04
0030 06 70 75 62 6c 69 63 a7 73 02 04 00 00 00 02 02
0040 01 00 02 01 00 30 65 30 10 06 08 2b 06 01 02 01
0050 01 03 00 43 04 00 00 09 c5 30 19 06 0a 2b 06 01
0060 06 03 01 01 04 01 00 06 0b 2b 06 01 04 01 82 99
0070 3b 01 00 01 30 10 06 0b 2b 06 01 04 01 82 99 3b
0080 01 01 01 02 01 16 30 24 06 0b 2b 06 01 04 01 82
0090 99 3b 01 01 02 04 15 31 32 33 34 35 36 37 38 39
00a0 30 31 32 33 34 35 36 37 38 39 30 31
Thanks
Other than that, the rest of the packet looks fine to me.
So, your Arduino's SNMP library needs a little work on its BER encoding
of lengths. (Just change the '30 80' at the beginning of the SNMP data
to '30 81 80' and the packet would be OK.)
Good luck! Let us know how you make out.
Patrick