Wireshark · Wireshark-users: Re: [Wireshark-users] Decoding SNMP OIDs using tshark

[Tom Simpson <tosimpson@xxxxxxxxxxxxxxx>]

Can you redirect your capture from Tshark, or even better use dumpcap,  over ssh to a Linux or OSX PC with the gui available?

I do this all the time with the following:

On the Linux or OSX pc with the GUI:

Open a command prompt and do the following:

mkfifo /tmp/nameoffile

ssh user@hostname “dumpcap –I nameofcaptureinterface  -P –w -  -f ‘anyfiltershere’ > /tmp/nameoffile

I typically have a capture user and an certificate I use with ssh to not have to deal with the password when I redirect over ssh as well.

I also have two interfaces in the PC I use for capture, one has no IP address so I don’t have to deal with filtering out any traffic to/from my capture PC.

Then in Wireshark add a new fifo interface that points to the /tmp/nameoffile and start your capture.

-- 

Thanks,

Tom Simpson

LAN/WAN Engineer

Forcht Group of Kentucky

859.259.9700 x538

"We all knew there was just one way to improve our odds for survival:

train, train, train. Sometimes, if your training is properly intense it

will kill you. More often -- much, much more often -- it will save your

life."  - Richard Marcinko, former US Navy SEAL Team Commander

From: Eric Ewanco <Eric.Ewanco@xxxxxxxxxxx>
Reply-To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Date: Thursday, August 28, 2014 at 1:27 PM
To: "wireshark-users@xxxxxxxxxxxxx" <wireshark-users@xxxxxxxxxxxxx>
Subject: [Wireshark-users] Decoding SNMP OIDs using tshark

I am debugging an SNMP trap problem using tshark (TShark 1.6.6 (SVN Rev Unknown from unknown)) on a Linux platform (OpenSuSE 12.1). (The target platform does not support the wireshark GUI.) OIDs in PDUs are shown in numerical format even though I have MIBs installed in /usr/share/snmp/mibs with a link to that in /usr/local/share/mibs. I tried -V. There doesn't appear to be a tshark verbose or debugging option except for some memory debugging options. I have checked the man page and find nothing on SNMP or MIBs. I tried strace and I found a file /usr/share/wireshark/oid file but when I put the MIB directory there, I get a flex error, and a google search for what this mysterious file means turns up nothing. I can copy and paste the OIDs into an snmptranslate command and it correctly translates them. I tried creating a ~/.wireshark directory with smi_modules and smi_paths ("/usr/share/snmp/mibs"). I did a tshark -G currentprefs to see if there was a relevant preference but there doesn’t seem to be. I have googled this issue but I get way too much chaff to make any progress. I checked unix.stackexchange.com, superuser.com, and stackoverflow.com.

Example invocation:

tshark -R "snmp && ip.dst==<nms_ip>" -i eth0

Running as user "root" and group "root". This could be dangerous.

Capturing on eth0

  4.675952  <agent_ip> -> <nms_ip>  SNMP 115 sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0

 

# more .wireshark/preferences

name_resolve: mtC

name_resolve_load_smi_modules: TRUE

snmp.display_oid: TRUE

snmp.desegment: TRUE

snmp.var_in_tree: TRUE

 

I tried without this preferences file as well.

 

How do I get the OIDs to be displayed in symbolic format, e.g. sysUpTimeInstance and snmpTrapOID.0?

 

Thanks for any help!

 

---

CONFIDENTIALITY NOTICE:
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

Forcht Group IT, 2400 South Main Street, Corbin, Ky.