Capture SNMP

asked 2020-04-23 17:28:22 +0000

vs2015sv

Hello,

I was notified that one of my computers has been sending SNMP requests to devices across the network. I am looking to capture the SNMP requests sent from one of my workstations, but I just can't seem to figure out how to configure Wireshark to only give me this specific information.

Any help would be appreciated.

Thank you


Comments

Start with UDP port 161 (sometimes UDP 8161).

Chuckc ( 2020-04-23 17:35:20 +0000 )

I opened up "capture filters" and removed all filters. I created two filters - udp port 161 and udp port 162. Not seeing anything being captured at this time, but it may happen at a scheduled task.

I believe this is how I should configure wireshark?

vs2015sv ( 2020-04-23 17:38:27 +0000 )

"SNMP requests" are going to be 161 or some other custom port.
Port 162 is usually SNMP traps (alert messages).

Are the packets making it to your capture machine?
Examples here

Chuckc ( 2020-04-23 17:43:31 +0000 )
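The request-versus-trap distinction drawn above (port 161 for requests, 162 for traps) can also be checked inside the datagram itself, because the SNMP PDU tag says whether a message is a Get/GetNext/Set/GetBulk request, a response, or a trap. The following is an added example, not code from this thread or from Wireshark: it decodes the version, community and PDU type of a raw v1/v2c SNMP UDP payload (such as bytes exported from a capture), and the sample datagram is constructed.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "Trap-v2"}
REQUEST_PDUS = {"GetRequest", "GetNextRequest", "SetRequest", "GetBulkRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def _tlv(buf, pos):
    """Decode one BER TLV at pos -> (tag, value, next_pos). Short-form and
    1-2 byte long-form lengths cover any v1/v2c message in one UDP datagram."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 2:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated SNMP message")
    return tag, buf[pos:pos + length], pos + length

def classify_snmp(payload: bytes) -> dict:
    """Return {"version", "community", "pdu"} for a v1/v2c SNMP payload."""
    tag, body, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    vtag, vval, pos = _tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(vval, "big")
    if version == 3:  # v3 carries msgGlobalData, not a community; not parsed here
        return {"version": "v3", "community": None, "pdu": None}
    ctag, cval, pos = _tlv(body, pos)
    if ctag != 0x04:
        raise ValueError("missing community OCTET STRING")
    ptag, _, _ = _tlv(body, pos)
    return {"version": VERSIONS.get(version, f"unknown({version})"),
            "community": cval.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(ptag, f"unknown(0x{ptag:02x})")}

def is_snmp_request(payload: bytes) -> bool:
    """True for polling requests (Get/GetNext/Set/GetBulk), not responses/traps."""
    return classify_snmp(payload)["pdu"] in REQUEST_PDUS

# Constructed sample (not from the thread): SNMPv2c GetRequest for sysDescr.0
SAMPLE_GET_REQUEST = bytes.fromhex(
    "3026 020101 0406 7075626c6963"         # SEQUENCE, version v2c, "public"
    "a019 020101 020100 020100"             # GetRequest PDU, request-id 1, no error
    "300e 300c 0608 2b06010201010100 0500"  # varbind list: sysDescr.0 = NULL
)
```

Feeding the UDP payload of each port-161 packet from a capture through `is_snmp_request` separates the workstation's polling requests from the replies that share the same port.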

I now only have one capture filter set up, SNMP - udp port 161. When I run Wireshark, it is capturing a ton of information.

vs2015sv ( 2020-04-23 18:34:07 +0000 )

Are you looking to refine the capture?

Chuckc ( 2020-04-23 19:21:47 +0000 )