tshark command to decode snmpv3 packets / traps

asked 2022-02-04 11:42:14 +0000 by tshoraff

updated 2022-02-04 11:44:48 +0000 by grahamb

I am running the below command, where I can see SNMP v3 traps getting received at the receiver end. But the problem is I am not able to decode and see the SNMP trap details / description.

[vagrant@osboxes ~]$ sudo tshark -f "udp port 162"
[sudo] password for vagrant:
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
  1 0.000000000 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  2 299.985368217 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  3 496.713126083 10.196.28.26 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  4 599.961958035 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  5 899.955601562 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  6 1199.988740264 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown

Please help me in getting the tshark command to decode SNMPv3 packets / traps.


Comments

The purpose of encryption in SNMPv3 is rather exactly to prevent what you try to do. But as indicated, if you have the SNMPv3 credentials you can get it done. But without it ....

hugo.vanderkooij (2022-02-04 12:53:31 +0000)

1 Answer


answered 2022-02-04 12:35:11 +0000

Jaap

You have to have set up a couple of configuration files, or rather UATs, for this. Easiest is to do that through Wireshark. They can be found under Name Resolution and the SNMP dissector preferences. Or you can use the UAT override option -o "uat:<UAT>:\" ... \"", see the manual.

The UATs are smi_paths, smi_modules and snmp_users.

The first one contains the path(s) to the MIB files,
The second one contains the names of the MIBs to load,
The third one contains the authentication and encryption information.

Once these are filled with the right information for your setup, in the right format, the PDUs can be decrypted and the contents parsed. As said, the format is written by Wireshark, so that is by far the easiest way to get started.


Comments

I am a developer and I need to look for the description part every time, so I need to decode and verify all types of traps are going and getting received properly or not.

I have all the credentials with me just that I need the exact command to see SNMP v3 UDP traps coming from specific IP and a specific port.

Can you please give me the tshark command to decode SNMP v3 traps by giving the credentials in it?

tshoraff (2022-02-04 13:05:56 +0000)
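The UAT-override route from the answer, spelled out as an added shell example; this is not code from the thread or from the Wireshark project. It assembles a tshark invocation that passes the SNMPv3 user through -o "uat:snmp_users:..." (plus smi_paths and smi_modules for MIB-based name resolution) and restricts the output to traps from one sender and one port, which is what the follow-up comment asks for. The "privKey Unknown" text in the capture above is what a matching snmp_users record clears up. Assumptions: the snmp_users field order (engine ID, user name, auth model, auth password, privacy protocol, privacy password), the protocol names SHA1 and AES, the MIB directory /usr/share/snmp/mibs, and every credential and address are constructed placeholders; the authoritative record format is whatever Wireshark writes to the snmp_users file in your profile directory once you add the user in the GUI, so compare against that file before relying on this.

```shell
#!/bin/sh
# Added example: build (and optionally run) a tshark command that supplies
# SNMPv3 credentials via -o UAT overrides so encryptedPDU traps are decrypted.
# Every value below is a constructed placeholder, not a real credential.

TRAP_SENDER="10.191.245.253"    # source IP seen in the capture in the question
TRAP_PORT="162"
CAP_IFACE="eth0"
MIB_DIR="/usr/share/snmp/mibs"  # assumed MIB location; needs a libsmi-enabled tshark
MIB_MODULE="SNMPv2-MIB"

# One snmp_users record: engine ID (empty = any engine), user name, auth model,
# auth password, privacy protocol, privacy password. The field order is an
# assumption taken from the snmp_users UAT; verify it against the snmp_users
# file that Wireshark writes in your profile directory.
snmp_users_override() {
    printf 'uat:snmp_users:"%s","%s","%s","%s","%s","%s"' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Single-field UATs: a directory holding MIB files, and a MIB module to load.
smi_paths_override()   { printf 'uat:smi_paths:"%s"' "$1"; }
smi_modules_override() { printf 'uat:smi_modules:"%s"' "$1"; }

# Display filter limiting output to traps from one sender to one UDP port.
trap_filter() {
    printf 'ip.src == %s && udp.dstport == %s' "$1" "$2"
}

# Print the complete command line. Each argument is single-quoted so the
# double quotes inside the UAT records survive the shell.
show_command() {
    printf "sudo tshark -i '%s' -f 'udp port %s' -Y '%s' -o '%s' -o '%s' -o '%s' -O snmp\n" \
        "$CAP_IFACE" "$TRAP_PORT" \
        "$(trap_filter "$TRAP_SENDER" "$TRAP_PORT")" \
        "$(snmp_users_override "" "monitoruser" "SHA1" "authpass123" "AES" "privpass123")" \
        "$(smi_paths_override "$MIB_DIR")" \
        "$(smi_modules_override "$MIB_MODULE")"
}

# Run the live capture with the same arguments; -O snmp prints the full
# decoded SNMP tree (trap OID and varbinds) and one-line summaries for the rest.
run_capture() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 127; }
    sudo tshark -i "$CAP_IFACE" -f "udp port $TRAP_PORT" \
        -Y "$(trap_filter "$TRAP_SENDER" "$TRAP_PORT")" \
        -o "$(snmp_users_override "" "monitoruser" "SHA1" "authpass123" "AES" "privpass123")" \
        -o "$(smi_paths_override "$MIB_DIR")" \
        -o "$(smi_modules_override "$MIB_MODULE")" \
        -O snmp
}

# By default only show the assembled command; set RUN_CAPTURE=1 to capture.
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    run_capture
else
    show_command
fi
```

To decode a saved trace instead of a live capture, replace -i eth0 -f 'udp port 162' with -r trap.pcap and keep the rest. If a trap still shows encryptedPDU after this, the user name, engine ID or passwords in the record do not match what the sender used, since the dissector derives the keys from exactly those values.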
