Wireshark mailing list archives
tshark: How to capture SNMP traps (UDP port 162) that might be fragmented?
From: Peter Valdemar Mørch <peter () morch com>
Date: Thu, 13 Dec 2012 10:13:30 +0100
We want to capture SNMP traps. The simple

    tshark -f 'port 162'

doesn't work if there are SNMP traps that are fragmented, because then we don't get all the fragments. I understand.

Wireshark now since rev 41216 saves all dependent packets too when one saves all packets according to the display filter [1] [2]. I've tried wireshark's version 1.8.2 and it works as described.

I therefore expected this to work for tshark 1.8.2 too:

    tshark -f udp -w alludp.pcap
    # wait for it, wait for it...
    tshark -r alludp.pcap -R snmp -w snmp.pcap

But it doesn't work. I only get one packet - it doesn't save all fragments.

Two questions:

1) Isn't the tshark command above the tshark equivalent of the same use case? I expected it to work similarly (and save all fragments, just like wireshark). Is there something wrong with my mental model / expectations? Is there some other way to achieve this?

2) Is there some other way to capture exactly SNMP traps (UDP port 162) including fragmented ones with tshark avoiding having to install and start up wireshark? We're on a headless/X-less system so for us tshark + screen is much more practical than wireshark will ever be.

1: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3315
2: http://anonsvn.wireshark.org/viewvc?revision=41216&view=revision

--
Peter Valdemar Mørch
http://www.morch.com
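The fragmentation problem described in the message above, as an added example that is not part of the original post and is not Wireshark code: only the first IPv4 fragment carries the UDP header, so a port test sees one packet per trap, and a second pass keyed on source, destination, protocol and IP ID is needed to recover the rest. The addresses, ports, payloads and function names are constructed for illustration.

```python
import struct

def udp(sport, dport, data):
    """UDP header (checksum left 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def fragment(src, dst, ident, datagram, step=1480):
    """Split one UDP datagram into IPv4 fragments (20-byte header, checksum 0)."""
    frags = []
    for off in range(0, len(datagram), step):
        chunk = datagram[off:off + step]
        more = 0x2000 if off + step < len(datagram) else 0   # MF flag
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          more | (off // 8), 64, 17, 0, bytes(src), bytes(dst))
        frags.append(hdr + chunk)
    return frags

def parse(pkt):
    """Return (datagram key, UDP ports or None when no UDP header is present)."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", pkt[4:8])
    key = (pkt[12:16], pkt[16:20], pkt[9], ident)   # src, dst, proto, IP ID
    first = (flags_off & 0x1FFF) == 0               # fragment offset 0
    ports = struct.unpack("!HH", pkt[ihl:ihl + 4]) if first and pkt[9] == 17 else None
    return key, ports

def port_match(pkts, port=162):
    """Packets a port test can match: only those carrying the UDP header."""
    return [p for p in pkts if port in (parse(p)[1] or ())]

def with_fragments(pkts, port=162):
    """Second pass: keep every fragment sharing a key with a port match."""
    wanted = {parse(p)[0] for p in port_match(pkts, port)}
    return [p for p in pkts if parse(p)[0] in wanted]

# Constructed sample traffic: a 3000-byte trap and unrelated fragmented UDP
# from another host that happens to reuse the same IP ID.
AGENT, NMS, OTHER = (192, 0, 2, 10), (192, 0, 2, 1), (192, 0, 2, 20)
TRAP = fragment(AGENT, NMS, 0x1234, udp(40000, 162, b"\x30" * 3000))
NOISE = fragment(OTHER, NMS, 0x1234, udp(40001, 514, b"x" * 2000))
CAPTURE = [TRAP[1], NOISE[0], TRAP[0], NOISE[1], TRAP[2]]  # out of order

if __name__ == "__main__":
    print(len(port_match(CAPTURE)), "of", len(TRAP), "trap fragments match the port test")
    print(len(with_fragments(CAPTURE)), "kept after grouping by src/dst/proto/IP ID")
```

Because the first fragment can arrive after later ones, the grouping pass runs over a capture of all UDP traffic rather than packet by packet.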