Wireshark mailing list archives
Re: tshark: How to capture SNMP traps (UDP port 162) that might be fragmented?
From: patrick () klos com
Date: Sat, 15 Dec 2012 20:55:46 GMT
Thank you for your reply. I can see that I have been a little unclear with my words. I'm fine with capturing more than SNMP. Hard disk space is cheap and even all UDP is manageable in size for us. I would just like to end up after post-processing with all SNMP traps including fragmented ones, using only TShark.

To this end, I tried your suggestion:

    tshark -2 -r unfiltered.pcap -R snmp -w snmp.pcap

To which I got: Segmentation fault (core dumped)

I've created a tiny .pcap file containing two frames - a single two-fragment SNMP trap - that also exhibits this. It is attached. Hope the mailing list allows attachments...

I'm just surprised it doesn't seem possible.

Again, thank you for your reply!

Peter
Hi Peter,

I don't know how to do this with Wireshark and/or tshark. I know our PacketView product can reassemble IP packets AND run filters on those reassembled packets, but it is a Windows app, and it looks like you want a command line app that runs on Linux?

I have been playing with libpcap on a NetBSD machine. It seems straightforward enough. If I were to write up a quick program to reassemble IP fragmented packets and then save only packets for UDP port 162 to a pcap file, would that do the job for you? Are there any other requirements you would ask of this tool?

Regards,
Patrick

========= For LAN/WAN Protocol Analysis, check out PacketView Pro! =========
Patrick Klos                           Email: patrick () klos com
Network/Embedded Software Engineer     Web:   http://www.klos.com/
Klos Technologies, Inc.                Phone: 603-471-2547
============================================================================
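A sketch of the post-processing step discussed in this thread, added here as an example; it is not code from either poster or from Wireshark. Instead of rebuilding the payload, it groups frames by the IPv4 reassembly key (source, destination, protocol, IP ID) and keeps every frame of a datagram whose first fragment carries UDP destination port 162. It assumes a classic little-endian pcap with untagged Ethernet frames; all function names and the sample capture are constructed for illustration.

```python
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # classic little-endian pcap file header
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def frames(pcap):
    """Yield (record_header, frame) pairs from an Ethernet pcap byte string."""
    pos = PCAP_HDR.size
    while pos + REC_HDR.size <= len(pcap):
        start = pos + REC_HDR.size
        end = start + REC_HDR.unpack_from(pcap, pos)[2]
        yield pcap[pos:start], pcap[start:end]
        pos = end

def ip_info(frame):
    """Return (reassembly key, fragment offset, UDP dport or None); None if not IPv4/UDP."""
    ip = frame[14:]
    if len(ip) < 20 or frame[12:14] != b"\x08\x00" or ip[0] >> 4 != 4 or ip[9] != 17:
        return None
    ihl = (ip[0] & 0x0F) * 4
    ident, flags_off = struct.unpack_from("!HH", ip, 4)
    offset = (flags_off & 0x1FFF) * 8
    dport = None
    if offset == 0 and len(ip) >= ihl + 4:  # only the first fragment has the UDP header
        dport = struct.unpack_from("!H", ip, ihl + 2)[0]
    return (ip[12:16], ip[16:20], ip[9], ident), offset, dport

def select_traps(pcap, port=162):
    """Two passes: find datagrams addressed to port, then keep all their frames in order."""
    parsed = [(rec, frm, ip_info(frm)) for rec, frm in frames(pcap)]
    wanted = {info[0] for _, _, info in parsed if info and info[2] == port}
    kept = [rec + frm for rec, frm, info in parsed if info and info[0] in wanted]
    return pcap[:PCAP_HDR.size] + b"".join(kept)

def _frame(ident, off, more, payload):  # builds one constructed sample frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                     (0x2000 if more else 0) | off // 8, 64, 17, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def _udp(dport, data):
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data

# Constructed sample: a two-fragment trap arriving out of order, plus a DNS datagram.
_trap = _udp(162, b"A" * 1572)
SAMPLE = PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    REC_HDR.pack(0, 0, len(f), len(f)) + f for f in (
        _frame(0x1234, 1480, False, _trap[1480:]),
        _frame(0x1234, 0, True, _trap[:1480]),
        _frame(0x9999, 0, False, _udp(53, b"x" * 20))))
```

The set of wanted keys covers the whole file, so an IP ID reused between the same two hosts later in a long capture can pull in unrelated fragments; restricting matches to a short time window around the first fragment tightens that.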