Wireshark mailing list archives

Re: tshark: How to capture SNMP traps (UDP port 162) that might be fragmented?


From: Sake Blok <sake () euronet nl>
Date: Sat, 15 Dec 2012 13:16:04 +0100

In case you have only fragments with snmp traps, you might want to capture all frames to/from port 162 and all 
fragments that have an offset not equal to 0. The only extra packets you will have in your trace will be fragments of 
packets that were not snmp traps. Which might not be too much noise :-)

You can use the following BPF filter for it:

ip and udp and (port 162 or ip[6:2] & 0x1fff != 0)

Cheers,
Sake



On 14 dec 2012, at 10:17, Peter Valdemar Mørch wrote:

Thank you for your reply.

I can see that I have been a little unclear with my words. I'm fine with capturing more than SNMP. Hard disk space is 
cheap and even all UDP is manageable in size for us. I would just like to end up after post-processing with all SNMP 
traps including fragmented ones, using only TShark.

To this end, I tried your suggestion:
tshark -2 -r unfiltered.pcap -R snmp -w snmp.pcap

To which I got:
Segmentation fault (core dumped)

I've created a tiny .pcap file containing two frames - a single two-fragment SNMP trap - that also exhibits this. It 
is attached. Hope the mailing list allows attachments...

I'm just surprised it doesn't seem possible.

Again, thank you for your reply!

Peter

tshark -v
TShark 1.8.2

Copyright 1998-2012 Gerald Combs <gerald () wireshark org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.34.0, with libpcap, with libz 1.2.7, with POSIX
capabilities (Linux), with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without
Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP.

Running on Linux 3.5.0-17-generic, with locale en_US.UTF-8, with libpcap version
1.3.0, with libz 1.2.7.

Built using gcc 4.7.2.
-- 
Peter Valdemar Mørch
http://www.morch.com
<linkDownFragmented.pcap>
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe

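The filter in the reply above works because libpcap's `port 162` test is only evaluated on first fragments (the only ones carrying a UDP header), while `ip[6:2] & 0x1fff != 0` admits every later fragment regardless of port. The following is an added example, not code from the thread or from Wireshark: it builds constructed IPv4 fragments in pure Python, applies the same selection logic the BPF expression expresses, and then reassembles what was kept, showing both the trap surviving and the "noise" tail fragment of a non-trap packet failing to reassemble. Addresses, IP IDs, port numbers and payload bytes are made up for the demonstration and the payload is a placeholder rather than a BER-encoded trap.

```python
"""Model of  ip and udp and (port 162 or ip[6:2] & 0x1fff != 0)
over constructed IPv4 fragments, followed by reassembly.  Pure stdlib,
no libpcap or tshark.  All addresses, IDs and payloads are constructed."""
import socket
import struct

IPPROTO_UDP = 17
SNMP_TRAP_PORT = 162


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_fragments(src, dst, ident, sport, dport, payload, mtu=576):
    """Wrap payload in a UDP header and split the datagram into IPv4
    fragments fitting the MTU.  Only the first fragment carries the UDP
    header, which is why 'udp port 162' alone misses the rest."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    per_frag = (mtu - 20) // 8 * 8            # fragment data is a multiple of 8
    frames, offset = [], 0
    while offset < len(udp):
        chunk = udp[offset:offset + per_frag]
        more = offset + len(chunk) < len(udp)
        flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF bit | offset/8
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_frag, 64, IPPROTO_UDP, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
        frames.append(hdr + chunk)
        offset += len(chunk)
    return frames


def parse_frame(frame: bytes) -> dict:
    """Decode the IPv4 header; UDP ports are only visible when offset == 0."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    data = frame[(ver_ihl & 0x0F) * 4:total_len]
    info = {"src": src, "dst": dst, "ident": ident, "proto": proto,
            "frag_offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & 0x2000),
            "sport": None, "dport": None, "data": data}
    if proto == IPPROTO_UDP and info["frag_offset"] == 0 and len(data) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", data[:4])
    return info


def bpf_match(frame: bytes) -> bool:
    """Same decision libpcap makes for the filter: 'port' is tested only on
    first fragments; later fragments pass purely on their non-zero offset."""
    p = parse_frame(frame)
    if p["proto"] != IPPROTO_UDP:
        return False
    if p["frag_offset"] != 0:
        return True
    return SNMP_TRAP_PORT in (p["sport"], p["dport"])


def reassemble(frames) -> dict:
    """Rebuild complete UDP datagrams keyed by (src, dst, ident).  Sets with
    a hole (the 'noise' tails of non-trap packets) are dropped, not truncated."""
    groups = {}
    for f in frames:
        p = parse_frame(f)
        groups.setdefault((p["src"], p["dst"], p["ident"]), []).append(p)
    out = {}
    for key, parts in groups.items():
        parts.sort(key=lambda p: p["frag_offset"])
        buf, expect = b"", 0
        for p in parts:
            if p["frag_offset"] != expect:
                break                      # hole: a fragment was never captured
            buf += p["data"]
            expect += len(p["data"])
        else:
            if not parts[-1]["more"]:      # final piece present: datagram whole
                out[key] = buf
    return out


def build_sample_capture():
    """Constructed traffic: a fragmented trap, a fragmented non-trap UDP
    packet, and an unfragmented SNMP get.  Returns (frames, trap_payload)."""
    trap_payload = bytes(range(256)) * 2 + b"TRAP" * 47    # 700 bytes, stand-in for BER
    frames = []
    frames += build_fragments("10.0.0.5", "10.0.0.1", 0x1234, 1024, 162, trap_payload)
    frames += build_fragments("10.0.0.5", "10.0.0.2", 0x1235, 40000, 53, b"D" * 700)
    frames += build_fragments("10.0.0.5", "10.0.0.3", 0x1236, 40001, 161, b"G" * 100)
    return frames, trap_payload


if __name__ == "__main__":
    frames, trap_payload = build_sample_capture()
    kept = [f for f in frames if bpf_match(f)]
    print("filter kept %d of %d frames" % (len(kept), len(frames)))
    for dgram in reassemble(kept).values():
        print("reassembled %d-byte datagram to port %d, payload intact: %s"
              % (len(dgram), struct.unpack("!H", dgram[2:4])[0],
                 dgram[8:] == trap_payload))
```

Of the five constructed frames the filter keeps three: both trap fragments plus the second fragment of the port-53 packet. Reassembly recovers only the trap, because the stray port-53 tail has no first fragment to attach to; that is the post-capture cleanup step the reply's "noise" remark implies, and it is the same reason a display filter such as `snmp` can only be applied once the fragments are reassembled.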