Wireshark mailing list archives
Re: Malformed Packet - SNMP Trap
From: Rexford Park <rex.park () me com>
Date: Fri, 15 Nov 2013 21:50:05 +0000 (GMT)
Thanks for the tip Patrick. I just finished a major rewrite of the library to support both forms of BER length encoding. Now everything is working well.

On Aug 29, 2013, at 07:47 PM, Patrick Klos <patrick () klos com> wrote:

> Rexford Park wrote:
>> I've been working on an SNMP v2c Agent library for the Arduino platform and hit a bit of a roadblock. So far the library works fine on messages that are under 172 bytes long. Once the messages hit 172 bytes they aren't picked up by SNMP Managers and Wireshark lists them as Malformed Packets.
>>
>> I'm hoping I can find someone here that is more familiar with SNMP and can help me figure out what exactly is wrong with the packet so that I can dig into my code and fix the issue. Is there a way to get Wireshark to tell me where the packet has failed?
>>
>> Wireshark Output of a malformed trap:
>>
>> 0000 a8 20 66 28 f1 69 de ad be ef fe ee 08 00 45 00
>> 0010 00 9e 00 03 40 00 80 11 e3 8e 0a 23 01 3d 0a 23
>> 0020 01 3b 00 a1 00 a2 00 8a 75 15
>
> Standard UDP/IP packet so far.
>
>> 0020 30 80
>
> According to BER rules, the basic SNMP encapsulation includes a tag, length and value. This tag is 0x30, which is a 'sequence'. The length of the value is 128 bytes, which is indeed 0x80 hex. But encoding the length in BER requires that values above 127 use a multi-byte form where the first byte has the high bit set (to indicate multi-byte encoding) and the low 7 bits indicate the length of the value. To encode the value of 128, you would encode it in 2 bytes as this:
>
> 81 80
>
>> 0020 02 01 01 04
>> 0030 06 70 75 62 6c 69 63 a7 73 02 04 00 00 00 02 02
>> 0040 01 00 02 01 00 30 65 30 10 06 08 2b 06 01 02 01
>> 0050 01 03 00 43 04 00 00 09 c5 30 19 06 0a 2b 06 01
>> 0060 06 03 01 01 04 01 00 06 0b 2b 06 01 04 01 82 99
>> 0070 3b 01 00 01 30 10 06 0b 2b 06 01 04 01 82 99 3b
>> 0080 01 01 01 02 01 16 30 24 06 0b 2b 06 01 04 01 82
>> 0090 99 3b 01 01 02 04 15 31 32 33 34 35 36 37 38 39
>> 00a0 30 31 32 33 34 35 36 37 38 39 30 31
>>
>> Thanks
>
> Other than that, the rest of the packet looks fine to me.
>
> So, your Arduino's SNMP library needs a little work on its BER encoding of lengths. (just change the '30 80' at the beginning of the SNMP data to '30 81 80' and the packet would be OK)
>
> Good luck! Let us know how you make out?
>
> Patrick
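As an added example (not code from this thread or from the Arduino library it discusses), here is a minimal C encoder and decoder for BER definite lengths covering both the short and long forms; the names ber_put_len and ber_get_len are hypothetical. The decoder also rejects a lone 0x80 length octet, which BER reserves for the indefinite form, and any declared length that runs past the received buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Encode len as a BER definite length into out (up to 5 bytes for a
 * 32-bit length). Returns the number of bytes written. */
size_t ber_put_len(uint8_t *out, uint32_t len)
{
    if (len < 0x80) {                 /* short form: one octet, high bit clear */
        out[0] = (uint8_t)len;
        return 1;
    }
    size_t n = 0;                     /* long form: count significant octets */
    for (uint32_t v = len; v != 0; v >>= 8)
        n++;
    out[0] = (uint8_t)(0x80 | n);     /* high bit set, low 7 bits = octet count */
    for (size_t i = 0; i < n; i++)    /* length value, big-endian */
        out[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}

/* Decode the length field at in[0..avail), where avail is every byte left
 * in the datagram after the tag. Returns the size of the length field, or
 * -1 for truncated input, a bare 0x80 (indefinite form), a length wider
 * than 32 bits, or a declared length that overruns the buffer. */
int ber_get_len(const uint8_t *in, size_t avail, uint32_t *len)
{
    if (avail == 0) return -1;
    size_t n = 0;                     /* extra length octets (long form) */
    uint32_t v = in[0];
    if (in[0] & 0x80) {
        n = in[0] & 0x7f;
        if (n == 0 || n > 4 || n >= avail) return -1;
        v = 0;
        for (size_t i = 1; i <= n; i++)
            v = (v << 8) | in[i];
    }
    if (v > avail - 1 - n) return -1; /* value would run past the buffer */
    *len = v;
    return (int)(1 + n);
}

int main(void)
{
    uint8_t buf[5];
    size_t n = ber_put_len(buf, 128); /* the sequence length from the thread */
    for (size_t i = 0; i < n; i++) printf("%02x ", buf[i]);
    printf("\n");
    return 0;
}
```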