Capture SNMP


Hello,

I was notified that one of my computers has been sending SNMP requests to devices across the network. I am looking to capture the SNMP requests sent from one of my workstations, but I just can't seem to figure out how to configure Wireshark to only give me this specific information.

Any help would be appreciated.

Thank you

vs2015sv asked 2020-04-23 17:28:22 +0000

Comments

Start with UDP port 161 (sometimes UDP 8161).

Chuckc (2020-04-23 17:35:20 +0000)

I opened up "capture filters" and removed all filters. I created two filters - udp port 161 and udp port 162. Not seeing anything being captured at this time, but it may happen at a scheduled task.

I believe this is how I should configure Wireshark?

vs2015sv (2020-04-23 17:38:27 +0000)

"SNMP requests" are going to be 161 or some other custom port.
Port 162 is usually SNMP traps (alert messages).

Are the packets making it to your capture machine?
Examples here

Chuckc (2020-04-23 17:43:31 +0000)
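To make concrete what the filters discussed in this thread actually select, here is an added example (not code from the thread, the poster, or the Wireshark project). It builds the capture filter and the display filter for "SNMP requests sent by one workstation", then decodes a few hand-constructed SNMPv2c packets to show that a capture filter of udp port 161 on its own also admits every agent's response back to the workstation, and even the workstation's own replies if it runs an agent, which is why the refined filter pins the source host and the destination port. The 192.0.2.x addresses, the ports, and the packet bytes are constructed for this example; SNMPv3 messages are rejected on purpose because their header layout differs from the v1/v2c community header.

```python
"""Added example: what "udp port 161" catches versus "SNMP requests from host X".

All packets and addresses below are constructed for illustration; the BER
encoding is written by hand and parsed by the minimal decoder in this file.
"""
import ipaddress

PDU_TYPES = {0xA0: "get-request", 0xA1: "get-next-request", 0xA2: "get-response",
             0xA3: "set-request", 0xA4: "trap-v1", 0xA5: "get-bulk-request",
             0xA6: "inform-request", 0xA7: "trap-v2", 0xA8: "report"}
REQUEST_PDUS = {"get-request", "get-next-request", "set-request", "get-bulk-request"}
VERSIONS = {0: "v1", 1: "v2c"}


def capture_filter(workstation_ip, ports=(161,)):
    """BPF capture filter keeping only requests *sent by* the workstation.

    Plain "udp port 161" also matches agents' replies (src port 161) and the
    workstation's own replies if it runs an agent; "src host" + "udp dst port" do not.
    """
    ipaddress.ip_address(workstation_ip)  # reject a mistyped address before dumpcap does
    port_expr = " or ".join(f"udp dst port {p}" for p in ports)
    return f"src host {workstation_ip} and ({port_expr})"


def display_filter(workstation_ip, ports=(161,)):
    """Equivalent Wireshark display filter, applied after capturing everything."""
    port_expr = " || ".join(f"udp.dstport == {p}" for p in ports)
    return f"snmp && ip.src == {workstation_ip} && ({port_expr})"


def _tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos] -> (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def _sequence(buf):
    """All TLVs directly inside a constructed (SEQUENCE / PDU) element."""
    items, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        items.append((tag, val))
    return items


def decode_oid(raw):
    """BER OBJECT IDENTIFIER content octets -> dotted string."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128, high bit set = more octets follow
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def parse_snmp(payload):
    """Return version, community, PDU type and OIDs of an SNMPv1/v2c UDP payload."""
    tag, body, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    items = _sequence(body)
    version = int.from_bytes(items[0][1], "big")
    if version == 3:
        raise ValueError("SNMPv3: header is msgGlobalData, not a community; not parsed here")
    (_, community), (pdu_tag, pdu) = items[1:3]
    if pdu_tag not in PDU_TYPES:
        raise ValueError(f"unknown PDU tag {pdu_tag:#x}")
    kind = PDU_TYPES[pdu_tag]
    result = {"version": VERSIONS.get(version, f"unknown({version})"),
              "community": community.decode("latin-1"), "pdu": kind, "oids": []}
    if kind == "trap-v1":                   # v1 Trap-PDU has a different field layout; stop here
        return result
    fields = _sequence(pdu)                 # request-id, error-status, error-index, varbind list
    result["request_id"] = int.from_bytes(fields[0][1], "big", signed=True)
    result["oids"] = [decode_oid(_sequence(vb)[0][1]) for _, vb in _sequence(fields[3][1])]
    return result


# Constructed SNMPv2c messages, community "public", OID sysDescr.0 (1.3.6.1.2.1.1.1.0).
GET_REQ = bytes.fromhex(
    "3029 020101 0406 7075626c6963"                      # SEQUENCE { version v2c, "public",
    "a01c 0204 00000001 020100 020100"                   #   GetRequest { id 1, err 0, idx 0,
    "300e 300c 0608 2b06010201010100 0500")              #     [ sysDescr.0 = NULL ] } }
GET_RESP = bytes.fromhex(
    "302c 020101 0406 7075626c6963"
    "a21f 0204 00000001 020100 020100"                   #   GetResponse { ...,
    "3011 300f 0608 2b06010201010100 0403 616263")       #     [ sysDescr.0 = "abc" ] } }
TRAP_V2 = GET_REQ[:13] + b"\xa7" + GET_REQ[14:]         # same layout, PDU tag 0xA7 (SNMPv2-Trap)

WORKSTATION, AGENT, OTHER_NMS = "192.0.2.10", "192.0.2.50", "192.0.2.77"
# (src_ip, dst_ip, src_port, dst_port, udp_payload), constructed sample traffic
PACKETS = [
    (WORKSTATION, AGENT, 49152, 161, GET_REQ),    # the poll the OP wants to see
    (AGENT, WORKSTATION, 161, 49152, GET_RESP),   # reply: also matched by "udp port 161"
    (AGENT, WORKSTATION, 50000, 162, TRAP_V2),    # trap: never on port 161
    (WORKSTATION, OTHER_NMS, 161, 51000, GET_RESP),  # workstation's own agent answering a poll
]


def matched_by_port_only(packets, port=161):
    """What a bare "udp port 161" capture filter admits: both directions."""
    return [p for p in packets if port in (p[2], p[3])]


def snmp_requests_from(packets, workstation_ip, ports=(161,)):
    """Apply the refined filter, then confirm each hit by decoding the PDU type."""
    hits = []
    for src, dst, _sport, dport, payload in packets:
        if src != workstation_ip or dport not in ports:
            continue                        # dropped by "src host ... and udp dst port ..."
        msg = parse_snmp(payload)
        if msg["pdu"] in REQUEST_PDUS:      # only decoding the PDU tells request from response
            hits.append((dst, dport, msg))
    return hits


if __name__ == "__main__":
    print(capture_filter(WORKSTATION, (161, 8161)))
    print(display_filter(WORKSTATION))
    print(len(matched_by_port_only(PACKETS)), "packets match udp port 161")
    for dst, dport, msg in snmp_requests_from(PACKETS, WORKSTATION):
        print(f"{WORKSTATION} -> {dst}:{dport} {msg['pdu']} {msg['oids']}")
```

Run it once against the constructed packets to see the difference: three of the four match udp port 161, but only one is a request sent by the workstation. In a live capture, the same refinement is the filter string printed on the first line, and the display filter on the second line gives the same view after the fact if you captured without a filter.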

I now only have one capture filter set up, SNMP - udp port 161. When I run Wireshark, it is capturing a ton of information.

vs2015sv (2020-04-23 18:34:07 +0000)

Are you looking to refine the capture?

Chuckc (2020-04-23 19:21:47 +0000)