tshark command to decode snmpv3 packets / traps


I am running the below command where I can see SNMP v3 traps getting received at the receiver end. But the problem is I am not able to decode and see the SNMP trap details / description.

[vagrant@osboxes ~]$ sudo tshark -f "udp port 162"
[sudo] password for vagrant:
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
  1 0.000000000 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  2 299.985368217 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  3 496.713126083 10.196.28.26 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  4 599.961958035 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  5 899.955601562 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown
  6 1199.988740264 10.191.245.253 -> 10.75.234.94 SNMP 550 encryptedPDU: privKey Unknown

Please help me in getting the tshark command to decode SNMPv3 packets / traps.

tshoraff asked 2022-02-04 11:42:14 +0000; updated by grahamb 2022-02-04 11:44:48 +0000

Comments

The purpose of encryption in SNMPv3 is rather exactly to prevent what you try to do. But as indicated, if you have the SNMPv3 credentials you can get it done. But without it ....

hugo.vanderkooij (2022-02-04 12:53:31 +0000)

1 Answer


You have to have set up a couple of configuration files, or rather UAT's, for this. Easiest to do that through Wireshark. They can be found under Name Resolution, and the SNMP dissector preferences. Or you can use the UAT override option -o "uat:<UAT>:\" ... \"", see the manual.

The UAT's are smi_paths, smi_modules and snmp_users:

The first one contains the path(s) to the MIB files,
The second one contains the names of the MIBs to load,
The third one contains the authentication and encryption information.

Once these are filled with the right information for your setup, in the right format, the PDU's can be decrypted and the contents parsed. As said, the format is written by Wireshark, so that is by far the easiest way to get started.

Jaap answered 2022-02-04 12:35:11 +0000
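The answer names the three UATs but not how they look on a tshark command line. The script below is an added example, not code from the thread or from the Wireshark project: it assembles the `-o uat:...` overrides for smi_paths, smi_modules and snmp_users, checks that the auth/priv protocol names are ones the snmp_users UAT accepts, and runs tshark against the trap sender seen in the question's capture. The MIB directory, module name, user name and both passphrases are constructed placeholders. Loading MIBs through smi_paths/smi_modules only has an effect in a Wireshark build with libsmi support; decryption via snmp_users works without it.

```shell
#!/bin/sh
# Added example (not from the original thread): build and run a tshark command
# that decrypts SNMPv3 traps using the smi_paths, smi_modules and snmp_users
# UATs passed with -o. Every credential and path below is a placeholder.

MIB_DIR="/usr/share/snmp/mibs"   # assumed directory holding your MIB files
MIB_MODULE="SNMPv2-MIB"          # assumed MIB module to load
ENGINE_ID=""                     # empty = match this user on any engine ID
SNMP_USER="trapuser"             # constructed USM user name
AUTH_PROTO="SHA1"                # MD5 or SHA1
AUTH_PASS="auth-pass-placeholder"
PRIV_PROTO="AES"                 # DES or AES (newer builds also take AES192/AES256)
PRIV_PASS="priv-pass-placeholder"
TRAP_SENDER="10.191.245.253"     # sender shown in the question's capture
TRAP_PORT="162"

# Reject protocol names the snmp_users UAT does not know. A record that does
# not match the sender's user leaves tshark printing "encryptedPDU: privKey
# Unknown" exactly as in the question, so this is the first thing to verify.
check_protocols() {
    case "$1" in MD5|SHA1) ;; *) return 1 ;; esac
    case "$2" in DES|AES|AES192|AES256) ;; *) return 1 ;; esac
    return 0
}

# One snmp_users record: six double-quoted, comma-separated fields in the
# order engine ID, user, auth protocol, auth pass, priv protocol, priv pass.
snmp_users_record() {
    printf '"%s","%s","%s","%s","%s","%s"' \
        "$ENGINE_ID" "$SNMP_USER" "$AUTH_PROTO" "$AUTH_PASS" "$PRIV_PROTO" "$PRIV_PASS"
}

# Print the full command one argument per line so it can be inspected before
# anything runs. The inner double quotes are part of the UAT syntax; when typed
# at a shell prompt each -o value must be wrapped in single quotes to keep them.
build_command() {
    check_protocols "$AUTH_PROTO" "$PRIV_PROTO" || {
        echo "unsupported auth/priv protocol" >&2; return 1; }
    printf '%s\n' \
        "tshark" \
        "-o uat:smi_paths:\"$MIB_DIR\"" \
        "-o uat:smi_modules:\"$MIB_MODULE\"" \
        "-o uat:snmp_users:$(snmp_users_record)" \
        "-f udp port $TRAP_PORT and src host $TRAP_SENDER" \
        "-V"
}

# Live capture with the same overrides; -V prints the decrypted varbinds.
run_capture() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not installed" >&2; return 1; }
    check_protocols "$AUTH_PROTO" "$PRIV_PROTO" || return 1
    sudo tshark \
        -o "uat:smi_paths:\"$MIB_DIR\"" \
        -o "uat:smi_modules:\"$MIB_MODULE\"" \
        -o "uat:snmp_users:$(snmp_users_record)" \
        -f "udp port $TRAP_PORT and src host $TRAP_SENDER" \
        -V
}

# Usage: build_command to review the arguments, run_capture to start decoding.
```

Once the snmp_users record matches the trap sender, the summary line changes from "encryptedPDU: privKey Unknown" to the trap's OID and varbinds; if it does not, check the engine ID, user name and protocol names in that order, since a wrong passphrase and a wrong user look identical from the capture side.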

Comments

I am a developer and I need to look for the description part every time, so I need to decode and verify all types of traps are going and getting received properly or not.

I have all the credentials with me just that I need the exact command to see SNMP v3 UDP traps coming from specific IP and a specific port.

Can you please give me the tshark command to decode SNMP v3 traps by giving the credentials in it?

tshoraff (2022-02-04 13:05:56 +0000)
