SNMP is BER encoded.
That means it is Tag,Length,Value encoded.
The first byte, 0x30, is the TAG. It is encoded as follows:
The first two bits specify the tag class: 0 == universal.
The next bit specifies whether the type is constructed or a primitive type;
you can probably ignore this field.
The last 5 bits are the tag type == 16.
So 0x30 means Universal tag # 16, which is a SEQUENCE or, in C-speak, a struct.
Then follows the length of this field, 0x43 bytes of data,
followed by the value of the data.
For other ASN.1/BER protocols (SNMP has not been converted yet) you
can enable Menu:Edit/Preferences/Protocols/BER and enable the
dissectors to show you the decode of the TAG and LENGTH bytes as well
as the data.
Google for a BER tutorial; it is pretty simple for most non-telco
based protocols, which don't use the more advanced types of ASN.1
constructs.
Apart from BER there are two other very similar encodings, DER and CER.
In fact, if you only look at packets and do not
plan to create packets yourself, you can ignore DER and CER
completely since they only apply to the encoding phase.
The fourth ASN.1 encoding, PER, which is used for things like VoIP, is
completely different and has a completely different structure and
method of encoding.
You don't want to decode PER by hand or even look at the hex data for PER.
On 7/19/05, Jose Vicente Quinto <joe.v.r.quinto@xxxxxxxxxxxxxxxxx> wrote:
> Hello everyone,
>
> Good day.
>
> I have an SNMP GET-Request PDU here with two Object IDs, the start of
> the SNMP packet is at row '0020' from the sequence '30 43 02 ...' up to
> the end ('... 08 01 05 00').
>
> 0000 00 50 81 20 00 00 00 0b db 80 e0 56 08 00 45 00 .P. .......V..E.
> 0010 00 61 88 7c 00 00 80 11 00 00 c8 01 1f 8c c8 01 .a.|............
> 0020 1f 23 0a 86 00 a1 00 4d 19 f7 30 43 02 01 00 04 .#.....M..0C....
> 0030 06 70 75 62 6c 69 63 a0 36 02 02 60 5d 02 01 00 .public.6..`]...
> 0040 02 01 00 30 2a 30 13 06 0f 2b 06 01 04 01 0b 02 ...0*0...+......
> 0050 0e 0b 01 03 01 01 09 01 05 00 30 13 06 0f 2b 06 ..........0...+.
> 0060 01 04 01 0b 02 0e 0b 01 03 01 01 08 01 05 00 ...............
>
> Can anyone explain to me what are the purpose of the initial values before
> the actual ObjectID (before '2b 06 01 ... 01 05 00')?
>
> Is it correct that "43" in the first 2 bytes -- '30 43', the '43' (decimal 67)
> is the length of the whole SNMP data received that must be decoded, parsed
> then encoded again for the sending of the RESPONSE PDU? After '30 43',
> I counted that there are 67 bytes total up to the end of the SNMP packet.
>
> Hoping for your reply as soon as you can.
>
> Thanks in advance.
>
> Regards,
> Jovic
>
>
> --
> Jose Vicente Quinto <joe.v.r.quinto@xxxxxxxxxxxxxxxxx>
> ADTX Systems, Inc.
>