Ethereal-users: [Ethereal-users] RE: Viewing 64bit counters in an ethereal capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Dhanak, Vipul (Vip)" <vip@xxxxxxxxxx>
Date: Mon, 24 Jul 2006 17:44:00 -0400
Maybe I spoke too soon :)  In the previous capture, I had targeted just one single 64bit Counter OID, and it appeared to work fine.  

However, if I walk the ifXTable as a whole, while trying to get multiple OIDs in a single PDU, Wireshark no longer works as expected.  The OIDs after ifHcInOctets don't show up at all, and the value shows up garbled.

The result looks like this:

Simple Network Management Protocol
    Version: 1 (0)
    Community: public
    PDU type: RESPONSE (2)
    Request Id: 0x000000a7
    Error Status: NO ERROR (0)
    Error Index: 0
    Object identifier 1: 1.3.6.1.2.1.31.1.1.1.1.26 (IF-MIB::ifName.26)
    Value: STRING: at-0/0/1
    Object identifier 2: 1.3.6.1.2.1.31.1.1.1.2.26 (IF-MIB::ifInMulticastPkts.26)
    Value: Counter32: 0
    Object identifier 3: 1.3.6.1.2.1.31.1.1.1.3.26 (IF-MIB::ifInBroadcastPkts.26)
    Value: Counter32: 0
    Object identifier 4: 1.3.6.1.2.1.31.1.1.1.4.26 (IF-MIB::ifOutMulticastPkts.26)
    Value: Counter32: 0
    Object identifier 5: 1.3.6.1.2.1.31.1.1.1.5.26 (IF-MIB::ifOutBroadcastPkts.26)
    Value: Counter32: 0
    Object identifier 6: 1.3.6.1.2.1.31.1.1.1.6.26 (IF-MIB::ifHCInOctets.26)
    Value : 0x02347f5bda4c3013060b2b060102011f010101071a46046f299f153010060b2b060102011f010101081a4601003010060b2b060102011f010101091a4601003015060b2b060102011f0101010a1a46060233ee8996203013060b2b060102011f0101010b1a46046f0d1ab83010060b2b06010

When I walked just the ifHcInOctets.26, the resultant value was fine.  

Wireshark 0.99.2 produces incorrect results as well, plus I lose the ability to run filters such as: snmp.oid == "IF-MIB::ifHCInOctets.26", which work fine with Wireshark 0.99.1Pre1 but show up as invalid with the newer build.

Is there anything I can do (config-wise) that might help correct how the 64bit counters show up?

Thanks.

Vip 

-----Original Message-----
From: Dhanak, Vipul (Vip) 
Sent: Wednesday, June 28, 2006 5:01 PM
To: Ethereal user support
Cc: 'ronnie sahlberg'
Subject: RE: Viewing 64bit counters in an ethereal capture

I installed Wireshark 0.99.1pre1 and tried opening my old packet capture.

The values there came up garbled, as follows:

    Object identifier 6: 1.3.6.1.2.1.31.1.1.1.6.86 (IF-MIB::ifHCInOctets.86)
    Value : 0x2578d9103013060b2b060102011f0101010756460400b87a543010060b2b060102011f01010108564601003010060b2b060102011f01010109564601003014060b2b060102011f0101010a564605787de4595c3014060b2b060102011f0101010b564605025130b2f33010060b2b060102011

However, I ran a new capture session using Wireshark and the 64bit results look fine now, and match what's returned by the snmp tool.  

    Object identifier 1: 1.3.6.1.2.1.31.1.1.1.6.86 (IF-MIB::ifHCInOctets.86)
    Value: 34461959

Thanks for your help! :)

Vip 

-----Original Message-----
From: ronnie sahlberg [mailto:ronniesahlberg@xxxxxxxxx] 
Sent: Wednesday, June 28, 2006 4:32 PM
To: Ethereal user support
Cc: vip@xxxxxxxxxx
Subject: Re: Viewing 64bit counters in an ethereal capture

Please try the latest version of Wireshark.

There have been fixes in Wireshark for 64 bit integers/counters.



On 6/28/06, Dhanak, Vipul (Vip) <vip@xxxxxxxxxx> wrote:
> I'm currently using Ethereal 0.10.14 to try and capture some SNMP traffic
> from a Cisco 7x00 switch for analysis.  I'm primarily interested in the
> stats reported in the ifXentry table (1.3.6.1.2.1.31.1.1.1) which
> contains 64bit counters.
>
> The capture appears to happen as expected but the results I see in the
> output of the snmpget command are different than the value shown in Ethereal.
> For example, during one of the polls the value shown from snmpget was
> (counter64) 2934035119 whereas Ethereal shows Value: Counter64:
> 15195617933287765935.
>
> Subsequent snmpget's of the counter show increasing values in my snmpget
> tool whereas the values seen within Ethereal don't seem to show this
> pattern, and often go down before going up during the next poll.
>
> Is this the expected behavior?  i.e. do I need to do some conversion to the
> value shown in Ethereal in order to get the correct result?  I've tried
> reverting back to older versions of Ethereal but the results remain the
> same.
>
> Any help with troubleshooting (or explaining this behavior) would be much
> appreciated.
>
> Regards.
>
> Vip.
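
Read as BER, the garbled "Value :" hex in the 24 Jul 2006 message is a 6-byte counter followed by complete varbinds for ifXTable columns 7 through 11, each a Counter64 with a variable-length value. The following is an added example, not part of the original thread and not Wireshark code; taking the first 6 bytes as the counter content is an assumption, supported only by the remainder parsing cleanly.

```python
# Added example: minimal BER walk over SNMP varbinds. BLOB is the "Value :" hex
# shown for ifHCInOctets.26 above, cut at the last complete varbind.
BLOB = bytes.fromhex(
    "02347f5bda4c"
    "3013060b2b060102011f010101071a46046f299f15"
    "3010060b2b060102011f010101081a460100"
    "3010060b2b060102011f010101091a460100"
    "3015060b2b060102011f0101010a1a46060233ee899620"
    "3013060b2b060102011f0101010b1a46046f0d1ab8"
)
COUNTER64 = 0x46  # [APPLICATION 6] in SMIv2 (RFC 2578)

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode BER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends a base-128 sub-identifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_varbinds(buf):
    """Parse back-to-back varbind SEQUENCEs into (oid, tag, int value) tuples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag != 0x30:
            raise ValueError(f"expected SEQUENCE, got 0x{tag:02x}")
        _, oid, p = read_tlv(body, 0)
        vtag, val, _ = read_tlv(body, p)
        out.append((decode_oid(oid), vtag, int.from_bytes(val, "big")))
    return out

# Assumption: the first 6 bytes are the counter's own content; the remainder
# then parses as the varbinds that were missing from the display.
IN_OCTETS = int.from_bytes(BLOB[:6], "big")
TRAILING = parse_varbinds(BLOB[6:])
```

The Counter64 values here occupy 1, 4 or 6 content bytes, so a decoder has to honour the length octet of each value rather than assume a fixed 8 bytes.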