Wireshark-users: Re: [Wireshark-users] filter SNMP traps on enterprise
Date: Wed, 22 Jul 2009 19:55:57 +0200
Hi Tony,

Please see my previous post:
http://www.wireshark.org/lists/wireshark-users/200907/msg00175.html

You can also use:
$ tshark -r 20080512161200.pcap  -R "snmp.name contains 1.3.6.1.4.1" -T fields
-e snmp.name | sort | uniq
1.3.6.1.4.1.6247.4.8.5.13.0
1.3.6.1.4.1.6247.4.9.2.1.16.2
1.3.6.1.4.1.6247.4.9.2.1.16.3

$ tshark -r 20080512161200.pcap -R "snmp.name contains 1.3.6.1.4.1.6247.4.9.2.1.7.2"
-T fields -e snmp.name | sort | uniq
1.3.6.1.4.1.6247.4.9.2.1.16.2

HTH
Joan

On Wed, 22 Jul 2009 16:13:17 +0100 Tony Barratt wrote:
>Hello List,
>
>I have just installed wireshark 1.2.1 on Windows and I want to use it to
>
>analyze some SNMP traps collect on a linux box with tcpdump,
>using tcpdump -nnvvXSs 1514 -i eth0 -C 15 udp and port 162 -w bert.cap.

>If I understand correctly from using google this will allow for trap 
>analysis.
>
>Have now loaded a 10 min capture file into wireshark, There are over 100
>
>000 packets within.
>I need to filter stuff out but the source is always the same because the
>
>traps arrive via a trap forwarder.
>One trap I am very interested in is  demandNbrCallDetails or because I 
>dont have the mibs loaded 1.3.6.1.4.1.9.9.26.2.0.4.
>
>Can someone please tell me if I can look inside the trap and  filter on

>say the enterprise ( 1.3.6.1.3.1.1.5 for example)
>or the agent-addr (196.168.12.12 for example) ?
>
>Thanks v much in advance
>
>Tony