Wireshark-users: Re: [Wireshark-users] e: filter SNMP traps on enterprise
From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Wed, 22 Jul 2009 23:25:51 +0200
yes, you can use "snmp.name contains 1.3.6.1.4.1" as a display filter within Wireshark too :-)
 
Cheers,
 
 
Sake
----- Original Message -----
Sent: Wednesday, July 22, 2009 11:10 PM
Subject: [Wireshark-users] e: filter SNMP traps on enterprise

Hi,

Thanks for that!
I am stuck with tshark.exe (did not know that was available till i read your post!) as only have access to windows version.
I will try this in a vista command window tomorrow.
Can I also do something equivalent inside wireshark GUI I wonder?

BR

Tony
Date: Wed, 22 Jul 2009 19:55:57 +0200
From: j.snelders@xxxxxxxxxx
Subject: Re: [Wireshark-users] filter SNMP  traps on enterprise
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4A542FF20000B5DD@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="US-ASCII"

Hi Tony,

Please see my previous post:
http://www.wireshark.org/lists/wireshark-users/200907/msg00175.html

You can also use:
$ tshark -r 20080512161200.pcap  -R "snmp.name contains 1.3.6.1.4.1" -T fields
-e snmp.name | sort | uniq
1.3.6.1.4.1.6247.4.8.5.13.0
1.3.6.1.4.1.6247.4.9.2.1.16.2
1.3.6.1.4.1.6247.4.9.2.1.16.3

$ tshark -r 20080512161200.pcap -R "snmp.name contains 1.3.6.1.4.1.6247.4.9.2.1.7.2"
-T fields -e snmp.name | sort | uniq
1.3.6.1.4.1.6247.4.9.2.1.16.2

HTH
Joan

On Wed, 22 Jul 2009 16:13:17 +0100 Tony Barratt wrote:
  
Hello List,

I have just installed wireshark 1.2.1 on Windows and I want to use it to

analyze some SNMP traps collect on a linux box with tcpdump,
using tcpdump -nnvvXSs 1514 -i eth0 -C 15 udp and port 162 -w bert.cap.
    
  
If I understand correctly from using google this will allow for trap 
analysis.

Have now loaded a 10 min capture file into wireshark, There are over 100

000 packets within.
I need to filter stuff out but the source is always the same because the

traps arrive via a trap forwarder.
One trap I am very interested in is  demandNbrCallDetails or because I 
dont have the mibs loaded 1.3.6.1.4.1.9.9.26.2.0.4.

Can someone please tell me if I can look inside the trap and  filter on
    
  
say the enterprise ( 1.3.6.1.3.1.1.5 for example)
or the agent-addr (196.168.12.12 for example) ?

Thanks v much in advance

Tony
    
       




------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 38, Issue 43
***********************************************

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

  


-- 
Tony Barratt
Senior Consultant
Mobile: +44 (0) 7795380202
http://www.mibtree.com

Mibtree holds the IBM AAA Tivoli Deployment accreditation  which is the highest level of accreditation available to IBM Tivoli business partners.

This message may contain confidential, proprietary or legal privileged information and is intended only for the use of the addressee named above. 
If you are not the intended recipient of this message you are hereby notified that you must not use, disseminate, copy it in any form or take any action in relience on it. 
If you have received this message in error please delete it and any copies of it and notify MIBTREE LIMITED immediately.
Anyviews expressed in this message are those of the individual sender, except where the message specifically states otherwise and the sender is authorised to state them to be the views of MIBTREE LIMITED.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe