Wireshark-users: Re: [Wireshark-users] filter SNMP traps on enterprise
Date: Thu, 23 Jul 2009 15:15:03 +0200
You're welcome :-)

Do you get matches when you use those filters?
snmp.name == 1.3.6.1.4.1.9.9.26.2.0.1
or
snmp.name == 1.3.6.1.4.1.9.9.26.2.0.1 || snmp.name == 1.3.6.1.4.1.9.9.26.2.0.2
|| snmp.name == 1.3.6.1.4.1.9.9.26.2.0.3 || snmp.name == 1.3.6.1.4.1.9.9.26.2.0.4

Thanks
Joan

On Thu, 23 Jul 2009 11:24:54 +0100 Tony Barratt wrote:
>Thanks!
>Tried that.
>If I use filter ="snmp.name contains 1.3.6.1.4.1.9.9.26" I get a subset of
>traps (still 10 000s) roughly in line with what I am expecting.
>
>For example:
>..
>SNMPv2-MIB::snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.4.1.9.9.26.2.0.2
>(SNMPv2SMI::enterprises.9.9.26.2.0.2)
>..
>Actually I am looking for 1.3.6.1.4.1.9.9.26.2.0.1 to 1.3.6.1.4.1.9.9.26.2.0.4
>traps.
>
>But if I use filter ="snmp.name contains 1.3.6.1.4.1.9.9.26.2"
>I get no matches.
>Which is mysterious because I was expecting for sure to match this line ->
>SNMPv2-MIB::snmpTrapOID.0
>(1.3.6.1.6.3.1.1.4.1.0): 1.3.6.1.4.1.9.9.26.2.0.2
>
>Any suggestions?
>
>TIA
>
>Tony
>Date: Wed, 22 Jul 2009 23:25:51 +0200
>From: "Sake Blok" <sake@xxxxxxxxxx>
>Subject: Re: [Wireshark-users] e:  filter SNMP  traps on enterprise
>To: "Community support list for Wireshark"
>	<wireshark-users@xxxxxxxxxxxxx>
>Message-ID: <8239C94436C44C3EB21EF85335434535@xxxxxxxxxxxxxx>
>Content-Type: text/plain; charset="iso-8859-1"
>
>yes, you can use "snmp.name contains 1.3.6.1.4.1" as a display filter within
>Wireshark too  :-) 
>
>Cheers,
>
>
>Sake
>  ----- Original Message ----- 
>  From: Tony Barratt 
>  To: wireshark-users@xxxxxxxxxxxxx 
>  Sent: Wednesday, July 22, 2009 11:10 PM
>  Subject: [Wireshark-users] e: filter SNMP traps on enterprise
>
>
>  Hi,
>
>  Thanks for that!
>  I am stuck with tshark.exe (did not know that was available till I read
>  your post!) as I only have access to the Windows version.
>  I will try this in a vista command window tomorrow.
>  Can I also do something equivalent inside wireshark GUI I wonder?
>
>  BR
>
>  Tony
>
>Date: Wed, 22 Jul 2009 19:55:57 +0200
>From: j.snelders@xxxxxxxxxx
>Subject: Re: [Wireshark-users] filter SNMP  traps on enterprise
>To: "Community support list for Wireshark"
>	<wireshark-users@xxxxxxxxxxxxx>
>Message-ID: <4A542FF20000B5DD@xxxxxxxxxxxxxxxxxxxxxxxxxx>
>Content-Type: text/plain; charset="US-ASCII"
>
>Hi Tony,
>
>Please see my previous post:
>http://www.wireshark.org/lists/wireshark-users/200907/msg00175.html
>
>You can also use:
>$ tshark -r 20080512161200.pcap -R "snmp.name contains 1.3.6.1.4.1" -T fields
>-e snmp.name | sort | uniq
>1.3.6.1.4.1.6247.4.8.5.13.0
>1.3.6.1.4.1.6247.4.9.2.1.16.2
>1.3.6.1.4.1.6247.4.9.2.1.16.3
>
>$ tshark -r 20080512161200.pcap -R "snmp.name contains 1.3.6.1.4.1.6247.4.9.2.1.7.2"
>-T fields -e snmp.name | sort | uniq
>1.3.6.1.4.1.6247.4.9.2.1.16.2
>
>HTH
>Joan
>
>On Wed, 22 Jul 2009 16:13:17 +0100 Tony Barratt wrote:
>  Hello List,
>
>I have just installed wireshark 1.2.1 on Windows and I want to use it to
>analyze some SNMP traps collected on a Linux box with tcpdump,
>using tcpdump -nnvvXSs 1514 -i eth0 -C 15 udp and port 162 -w bert.cap.
>
>If I understand correctly from using google this will allow for trap
>analysis.
>
>Have now loaded a 10 min capture file into wireshark. There are over 100
>000 packets within.
>I need to filter stuff out but the source is always the same because the
>traps arrive via a trap forwarder.
>One trap I am very interested in is demandNbrCallDetails or because I
>don't have the mibs loaded 1.3.6.1.4.1.9.9.26.2.0.4.
>
>Can someone please tell me if I can look inside the trap and filter on
>say the enterprise ( 1.3.6.1.3.1.1.5 for example)
>or the agent-addr (196.168.12.12 for example) ?
>
>Thanks v much in advance
>
>Tony
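The thread boils down to two ways of selecting traps: Joan's `tshark -T fields -e snmp.name | sort | uniq` pipeline to list the OIDs present, and `snmp.name ==` filters for the four notification OIDs Tony wants. The script below is an added example (not part of any post in this thread and not Wireshark or tshark code) that consumes output in the shape that `tshark -T fields -e snmp.name` produces: one line per packet, with multiple occurrences of the field joined by `,` (tshark's default field aggregator). It counts exact hits for the four OIDs, counts OIDs that sit arc-wise under the enterprise subtree `1.3.6.1.4.1.9.9.26`, and separately shows why a plain text substring test is looser than an arc-wise subtree test: the constructed sample includes an OID under `...9.9.260`, whose dotted text contains `1.3.6.1.4.1.9.9.26` although it is a different branch. The sample input is constructed for the example, not taken from a real capture, and the substring check is a plain Python `in`, not a reproduction of how Wireshark's own `contains` operator evaluates OID fields. One further note for reading the results: `snmp.name` is the varbind name; in an SNMPv2 trap the trap type is the value of the `snmpTrapOID.0` varbind, which Wireshark exposes as a separate field (`snmp.value.oid`), so the same script can be fed the output of `-e snmp.value.oid` when it is the trap type you want to count.

```python
"""Classify SNMP trap OIDs from tshark '-T fields -e snmp.name' output.

Added example for the Wireshark-users thread; not part of the posts and not
Wireshark/tshark code. Assumes one line per packet with field occurrences
joined by ',' (tshark's default aggregator). Sample input is constructed.
"""
import sys
from collections import Counter
from typing import Dict, List, Tuple

Oid = Tuple[int, ...]

# The four CISCO-ISDN-MIB notification OIDs named in the thread.
WANTED = frozenset({
    "1.3.6.1.4.1.9.9.26.2.0.1",
    "1.3.6.1.4.1.9.9.26.2.0.2",
    "1.3.6.1.4.1.9.9.26.2.0.3",
    "1.3.6.1.4.1.9.9.26.2.0.4",
})
# Enterprise subtree used in the thread's "contains" filters.
ENTERPRISE = "1.3.6.1.4.1.9.9.26"

# Constructed sample of tshark output (not a real capture). The third line
# carries an OID under ...9.9.260: its text contains "1.3.6.1.4.1.9.9.26"
# but it is not in that subtree.
SAMPLE_TSHARK_OUTPUT = """\
1.3.6.1.2.1.1.3.0,1.3.6.1.6.3.1.1.4.1.0,1.3.6.1.4.1.9.9.26.2.0.2
1.3.6.1.2.1.1.3.0,1.3.6.1.6.3.1.1.4.1.0,1.3.6.1.4.1.9.9.26.1.1.1.1.3
1.3.6.1.2.1.1.3.0,1.3.6.1.6.3.1.1.4.1.0,1.3.6.1.4.1.9.9.260.1.0.7
1.3.6.1.2.1.1.3.0,1.3.6.1.6.3.1.1.4.1.0,1.3.6.1.4.1.6247.4.8.5.13.0
"""


def parse_oid(text: str) -> Oid:
    """Turn a dotted-numeric OID string into a tuple of integer arcs.
    Raises ValueError for anything that is not a plain dotted OID."""
    arcs = tuple(int(a) for a in text.strip().split("."))
    if len(arcs) < 2 or any(a < 0 for a in arcs):
        raise ValueError(f"not a valid OID: {text!r}")
    return arcs


def under_subtree(oid: Oid, root: Oid) -> bool:
    """Arc-wise prefix test: True only if every arc of `root` matches."""
    return oid[:len(root)] == root


def classify(fields_output: str) -> Dict[str, Counter]:
    """Return three counters keyed by OID string:
    'exact'    - OIDs equal to one of WANTED (what the '==' filters select)
    'subtree'  - OIDs whose arcs begin with the ENTERPRISE arcs
    'text_hit' - OIDs whose dotted text merely contains the ENTERPRISE text
    """
    root = parse_oid(ENTERPRISE)
    result = {"exact": Counter(), "subtree": Counter(), "text_hit": Counter()}
    for line in fields_output.splitlines():
        for name in line.split(","):
            name = name.strip()
            if not name:
                continue  # empty field occurrence or blank line
            if name in WANTED:
                result["exact"][name] += 1
            if under_subtree(parse_oid(name), root):
                result["subtree"][name] += 1
            if ENTERPRISE in name:
                result["text_hit"][name] += 1
    return result


def false_positives(result: Dict[str, Counter]) -> List[str]:
    """OIDs matched by the text test but not by the arc-wise subtree test."""
    return sorted(set(result["text_hit"]) - set(result["subtree"]))


if __name__ == "__main__":
    # Read tshark output from stdin when piped; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSHARK_OUTPUT
    res = classify(data)
    for key in ("exact", "subtree", "text_hit"):
        print(f"{key}:")
        for oid, n in sorted(res[key].items()):
            print(f"  {n:6d}  {oid}")
    print("text-only hits (not in the subtree):", false_positives(res))
```

Run it as `tshark -r bert.cap -T fields -e snmp.name | python3 classify_traps.py` to get per-OID counts for a real capture, or without input to see the constructed sample. The `exact` counter corresponds to the four `snmp.name ==` clauses from the top of the thread; the gap between `text_hit` and `subtree` is the reason to match OIDs arc by arc rather than as text when you are filtering by enterprise.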