Wireshark-users: Re: [Wireshark-users] tshark: How to capture SNMP traps (UDP port 162) that migh
Date: Sat, 15 Dec 2012 20:55:46 GMT
>Thank you for your reply.
>
>I can see that I have been a little unclear with my words. I'm fine with
>capturing more than SNMP. Hard disk space is cheap and even all UDP is
>manageable in size for us. I would just like to end up after
>post-processing with all SNMP traps including fragmented ones, using only
>TShark.
>
>To this end, I tried your suggestion:
>> tshark -2 -r unfiltered.pcap -R snmp -w snmp.pcap
>
>To which I got:
>Segmentation fault (core dumped)
>
>I've created a tiny .pcap file containing two frames - a single
>two-fragment SNMP trap - that also exhibits this. It is attached. Hope the
>mailing list allows attachments...
>
>I'm just surprised it doesn't seem possible.
>
>Again, thank you for your reply!
>
>Peter

Hi Peter,

I don't know how to do this with Wireshark and/or tshark.  I know our
PacketView product can reassemble IP packets AND run filters on those
reassembled packets, but it is a Windows app, and it looks like you want
a command line app that runs on Linux?

I have been playing with libpcap on a NetBSD machine.  It seems straight-
forward enough.  If I were to write up a quick program to reassemble IP
fragmented packets and then save only packets for UDP port 162 to a pcap file,
would that do the job for you?  Are there any other requirements you would
ask of this tool?

Regards,

Patrick 
========= For LAN/WAN Protocol Analysis, check out PacketView Pro! =========
    Patrick Klos                           Email: patrick@xxxxxxxx
    Network/Embedded Software Engineer     Web:   http://www.klos.com/
    Klos Technologies, Inc.                Phone: 603-471-2547
============================================================================