Wireshark-users: Re: [Wireshark-users] tshark: How to capture SNMP traps (UDP port 162) that migh
>Thank you for your reply.
>
>I can see that I have been a little unclear with my words. I'm fine with
>capturing more than SNMP. Hard disk space is cheap and even all UDP is
>manageable in size for us. I would just like to end up after
>post-processing with all SNMP traps including fragmented ones, using only
>TShark.
>
>To this end, I tried your suggestion:
>> tshark -2 -r unfiltered.pcap -R snmp -w snmp.pcap
>
>To which I got:
>Segmentation fault (core dumped)
>
>I've created a tiny .pcap file containing two frames - a single
>two-fragment SNMP trap - that also exhibits this. It is attached. Hope the
>mailing list allows attachments...
>
>I'm just surprised it doesn't seem possible.
>
>Again, thank you for your reply!
>
>Peter
Hi Peter,
I don't know how to do this with Wireshark and/or tshark. I know our
PacketView product can reassemble IP packets AND run filters on those
reassembled packets, but it is a Windows app, and it looks like you want
a command line app that runs on Linux?
I have been playing with libpcap on a NetBSD machine. It seems straightforward
enough. If I were to write up a quick program to reassemble IP
fragmented packets and then save only packets for UDP port 162 to a pcap file,
would that do the job for you? Are there any other requirements you would
ask of this tool?
Regards,
Patrick
========= For LAN/WAN Protocol Analysis, check out PacketView Pro! =========
Patrick Klos Email: patrick@xxxxxxxx
Network/Embedded Software Engineer Web: http://www.klos.com/
Klos Technologies, Inc. Phone: 603-471-2547
============================================================================
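As an added example (not code from this thread, from Wireshark/tshark, or from PacketView): a stand-alone Python 3 script that does what Patrick proposes, but without libpcap, so it runs anywhere Python does. It reads a classic pcap (Ethernet framing, not pcapng), groups IPv4 fragments by (src, dst, id, proto) as RFC 791 requires, rebuilds each datagram once every byte from 0 to the end is present in any arrival order, rewrites the IP header (length, flags/offset, checksum) and writes only UDP datagrams with port 162 as source or destination to a new pcap. The sample capture, MAC and IP addresses, IP IDs, ports and the SNMPv2c trap in build_sample_pcap are constructed for the demo and are not Peter's attachment; it also handles the single-fragment case and drops a fragment group that overlaps rather than guessing which copy to keep.

```python
import struct
from collections import defaultdict

ETHERTYPE_IPV4, IPPROTO_UDP, SNMP_TRAP_PORT = 0x0800, 17, 162

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for each record of a classic Ethernet pcap."""
    bo = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])  # either byte order
    if bo is None or struct.unpack_from(bo + "I", data, 20)[0] != 1:
        raise ValueError("expected a classic pcap with LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(bo + "IIII", data, off)
        yield ts_sec, ts_usec, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def write_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) records as a little-endian Ethernet pcap."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1))
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)

def ipv4_checksum(header):
    """RFC 1071 checksum; returns 0 when run over a header whose checksum field is already right."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def reassemble(records):
    """Yield (ts_sec, ts_usec, eth, ip_hdr, payload) per complete IPv4 datagram. Fragments are grouped
    by (src, dst, id, proto) as in RFC 791, in any order; duplicates are ignored, an overlap drops the group."""
    pending, total_len = defaultdict(dict), {}          # key -> {offset: (eth, hdr, piece)}, key -> end
    for ts_sec, ts_usec, frame in records:
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        eth, ip = frame[:14], frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        tot_len, ident, flags_off = struct.unpack_from("!HHH", ip, 2)
        more, frag_off = bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8
        piece = ip[ihl:tot_len]
        if not more and frag_off == 0:                          # never fragmented: pass through as-is
            yield ts_sec, ts_usec, eth, ip[:ihl], piece
            continue
        key = (ip[12:16], ip[16:20], ident, ip[9])
        frags = pending[key]
        frags.setdefault(frag_off, (eth, ip[:ihl], piece))      # a repeated offset is a duplicate
        if not more:
            total_len[key] = frag_off + len(piece)              # the MF=0 piece says where the datagram ends
        offs = sorted(frags)
        ends = [o + len(frags[o][2]) for o in offs]
        if any(o < e for o, e in zip(offs[1:], ends)):          # overlapping pieces: refuse to guess
            del pending[key]
            total_len.pop(key, None)
        elif offs == [0] + ends[:-1] and ends[-1] == total_len.get(key):   # contiguous from 0 to the end
            eth, hdr = frags[0][0], bytearray(frags[0][1])
            body = b"".join(frags[o][2] for o in offs)
            struct.pack_into("!HHHBBH", hdr, 2, len(hdr) + len(body), ident, 0, hdr[8], hdr[9], 0)  # len,id,flags,ttl,proto,csum
            struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
            del pending[key], total_len[key]
            yield ts_sec, ts_usec, eth, bytes(hdr), body        # stamped with the completing fragment's time

def extract_udp_port(pcap_bytes, port=SNMP_TRAP_PORT):
    """Reassemble, keep UDP datagrams with `port` as source or destination, return a new pcap."""
    return write_pcap([(s, u, eth + hdr + body) for s, u, eth, hdr, body in reassemble(read_pcap(pcap_bytes))
                       if hdr[9] == IPPROTO_UDP and len(body) >= 8 and port in struct.unpack_from("!HH", body)])

def ber(tag, body):                                             # minimal BER TLV for the constructed trap
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def build_trap(filler_len):
    """Constructed SNMPv2c Trap-PDU (community 'public') with sysDescr.0 padded past one MTU."""
    varbinds = ber(0x30, ber(0x30, ber(0x06, bytes.fromhex("2b06010201010300")) + ber(0x43, b"\x00"))    # sysUpTime.0
               + ber(0x30, ber(0x06, bytes.fromhex("2b06010201010100")) + ber(0x04, b"X" * filler_len)))  # sysDescr.0
    pdu = ber(0xA7, ber(0x02, b"\x01") + ber(0x02, b"\x00") * 2 + varbinds)   # request-id, error-status, error-index
    return ber(0x30, ber(0x02, b"\x01") + ber(0x04, b"public") + pdu)          # version 1 = SNMPv2c

def fragment_ipv4(src, dst, proto, payload, ident, mtu=1500):
    """Split an IP payload into RFC 791 fragments the way a sending host would."""
    chunk, frames = (mtu - 20) // 8 * 8, []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        flags = 0x2000 if off + chunk < len(payload) else 0     # MF on every piece but the last
        hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(piece), ident,
                                    flags | off // 8, 64, proto, 0, src, dst))
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
        frames.append(bytes.fromhex("00112233445566778899aabb0800") + bytes(hdr) + piece)  # made-up MACs
    return frames

def build_sample_pcap(filler_len=2000, reverse=False):
    """Three constructed frames: a two-fragment trap (optionally out of order) plus a UDP/53 datagram."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])           # made-up addresses
    trap = build_trap(filler_len)
    udp = struct.pack("!HHHH", 40000, SNMP_TRAP_PORT, 8 + len(trap), 0) + trap   # UDP checksum 0 = absent
    frames = fragment_ipv4(src, dst, IPPROTO_UDP, udp, 0x1234)[::-1 if reverse else 1]
    frames += fragment_ipv4(src, dst, IPPROTO_UDP, struct.pack("!HHHH", 40001, 53, 20, 0) + bytes(12), 0x1235)
    return write_pcap((1700000000, 1000 * i, f) for i, f in enumerate(frames))
```

To use it on a real file, read unfiltered.pcap into memory, pass the bytes to extract_udp_port, and write the returned bytes to snmp.pcap; opening that in Wireshark shows each trap as one unfragmented UDP/162 datagram. Two design choices worth knowing: a rebuilt datagram carries the timestamp of the fragment that completed it, which is also where Wireshark displays reassembled data, and a group whose last piece never shows up (lost or beyond the capture) is simply never emitted, so if that matters count what is left in pending at end of input. pcapng input and non-Ethernet link types are out of scope here.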