Wireshark mailing list archives

tshark: How to capture SNMP traps (UDP port 162) that might be fragmented?


From: Peter Valdemar Mørch <peter () morch com>
Date: Thu, 13 Dec 2012 10:13:30 +0100

We want to capture SNMP traps. The simple

    tshark -f 'port 162'

Doesn't work if there are SNMP traps that are fragmented, because then we
don't get all the fragments. I understand.

Since rev 41216, Wireshark now also saves all dependent packets when one
saves all packets according to the display filter [1] [2]. I've tried
Wireshark version 1.8.2 and it works as described.

I therefore expected this to work for tshark 1.8.2 too:

    tshark -f udp -w alludp.pcap
    # wait for it, wait for it...
    tshark -r alludp.pcap -R snmp -w snmp.pcap

But it doesn't work. I only get one packet - it doesn't save all fragments.
Two questions:

1) Isn't the tshark command above the tshark equivalent of the same use
case? I expected it to work similarly (and save all fragments, just like
wireshark). Is there something wrong with my mental model / expectations?
Is there some other way to achieve this?

2) Is there some other way to capture exactly SNMP traps (UDP port 162)
including fragmented ones with tshark avoiding having to install and start
up wireshark? We're on a headless/X-less system so for us tshark + screen
is much more practical than wireshark will ever be.

1: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3315
2: http://anonsvn.wireshark.org/viewvc?revision=41216&view=revision
-- 
Peter Valdemar Mørch
http://www.morch.com
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
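The reason `-f 'port 162'` drops the later fragments is that a BPF capture filter needs the UDP header to see the port numbers, and only the first IPv4 fragment carries that header; libpcap compiles `udp port N` to test `ip[6:2] & 0x1fff = 0` before it even looks at the ports. The usual capture-side workaround is to also accept every packet whose fragment-offset field is non-zero, i.e. `udp port 162 or (ip[6:2] & 0x1fff) != 0`, and to narrow down afterwards with a display filter. The following script is an added example, not code from the thread or from the Wireshark project: it builds a constructed, oversized trap-sized UDP datagram (the payload is filler, not a real SNMP trap; the addresses, MTU, IP ID and output filename are assumptions), fragments it the way an IPv4 stack would, evaluates a model of both capture filters against each fragment, and writes the fragments to a pcap so the same thing can be checked with `tshark -r`.

```python
"""Why 'udp port 162' misses IPv4 fragments, and the fragment-aware alternative.
Added example; packets, addresses and payload below are constructed, not captured."""
import struct
import time

ETH_IPV4 = 0x0800
IPPROTO_UDP = 17
SNMP_TRAP_PORT = 162


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, ident, more_fragments, frag_offset):
    """20-byte IPv4 header; frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, IPPROTO_UDP, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def fragment_udp(src, dst, sport, dport, payload, mtu=1500, ident=0x1234):
    """Return the IPv4 packets (no Ethernet header) carrying one UDP datagram.
    Only the first packet contains the 8-byte UDP header."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    max_data = (mtu - 20) // 8 * 8      # non-final fragments carry a multiple of 8 bytes
    packets, offset = [], 0
    while offset < len(udp):
        chunk = udp[offset:offset + max_data]
        more = offset + len(chunk) < len(udp)
        packets.append(ipv4_header(src, dst, len(chunk), ident, more, offset // 8) + chunk)
        offset += len(chunk)
    return packets


def frag_offset(pkt: bytes) -> int:
    """ip[6:2] & 0x1fff: the fragment offset field in 8-byte units."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF


def matches_udp_port(pkt: bytes, port: int) -> bool:
    """Model of the BPF filter 'udp port N': libpcap only reads the ports when the
    packet is UDP and its fragment offset is zero, so later fragments never match."""
    if pkt[9] != IPPROTO_UDP or frag_offset(pkt) != 0:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)


def matches_port_or_fragment(pkt: bytes, port: int) -> bool:
    """Model of 'udp port N or (ip[6:2] & 0x1fff) != 0'."""
    return matches_udp_port(pkt, port) or frag_offset(pkt) != 0


def write_pcap(path: str, packets) -> None:
    """Write the packets, Ethernet-framed, to a classic pcap file (link type 1)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    ts = int(time.time())
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, pkt in enumerate(packets):
            frame = eth + pkt
            f.write(struct.pack("<IIII", ts, i, len(frame), len(frame)) + frame)


def build_fragments(payload_len=4000, mtu=1500):
    """Constructed trap-sized datagram (filler payload, not a real SNMP trap)."""
    payload = b"\x30" + bytes(payload_len - 1)
    return fragment_udp(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",
                        50000, SNMP_TRAP_PORT, payload, mtu)


def demo(payload_len=4000, mtu=1500):
    """Count how many fragments each capture filter would let through."""
    pkts = build_fragments(payload_len, mtu)
    return {
        "fragments": len(pkts),
        "port_only": sum(matches_udp_port(p, SNMP_TRAP_PORT) for p in pkts),
        "port_or_frag": sum(matches_port_or_fragment(p, SNMP_TRAP_PORT) for p in pkts),
    }


if __name__ == "__main__":
    write_pcap("fragtest.pcap", build_fragments())   # assumed output filename
    print(demo())
```

With a 4000-byte payload and a 1500-byte MTU the datagram becomes three fragments; the `udp port 162` model matches one of them, the fragment-aware model all three. The price of the wider capture filter is that non-first fragments of every other protocol are captured too, which is why the second step stays a display filter (`-R snmp` in 1.8, `-Y snmp` in later releases) over the saved file; the generated `fragtest.pcap` is a convenient input for trying that step with `tshark -r`.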
