Wireshark mailing list archives

Re: tshark: How to capture SNMP traps (UDP port 162) that might be fragmented?

From: patrick () klos com
Date: Sat, 15 Dec 2012 20:55:46 GMT

Thank you for your reply.

I can see that I have been a little unclear with my words. I'm fine with
capturing more than SNMP. Hard disk space is cheap and even all UDP is
manageable in size for us. I would just like to end up after
post-processing with all SNMP traps including fragmented ones, using only
TShark.

To this end, I tried your suggestion:
tshark -2 -r unfiltered.pcap -R snmp -w snmp.pcap

To which I got:
Segmentation fault (core dumped)

I've created a tiny .pcap file containing two frames - a single
two-fragment SNMP trap - that also exhibits this. It is attached. Hope the
mailing list allows attachments...

I'm just surprised it doesn't seem possible.

Again, thank you for your reply!

Peter

Hi Peter,

I don't know how to do this with Wireshark and/or tshark.  I know our
PacketView product can reassemble IP packets AND run filters on those
reassembled packets, but it is a Windows app, and it looks like you want
a command line app that runs on Linux?

I have been playing with libpcap on a NetBSD machine.  It seems straightforward
enough.  If I were to write up a quick program to reassemble IP
fragmented packets and then save only packets for UDP port 162 to a pcap file,
would that do the job for you?  Are there any other requirements you would
ask of this tool?

Regards,

Patrick 
========= For LAN/WAN Protocol Analysis, check out PacketView Pro! =========
    Patrick Klos                           Email: patrick () klos com
    Network/Embedded Software Engineer     Web:   http://www.klos.com/
    Klos Technologies, Inc.                Phone: 603-471-2547
============================================================================
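A worked sketch of the reassemble-then-filter step proposed above, added here as an example and not code from this thread, from PacketView or from libpcap: it takes raw IPv4 packet bytes (as a pcap reader would hand them over), reassembles fragments by (src, dst, id, protocol) and keeps only datagrams whose UDP destination port is 162. All packet data is constructed inline; the ipv4() builder, the addresses and the source port are assumptions.

```python
import struct
from collections import defaultdict

SNMP_TRAP_PORT, UDP = 162, 17

def ipv4(payload, ident, offset, mf, proto=UDP):
    # Minimal IPv4 header for constructed test data (checksum left 0), 10.0.0.1 -> 10.0.0.2.
    frag = (0x2000 if mf else 0) | (offset // 8)        # MF flag + offset in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag, 64,
                       proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload

def parse_ipv4(pkt):
    """Return (key, proto, more_fragments, byte_offset, payload) of a raw IPv4 packet."""
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    ident, frag = struct.unpack("!HH", pkt[4:8])
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])       # src, dst, id, protocol
    return key, pkt[9], bool(frag & 0x2000), (frag & 0x1FFF) * 8, pkt[ihl:total_len]

def reassemble(packets):
    """Yield (proto, datagram) for each complete IP datagram, in completion order.

    Fragments are buffered per (src, dst, id, proto) until the MF=0 fragment has been
    seen and every byte up to its end is present (assumes no overlapping fragments).
    Groups that never complete are dropped, as an offline post-processor would do.
    """
    pending, final_len = defaultdict(dict), {}
    for pkt in packets:
        key, proto, mf, off, data = parse_ipv4(pkt)
        if not mf and off == 0:                          # never fragmented: pass through
            yield proto, data
            continue
        pending[key][off] = data
        if not mf:
            final_len[key] = off + len(data)
        if key in final_len and sum(map(len, pending[key].values())) == final_len[key]:
            yield proto, b"".join(pending[key][o] for o in sorted(pending[key]))
            del pending[key], final_len[key]

def is_snmp_trap(proto, datagram):
    """True when a reassembled datagram is UDP with destination port 162."""
    return proto == UDP and len(datagram) >= 8 and struct.unpack("!H", datagram[2:4])[0] == SNMP_TRAP_PORT

def extract_traps(packets):
    return [d for p, d in reassemble(packets) if is_snmp_trap(p, d)]

# Constructed sample: a 32-byte UDP datagram to port 162 split into two IP fragments,
# with an unrelated unfragmented ICMP packet in between (payload bytes are filler, not real BER).
UDP_TRAP = struct.pack("!HHHH", 1024, SNMP_TRAP_PORT, 32, 0) + b"\x30" * 24
SAMPLE = [ipv4(UDP_TRAP[:16], ident=7, offset=0, mf=True),
          ipv4(b"\x08\x00\x00\x00", ident=8, offset=0, mf=False, proto=1),
          ipv4(UDP_TRAP[16:], ident=7, offset=16, mf=False)]
```

Fragments may arrive in any order; a datagram is emitted only once its last fragment and all preceding bytes are in hand, so a lone first fragment is never written out as a trap.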