Wireshark mailing list archives

Decoding SNMP OIDs using tshark


From: Eric Ewanco <Eric.Ewanco () genband com>
Date: Thu, 28 Aug 2014 17:27:37 +0000

I am debugging an SNMP trap problem using tshark (TShark 1.6.6 (SVN Rev Unknown from unknown)) on a Linux platform 
(OpenSuSE 12.1). (The target platform does not support the Wireshark GUI.) OIDs in PDUs are shown in numerical format 
even though I have MIBs installed in /usr/share/snmp/mibs with a link to that in /usr/local/share/mibs. I tried -V. 
There doesn't appear to be a tshark verbose or debugging option except for some memory debugging options. I have 
checked the man page and find nothing on SNMP or MIBs. I tried strace and I found a file /usr/share/wireshark/oid file 
but when I put the MIB directory there, I get a flex error, and a google search for what this mysterious file means 
turns up nothing. I can copy and paste the OIDs into an snmptranslate command and it correctly translates them. I tried 
creating a ~/.wireshark directory with smi_modules and smi_paths ("/usr/share/snmp/mibs"). I did a tshark -G 
currentprefs to see if there was a relevant preference but there doesn't seem to be. I have googled this issue but I 
get way too much chaff to make any progress. I checked unix.stackexchange.com, superuser.com, and stackoverflow.com.

Example invocation:
tshark -R "snmp && ip.dst==<nms_ip>" -i eth0
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  4.675952  <agent_ip> -> <nms_ip>  SNMP 115 sNMPv2-Trap 1.3.6.1.2.1.1.3.0 1.3.6.1.6.3.1.1.4.1.0

# more .wireshark/preferences
name_resolve: mtC
name_resolve_load_smi_modules: TRUE
snmp.display_oid: TRUE
snmp.desegment: TRUE
snmp.var_in_tree: TRUE

I tried without this preferences file as well.

How do I get the OIDs to be displayed in symbolic format, e.g. sysUpTimeInstance and snmpTrapOID.0?

Thanks for any help!




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>