TLDR: How can I find IP addresses that are communicated via SNMP in the data => variable-bindings field?
I am using Wireshark to view my pcap and I use the snmp filter. But I would like to go further by searching for IP addresses that are communicated via SNMP in the data => variable-bindings field.
Here is an SNMP record example from Wireshark:
data get-response variable-bindings: 20 items 1.3.6.1.2.1.4.20.1.2.10.50.9.178: 1 1.3.6.1.2.1.4.20.1.2.10.10.40.7: 40 1.3.6.1.2.1.4.20.1.3.10.50.39.17: 255.255.255.0 ...
I would like to find every address under the OID 1.3.6.1.2.1.4.20.1.* or search for a specific IP that is in a variable-bindings value.
I have already tried these filters:
snmp.variable_bindings == 10.50.9.178
snmp.data == 10.50.9.178 // Won't work because it searches for integer values
Note:
I do not want to search for the source and destination IPs
OID:
– 1.3.6.1.2.1.4.20.1 – ipAddrEntry
OID descriptions : http://www.alvestrand.no/objectid/1.3.6.1.2.1.4.20.1.html
Best Answer
Honestly, this solution isn't ideal because the tool you're using isn't ideal. I get that this is something you're just exploring and trying to understand; I would simply advise against using it as a go-to method in the future. Using the CLI with tcpdump or tshark will afford you much greater filtering abilities, as it allows you to use things like sed, awk, grep, etc.
While I don't know anything about Netdisco, I suspect that it isn't using the exact method that Wireshark is using to filter things, so this may not be the best example.
The correct solution to achieve exactly what you want inside Wireshark is to build a packet dissector:
https://www.wireshark.org/docs/wsdg_html_chunked/ChapterDissection.html
However, for the quick and dirty, which is what it sounds like you want:
I took an identical capture using one of the boxes in my lab, if you're looking for just IP addresses:
This will display any packets with IPv4 address values returned in the responses. However, because address and subnet mask are passed back in the same format, you will have to be able to discern which are real addresses and which are subnet masks.
In addition, you can break out the addresses (and masks) into their own column, then sort them in order which should leave all of the subnet masks at the bottom of the list.
First: Right Click the specific field you want to build into a column, in our case it's the IpAddress Value:
Second: Sort. (Apologies on the image scale)
I hope this helps.
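The answer above suggests moving the filtering out of the GUI and into text tools. The script below is an added example, not code from the asker or the answerer: it takes a text dump of the variable-bindings (the flattened detail-pane line from the question plus two constructed entries, labelled as such), pulls out every OID/value pair under ipAddrEntry (1.3.6.1.2.1.4.20.1), and separates real addresses from subnet masks. Two facts it relies on, both from RFC 1213: the last four sub-identifiers of any ipAddrEntry OID are the row's IPv4 address (so the address is present even when the value is an ifIndex), and column 3 (ipAdEntNetMask) is where masks live. The second, OID-independent check (`is_netmask`) flags any dotted quad whose bits are contiguous ones followed by zeros, which is how you tell a mask apart when the OID is not available.

```python
import ipaddress
import re

# ipAddrEntry (RFC 1213): 1.3.6.1.2.1.4.20.1.<column>.<a.b.c.d>
# The instance index of every row is the IPv4 address itself, so the address
# appears in the OID suffix even when the value is an ifIndex or a netmask.
IPADDR_ENTRY = "1.3.6.1.2.1.4.20.1"
COLUMNS = {
    1: "ipAdEntAddr",
    2: "ipAdEntIfIndex",
    3: "ipAdEntNetMask",
    4: "ipAdEntBcastAddr",
    5: "ipAdEntReasmMaxSize",
}

# Matches "dotted-oid: numeric-or-dotted-value" pairs in a flattened
# Wireshark detail line or a tshark -V style text dump.
VARBIND_RE = re.compile(r"(\d+(?:\.\d+)+):\s*([0-9.]+)")

# Constructed sample: the question's own line, extended with an ipAdEntAddr
# row and a second netmask row so both kinds of value are present.
SAMPLE = (
    "data get-response variable-bindings: 20 items "
    "1.3.6.1.2.1.4.20.1.2.10.50.9.178: 1 "
    "1.3.6.1.2.1.4.20.1.2.10.10.40.7: 40 "
    "1.3.6.1.2.1.4.20.1.3.10.50.39.17: 255.255.255.0 "
    "1.3.6.1.2.1.4.20.1.1.10.50.9.178: 10.50.9.178 "
    "1.3.6.1.2.1.4.20.1.3.10.50.9.178: 255.255.255.0 "
    "1.3.6.1.2.1.1.3.0: 123456"  # sysUpTime, not under ipAddrEntry
)


def parse_varbinds(text):
    """Return a list of (oid, value) string pairs found in a text dump."""
    return VARBIND_RE.findall(text)


def is_netmask(value):
    """True if value is a dotted quad of contiguous one-bits then zero-bits."""
    try:
        n = int(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        return False
    inverted = (~n) & 0xFFFFFFFF
    # A mask inverted is 0...01...1; adding one clears all set bits.
    return (inverted & (inverted + 1)) == 0


def classify(oid, value):
    """Split an ipAddrEntry OID into its column name and row address.

    Returns None for OIDs outside the ipAddrEntry subtree or with an
    instance suffix that is not four sub-identifiers forming an IPv4 address.
    """
    if not oid.startswith(IPADDR_ENTRY + "."):
        return None
    rest = oid[len(IPADDR_ENTRY) + 1:].split(".")
    if len(rest) != 5:
        return None
    column = COLUMNS.get(int(rest[0]), "column" + rest[0])
    instance = ".".join(rest[1:])
    try:
        ipaddress.IPv4Address(instance)
    except ipaddress.AddressValueError:
        return None
    return {"column": column, "instance": instance, "value": value}


def find_addresses(text):
    """Collect addresses and masks seen under ipAddrEntry in a text dump."""
    addresses, masks = set(), set()
    for oid, value in parse_varbinds(text):
        row = classify(oid, value)
        if row is None:
            continue
        addresses.add(row["instance"])  # the row index is always an address
        if row["column"] == "ipAdEntNetMask":
            masks.add(row["value"])
        elif row["column"] == "ipAdEntAddr":
            addresses.add(row["value"])
    return {"addresses": addresses, "masks": masks}


def mentions(text, ip):
    """OIDs whose row index or value equals ip (the 'specific IP' search)."""
    hits = []
    for oid, value in parse_varbinds(text):
        row = classify(oid, value)
        if row is not None and ip in (row["instance"], row["value"]):
            hits.append(oid)
    return sorted(hits)


if __name__ == "__main__":
    found = find_addresses(SAMPLE)
    print("addresses:", sorted(found["addresses"]))
    print("masks:    ", sorted(found["masks"]))
    print("rows mentioning 10.50.9.178:", mentions(SAMPLE, "10.50.9.178"))
```

To feed it a real capture, dump the varbinds to text first (for example with tshark -V on an snmp display filter, or tshark -T fields with the snmp.name and snmp.value.ipaddr dissector fields, which is how I would do it) and pass that text to `find_addresses`; the regex only needs "oid: value" pairs, so the exact layout of the dump does not matter.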