Wireshark – Search for IP Addresses in SNMP Data Field

Tags: snmp, wireshark

TLDR: How can I find IP addresses that are communicated via SNMP in the data => variable-bindings field?

I am using Wireshark to view my pcap and I use the snmp filter. But I would like to go further by searching for IP addresses that are communicated via SNMP in the data => variable-bindings field.

Here is an SNMP record example from Wireshark:

data
    get-response
        variable-bindings: 20 items
            1.3.6.1.2.1.4.20.1.2.10.50.9.178: 1
            1.3.6.1.2.1.4.20.1.2.10.10.40.7: 40
            1.3.6.1.2.1.4.20.1.3.10.50.39.17: 255.255.255.0
            ...

I would like to find every address under the OID 1.3.6.1.2.1.4.20.1.*
or search for a specific IP that is in a variable-bindings value.

I have already tried these filters:

snmp.variable_bindings == 10.50.9.178
snmp.data == 10.50.9.178  // Won't work because it searches for integer values

Note:
I do not want to search for the source and destination IPs

OID:
– 1.3.6.1.2.1.4.20.1 – ipAddrEntry

OID descriptions : http://www.alvestrand.no/objectid/1.3.6.1.2.1.4.20.1.html

Best Answer

Honestly, this solution isn't ideal because the tool you're using isn't ideal. I get that this is something you're just exploring and trying to understand; I would simply advise against using it as a go-to method in the future. Using the CLI with tcpdump or tshark will afford you much greater filtering abilities, as it allows you to use things like sed, awk, grep, etc.

While I don't know anything about Netdisco, I suspect that it isn't using the exact method that Wireshark is using to filter things, so this may not be the best example.

The correct solution to achieve exactly what you want inside Wireshark is to build a packet dissector:

https://www.wireshark.org/docs/wsdg_html_chunked/ChapterDissection.html

However, for the quick and dirty, which is what it sounds like you want:

I took an identical capture using one of the boxes in my lab. If you're looking for just IP addresses:

snmp.value.ipv4 (or snmp.value.ipv6)

This will display any packets with IPv4 address values returned in the responses. However, because address and subnet mask are passed back in the same format, you will have to be able to discern which are real addresses and which are subnet masks.

In addition, you can break out the addresses (and masks) into their own column, then sort them in order which should leave all of the subnet masks at the bottom of the list.

First: Right Click the specific field you want to build into a column, in our case it's the IpAddress Value:

[screenshot: Columnify]

Second: Sort. (Apologies on the image scale)

[screenshot: Sorted]

I hope this helps.
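To make concrete what the `snmp.value.ipv4` filter is matching on, and how the question's address-versus-mask ambiguity can be resolved from the OID rather than from the value, here is an added example (not part of the question or answer above, and not Wireshark or Netdisco code). It decodes an SNMP get-response from its BER bytes, lists every IpAddress value in the variable-bindings, and labels ipAddrEntry rows by their RFC 1213 column (`ipAdEntAddr` = .1, `ipAdEntNetMask` = .3, and so on). The sample message is constructed inline for this example; the OIDs mirror the ones in the question, but the interface index and second host address are invented values.

```python
"""Pull IPv4 values out of an SNMP get-response's variable-bindings,
the same values the Wireshark display filter snmp.value.ipv4 selects,
and tell ipAddrEntry addresses apart from netmasks via the OID column."""

IPADDR_ENTRY = "1.3.6.1.2.1.4.20.1"      # ipAddrEntry (RFC 1213 ipAddrTable)
# Column arcs inside ipAddrEntry, from RFC 1213.
IPADDR_COLUMNS = {1: "ipAdEntAddr", 2: "ipAdEntIfIndex", 3: "ipAdEntNetMask",
                  4: "ipAdEntBcastAddr", 5: "ipAdEntReasmMaxSize"}

# --- minimal BER helpers: encoders are only used to build the sample ---
def _ber_len(n):                         # short form < 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _encode_oid(dotted):                 # base-128 arcs, first two arcs packed
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def _read_tlv(buf, pos):
    """Return (tag, body, position after the TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                     # iterate the TLVs inside a SEQUENCE
    pos = 0
    while pos < len(body):
        tag, child, pos = _read_tlv(body, pos)
        yield tag, child

def _decode_value(tag, body):
    if tag == 0x40:                      # [APPLICATION 0] IpAddress
        return ".".join(str(b) for b in body)
    if tag == 0x02:                      # INTEGER
        return int.from_bytes(body, "big", signed=True)
    if tag == 0x04:                      # OCTET STRING
        return body.decode("latin-1")
    return body.hex()                    # anything else: raw hex

def varbinds(message):
    """Yield (oid, value tag, decoded value) for each binding in a get-response."""
    tag, msg, _ = _read_tlv(message, 0)
    assert tag == 0x30, "SNMP message must be a SEQUENCE"
    _version, _community, (pdu_tag, pdu) = list(_children(msg))
    assert pdu_tag == 0xA2, "not a get-response PDU"
    *_header, (_, vb_list) = list(_children(pdu))   # request-id, errors, bindings
    for _, vb in _children(vb_list):
        (_, oid_body), (vtag, vbody) = list(_children(vb))
        yield _decode_oid(oid_body), vtag, _decode_value(vtag, vbody)

def ipv4_values(message):
    """Every IpAddress value, i.e. what snmp.value.ipv4 matches on."""
    return [(oid, val) for oid, tag, val in varbinds(message) if tag == 0x40]

def ipaddr_entries(message):
    """ipAddrEntry rows labelled by column, so masks are not mistaken for hosts."""
    prefix, rows = IPADDR_ENTRY + ".", []
    for oid, _tag, val in varbinds(message):
        if oid.startswith(prefix):
            column = int(oid[len(prefix):].split(".")[0])
            rows.append((IPADDR_COLUMNS.get(column, "unknown"), oid, val))
    return rows

def oids_with_ip(message, ip):
    """Bindings whose value is exactly this address (snmp.value.ipv4 == ip)."""
    return [oid for oid, val in ipv4_values(message) if val == ip]

# Constructed sample get-response (SNMPv2c); values are invented for this example.
def _ip(d): return _tlv(0x40, bytes(int(o) for o in d.split(".")))
def _int(n): return _tlv(0x02, bytes([n]))          # sample values only (0..127)
def _vb(oid, value): return _tlv(0x30, _encode_oid(oid) + value)

SAMPLE = _tlv(0x30, _int(1) + _tlv(0x04, b"public") + _tlv(0xA2,
    _int(42) + _int(0) + _int(0)                    # request-id, error-status, error-index
    + _tlv(0x30,
        _vb("1.3.6.1.2.1.1.5.0", _tlv(0x04, b"router1"))                # sysName
        + _vb("1.3.6.1.2.1.4.20.1.1.10.50.9.178", _ip("10.50.9.178"))   # ipAdEntAddr
        + _vb("1.3.6.1.2.1.4.20.1.2.10.50.9.178", _int(1))              # ipAdEntIfIndex
        + _vb("1.3.6.1.2.1.4.20.1.3.10.50.9.178", _ip("255.255.255.0")) # ipAdEntNetMask
        + _vb("1.3.6.1.2.1.4.20.1.1.10.10.40.7", _ip("10.10.40.7"))
        + _vb("1.3.6.1.2.1.4.20.1.3.10.10.40.7", _ip("255.255.0.0")))))

if __name__ == "__main__":
    for row in ipaddr_entries(SAMPLE):
        print(row)
    print(oids_with_ip(SAMPLE, "10.50.9.178"))
```

The point of the `ipaddr_entries` split is that an SNMP IpAddress value carries no hint whether it is a host address or a mask; only the column arc of the OID (.1 versus .3 under ipAddrEntry) tells you, which is why sorting the value column in Wireshark is a heuristic rather than a rule. On a real capture the equivalent one-liner with the CLI tool the answer recommends is `tshark -r capture.pcap -Y snmp.value.ipv4 -T fields -e snmp.value.ipv4`, which prints only the IpAddress values and can then be piped through sort, uniq or grep.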