Tech Tip: How to capture SNMP packets

Document created by ScottOrzechowski (Employee) on Nov 17, 2015. Last modified by ScottOrzechowski (Employee) on Apr 18, 2016. Version 2.

It is often useful or necessary to see the content, sequence and timing of SNMP requests, replies and traps. Here are quick directions for capturing them.

The captures below are saved in binary form, which is ideal for portability (other utilities on other machines can open them). If you transfer them with ftp, switch the session to binary mode first; the command at the ftp prompt is 'binary' or simply 'bi'. An ASCII-mode transfer silently corrupts the file. Bear in mind that an SNMPv1/v2c capture contains every community string in cleartext, so treat the file as sensitive: prefer scp or sftp over ftp where you can, and delete the capture once the troubleshooting is done.

You can alternatively watch the traffic in real time, on standard output or in the capture utility, and save that output as text. Wireshark can also export to CSV, which is handy for sorting and for analyzing patterns.

The aim of this document is, however, to convey simple SNMP capture methods:


Solaris

snoop -o troubleshoot.snoop host <SpectroSERVER IP> and \( port 161 or port 162 \)

The parentheses matter: in snoop, as in tcpdump, 'and' binds tighter than 'or', so the unparenthesized form 'host X and port 162 or port 161' captures port 161 traffic from every host on the network. Note that snoop writes its own capture format (RFC 1761), not the libpcap format, whatever the file is named; Wireshark opens it directly, and 'snoop -i troubleshoot.snoop -v' replays it on the Solaris box.


Linux

 

tcpdump -s 0 -w troubleshoot.pcap 'host <SpectroSERVER IP> and (udp port 161 or udp port 162)'

Add '-i <interface>' if the SpectroSERVER has more than one interface. The parentheses are required: BPF gives 'and' precedence over 'or', so a filter written as '(dst port 162) or (src port 161) or (dst port 161) and (host X)' applies the host restriction only to the last term and captures every other host's SNMP traffic too. The display options -vv, -A and -T snmp do nothing useful while writing with -w (no decoding happens); use them when reading the file back:

tcpdump -n -r troubleshoot.pcap -vv -A -T snmp


Windows

No packet capture tool was installed with Windows by default when this was written. Microsoft Network Monitor (free from Microsoft, though no longer under active development) and Wireshark (also free, from wireshark.org) both work. Windows 10 version 2004 and later, and the corresponding Windows Server builds, also ship pktmon, whose .etl captures can be converted to pcapng with 'pktmon pcapng'.

The capture filter for Wireshark (entered under Capture Options; this is BPF syntax, not the display-filter syntax of the filter bar) would be:
host <SpectroSERVER IP> and (udp port 161 or udp port 162)

Save the file in .pcap format. Wireshark saves as pcapng by default; if the tool that will read the file expects classic pcap, choose that format explicitly under File > Save As.


In Network Monitor, use the filter (the same expression serves as capture and display filter):
(UDP.Port == 161 OR UDP.Port == 162) AND IPv4.Address == <SpectroSERVER IP>

Here too the parentheses are needed: AND binds tighter than OR, so without them the host restriction applies only to port 162.

Save the file in .cap format.
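Once a capture exists, the content, sequence and timing the opening paragraph asks for can be pulled out of it without opening Wireshark. What follows is an added example, not part of this tech tip and not CA Spectrum code: a standard-library Python 3 script that reads a classic pcap (the format tcpdump -w produces and Wireshark's save-as-pcap writes), decodes SNMPv1/v2c messages, and pairs each request with its GetResponse by agent address and request-id to give the round-trip time. The addresses 10.0.0.5 (standing in for the SpectroSERVER) and 10.0.0.20, the request-ids and the three hand-encoded packets assembled in sample_capture() are constructed for illustration only.

```python
import struct
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest",
             0xA4: "Trap-v1", 0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}

def tlv(buf, pos=0):                              # -> (tag, value, next_pos) of the BER TLV at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                 # long-form length (large GetBulk replies use it)
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def seq_items(payload):                           # -> children [(tag, value), ...] of a SEQUENCE or PDU body
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = tlv(payload, pos)
        items.append((tag, val))
    return items

def decode_oid(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                            # base-128 arcs, high bit = continuation
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80: parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def decode_value(tag, val):                       # INTEGER/Counter32/Gauge32/TimeTicks/Counter64, OCTET STRING, OID, NULL
    if tag in (0x02, 0x41, 0x42, 0x43, 0x46): return int.from_bytes(val, "big", signed=(tag == 0x02))
    if tag == 0x04: return val.decode("ascii", "replace")
    return decode_oid(val) if tag == 0x06 else None if tag == 0x05 else val.hex()

def decode_snmp(payload):                         # SNMPv1/v2c; v3 is only recognised (other layout, often encrypted)
    tag, body, _ = tlv(payload)
    if tag != 0x30: raise ValueError("not an SNMP message")
    items = seq_items(body)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(items[0][1], "big"), "?")
    msg = {"version": version, "community": None, "pdu": "v3-message", "request_id": None, "varbinds": []}
    if version == "v3": return msg
    msg["community"] = items[1][1].decode("ascii", "replace")   # v1/v2c community travels in cleartext
    pdu_tag, fields = items[2][0], seq_items(items[2][1])
    msg["pdu"] = PDU_NAMES.get(pdu_tag, hex(pdu_tag))
    if pdu_tag != 0xA4:                           # the v1 Trap PDU carries no request-id
        msg["request_id"] = int.from_bytes(fields[0][1], "big", signed=True)
    for _, vb in seq_items(fields[-1][1]):        # varbind list is always the last field
        (_, oid), (vtag, vval) = seq_items(vb)
        msg["varbinds"].append((decode_oid(oid), decode_value(vtag, vval)))
    return msg

def read_pcap(data):                              # yields (timestamp, frame) from a classic pcap, Ethernet link type
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1):
        raise ValueError("not a classic pcap (pcapng, snoop or Netmon .cap? convert with editcap -F pcap)")
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    tick = 1e9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 1e6    # nanosecond or microsecond timestamps
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    pos = 24
    while pos + 16 <= len(data):
        sec, frac, incl, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        yield sec + frac / tick, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def udp_from_frame(frame):                        # -> (src, dst, sport, dport, payload) for IPv4/UDP, else None
    if frame[12:14] != b"\x08\x00" or frame[23] != 17: return None
    udp = frame[14 + (frame[14] & 0x0F) * 4:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), sport, dport, udp[8:ulen]

def snmp_timeline(pcap_bytes, ports=(161, 162)):  # one event per SNMP packet; responses get their request's RTT
    events, pending = [], {}
    for ts, frame in read_pcap(pcap_bytes):
        hit = udp_from_frame(frame)
        if hit is None or (hit[2] not in ports and hit[3] not in ports): continue
        src, dst, _, _, payload = hit
        msg = decode_snmp(payload)
        ev = {"time": ts, "src": src, "dst": dst, "latency": None, **msg}
        is_request = msg["pdu"].endswith("Request")            # Get/GetNext/Set/GetBulk/Inform all expect a Response
        key = (dst if is_request else src, msg["request_id"])  # ids repeat across agents, so key on the agent too
        if is_request:
            pending[key] = ts
        elif msg["pdu"] == "GetResponse" and key in pending:
            ev["latency"] = ts - pending.pop(key)
        events.append(ev)
    return events

# Constructed sample, not a real trace: hypothetical addresses and hand-encoded SNMPv2c BER, community "public".
SPECTRO, AGENT = "10.0.0.5", "10.0.0.20"
GET = bytes.fromhex("3027 020101 0406 7075626c6963 a01a 020204d2 020100 020100 300e 300c 0608 2b06010201010500 0500")
RESP = bytes.fromhex("3031 020101 0406 7075626c6963 a224 020204d2 020100 020100 3018 3016 0608 2b06010201010500"
                     " 040a 636f72652d7274722d31")                                   # sysName.0 = "core-rtr-1"
TRAP = bytes.fromhex("3041 020101 0406 7075626c6963 a734 02014d 020100 020100 3029 300e 0608 2b06010201010300"
                     " 4302 3039 3017 060a 2b060106030101040100 0609 2b0601060301010501")  # sysUpTime.0, coldStart
def sample_capture():
    def frame(src, dst, sport, dport, payload):   # Ethernet (zero MACs) / IPv4 / UDP, checksums left at 0
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        return b"\x00" * 12 + b"\x08\x00" + ip + udp
    records = [(100, 0, frame(SPECTRO, AGENT, 40001, 161, GET)),           # GetRequest id 1234 to the agent
               (100, 12500, frame(AGENT, SPECTRO, 161, 40001, RESP)),      # GetResponse 12.5 ms later
               (100, 20000, frame(AGENT, SPECTRO, 53, 53, b"\x00" * 12)),  # unrelated UDP, must be ignored
               (101, 500000, frame(AGENT, SPECTRO, 50000, 162, TRAP))]     # SNMPv2-Trap id 77 to port 162
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)       # pcap global header, link type 1
    for sec, usec, fr in records:
        out += struct.pack("<IIII", sec, usec, len(fr), len(fr)) + fr
    return out
```

With the block saved as snmp_timeline.py, `python3 -c "import snmp_timeline as t; [print(e) for e in t.snmp_timeline(open('troubleshoot.pcap', 'rb').read())]"` prints one event per SNMP packet from a real capture; `t.snmp_timeline(t.sample_capture())` runs it against the built-in sample. Matching on (agent address, request-id) rather than request-id alone matters on a poller such as the SpectroSERVER, where different agents answer with overlapping ids. A snoop file, a pcapng or a Network Monitor .cap must be converted to classic pcap first (`editcap -F pcap in out.pcap`), and SNMPv3 packets are listed but not decoded, since their PDU may be encrypted.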

 

Message was edited by Scott Orzechowski to include the -s 0 option for tcpdump. Older versions of tcpdump limit the captured size of each packet (the snaplen) by default; -s 0 removes that limit.

 
