DX NetOps

Tech Tip: How to capture SNMP packets


    Posted Oct 08, 2013 05:56 PM

    It is often useful or necessary to see the content, sequence and timing of SNMP requests, replies and traps. Here are quick directions for capturing them.

    The following captures will be saved in binary, which is ideal for portability (imports to other utilities on other machines). If you ftp them, make sure you are first in binary mode in the ftp session. The command to enter binary mode, from the ftp command line, is 'binary' or simply 'bi'.

    You can alternatively view the capture in real time, in standard out or in the capture utility. You can save the output to text. Wireshark allows exports to csv files, which can be handy for sorting and for analyzing patterns.

    The aim of this document is, however, to convey simple SNMP capture methods:


    Solaris

    snoop -v -o troubleshoot.pcap 'host <SpectroSERVER IP> and (port 162 or port 161)'

    (The parentheses matter: without them the expression is read as "(host ... and port 162) or port 161", so port 161 traffic from every host is captured.)


    Linux


    tcpdump -w troubleshoot.pcap -vv -A -T snmp -s 0 "((dst port 162) or (src port 161) or (dst port 161)) and (host <SpectroSERVER IP>)"

    (In tcpdump's filter language "and" binds tighter than "or", so the outer parentheses are needed to apply the host test to all three port tests.)


    Windows

    No packet capture tools are installed with Windows by default. Microsoft Network Monitor is free for download from Microsoft, and Wireshark, also free, is at wireshark.org.

    The capture filter for Wireshark would be:
    host <SpectroSERVER IP> && (udp port 161 or udp port 162)

    Save the file in .pcap format.


    In Network Monitor, use the display filter:
    (udp.port == 161 OR udp.port == 162) AND IPv4.address == <SpectroSERVER IP>

    Save the file in .cap format.


    Message was edited by: Scott Orzechowski, to include the -s 0 option for tcpdump.  Older versions of tcpdump limit packet sizes by default.  This option unlimits it.
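Once a capture from the commands above is in hand, the next step is reading what the datagrams say. The Python below is an added example, not code from the original tip: it decodes the outer SNMPv1/v2c layers (version, community, PDU type, request-id, varbind count) of UDP payloads taken from port 161/162 datagrams and pairs requests with GetResponses by request-id to get the timing between them. It assumes the UDP payloads have already been pulled out of the pcap (for example with tshark or scapy); the three sample messages are constructed for the example.

```python
# Added example (not the original tip's code): decode SNMPv1/v2c UDP payloads, which are
# assumed already extracted from the capture (e.g. tshark/scapy); samples are constructed.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "Trap-v2"}
def _tlv(buf, pos):  # read one BER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (messages > 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_snmp(payload):
    """Describe the outer layers of one SNMPv1/v2c message (RFC 1157 / RFC 3416)."""
    tag, body, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    _, ver, pos = _tlv(body, 0)
    _, community, pos = _tlv(body, pos)
    pdu_tag, pdu, _ = _tlv(body, pos)
    info = {"version": {0: "v1", 1: "v2c"}.get(ver[0], "other"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, f"unknown-0x{pdu_tag:02x}")}
    if pdu_tag in PDU_TYPES and pdu_tag != 0xA4:   # v1 Trap PDU has another layout
        _, rid, pos = _tlv(pdu, 0)         # request-id links request and response
        _, err, pos = _tlv(pdu, pos)       # error-status
        _, _, pos = _tlv(pdu, pos)         # error-index
        _, varbinds, _ = _tlv(pdu, pos)
        count, p = 0, 0
        while p < len(varbinds):           # each variable binding is its own SEQUENCE
            _, _, p = _tlv(varbinds, p)
            count += 1
        info.update(request_id=int.from_bytes(rid, "big", signed=True),
                    error_status=err[0], varbinds=count)
    return info

def pair_latency(messages):
    """(timestamp, payload) pairs in capture order -> {request_id: seconds or None}."""
    pending, latency = {}, {}
    for ts, payload in messages:
        m = decode_snmp(payload)
        rid = m.get("request_id")
        if m["pdu"] in ("GetRequest", "GetNextRequest", "SetRequest", "GetBulkRequest"):
            pending[rid], latency[rid] = ts, None
        elif m["pdu"] == "GetResponse" and rid in pending:
            latency[rid] = round(ts - pending.pop(rid), 6)
    return latency
# Constructed samples: v1 GetRequest/GetResponse for sysDescr.0 and a v2c coldStart trap.
GET_REQUEST = bytes.fromhex("302602010004067075626c6963a019020101020100020100300e300c06082b060102010101000500")
GET_RESPONSE = bytes.fromhex("302902010004067075626c6963a21c0201010201000201003011300f06082b060102010101000403536f6c")
TRAP_V2C = bytes.fromhex("304102010104067075626c6963a7340201020201000201003029300e06082b06010201010300430212343017060a2b06010603010104010006092b0601060301010501")
```

A request that never received a GetResponse shows up with a latency of None, which is exactly the "missing reply" case a capture is usually taken to find.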